rule 57878 and awsdns

I don't think this is caused by anything in the UTM - probably an issue somewhere between Google and you.  I've seen anti-UDP and anti-ICMP flooding activity for response packets from Google DNS, and more so in the last 7 weeks.

Cheers - Bob

The rule isn't triggered by the relative danger of an FQDN, just by the volume of packets received by the UTM from the remote name server.

I'm fairly certain that the rule is correct and that the problem is somewhere in the Internet between your UTM and the DNS server.  You can disable this rule on the 'Advanced' tab of 'Intrusion Prevention' or make an Exception for traffic from the name server(s) causing the drop.

Cheers - Bob

When capturing the DNS packets with tcpdump and taking a look into them with wireshark,wireshark is not complaining about them. However I don't whether would ever complain about the packet volume. The volume of these replies looks good, not bigger than other replies where UTM does not complain.

The issue arises for multiple provider DNS servers (different providers), but not for all queries for given DNS record.

Since the snort rule refers to "Microsoft Threat Management Gateway heap buffer overflow attempt" and we don't use Microsoft Threat Management Gateway, I will disable the rule.

but not only with google dns-server. If the sophos uses cleanbrowsing as dns-forwarder, same will be logged every day since weeks:

"57878: PROTOCOL-DNS Microsoft Threat Management Gateway heap buffer overflow attempt"

I've been seeing this alert since Jul 2021 (first alert 16 Jul 2021). Seems to only be related to Apple products (Apple TV, iPhone, iPad, iMac) as the destination and Google DNS as the source.