https://live.paloaltonetworks.com/t5/advanced-threat-prevention/cisco-umbrella-opendns-queries-now-being-flagged-as-threat-18003/m-p/235045#M431 <P>Hello,</P><P>If you are still getting the alerts, I would update your dynamic definitions and maybe even open a TAC case to see what is/was causing the issues.</P><P>&nbsp;</P><P>Regards,</P> Thu, 11 Oct 2018 21:24:35 GMT OtakarKlier 2018-10-11T21:24:35Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/cisco-umbrella-opendns-queries-now-being-flagged-as-threat-18003/m-p/234940#M428 <P>We use Cisco Umbreall/OpenDNS for secure DNS and web protection.&nbsp;</P><P>&nbsp;</P><P>Cisco Umbrella setup guide says that they use DNSCrypt for secure DNS queries.</P><P>&nbsp;</P><P>This setup has worked flawless for years until about two weeks ago,. We began getting alerts that the two IP address from OpenDNS (Cisco Umbrella) are now being flagged periodically as threat 18003 DNS C2 Traffic.&nbsp; Any reason why now the PA's are flagging and dropping this traffic?&nbsp; It used to not do this. No changes to the OpenDNS/Cisco Umbrealla environment.</P><P>&nbsp;</P><P>We have verified with pcap traffic and other means that this is indeed traffic from OpenDNS connectors and Cisco Umbrella.&nbsp;</P><P>&nbsp;</P><P>Any suggestions would be helpful with helping silence these alerts. We obviously don't want to kill all alerts on C2 DNS traffic, just address the noisy false-positives that we are now seeing.&nbsp;</P><P>&nbsp;</P><P>Thanks in advance.</P><P>&nbsp;</P> Thu, 11 Oct 2018 15:02:16 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/cisco-umbrella-opendns-queries-now-being-flagged-as-threat-18003/m-p/234940#M428 MarkBrophy 2018-10-11T15:02:16Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/cisco-umbrella-opendns-queries-now-being-flagged-as-threat-18003/m-p/234990#M429 <P>Hello,</P><P>I have not seen this behavior on my systems. The way we are setup is that clients contact internal DNS and only our DNS servers can get to OpenDNS for resolution.</P><P>&nbsp;</P><P>Make sure your dynamic definitions are up to date. If that doesnt work, I would recommend opening a TAC case.</P><P>&nbsp;</P><P>Regards,</P> Thu, 11 Oct 2018 19:12:28 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/cisco-umbrella-opendns-queries-now-being-flagged-as-threat-18003/m-p/234990#M429 OtakarKlier 2018-10-11T19:12:28Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/cisco-umbrella-opendns-queries-now-being-flagged-as-threat-18003/m-p/235009#M430 <P>That is how we are setup as well. The OpenDNS connectors are just the secure connections for the needed lookups by DNS servers.&nbsp;</P><P>&nbsp;</P><P>Thanks.&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Thu, 11 Oct 2018 19:42:27 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/cisco-umbrella-opendns-queries-now-being-flagged-as-threat-18003/m-p/235009#M430 MarkBrophy 2018-10-11T19:42:27Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/cisco-umbrella-opendns-queries-now-being-flagged-as-threat-18003/m-p/235045#M431 <P>Hello,</P><P>If you are still getting the alerts, I would update your dynamic definitions and maybe even open a TAC case to see what is/was causing the issues.</P><P>&nbsp;</P><P>Regards,</P> Thu, 11 Oct 2018 21:24:35 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/cisco-umbrella-opendns-queries-now-being-flagged-as-threat-18003/m-p/235045#M431 OtakarKlier 2018-10-11T21:24:35Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/cisco-umbrella-opendns-queries-now-being-flagged-as-threat-18003/m-p/235157#M432 <P>Mark, did you open a case with Support? We'd like to receive a DNSCrypt PCAP triggering the signature to provide it to our developers&nbsp;to have the signature improved.</P> Fri, 12 Oct 2018 17:41:48 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/cisco-umbrella-opendns-queries-now-being-flagged-as-threat-18003/m-p/235157#M432 mivaldi 2018-10-12T17:41:48Z