https://live.paloaltonetworks.com/t5/general-topics/dns-not-dns-strange-udp-53/m-p/13806#M10127 <HTML><HEAD></HEAD><BODY><P>I am seeing a huge amount of traffic outbound from my DNS server that seems to be being dropped by the firewall. Its being dropped because my application rule says "allow DNS server to talk DNS to the internet", it doesn't match that (because its not DNS application according to PAN) and so its dropped.</P><P></P><P>Whats happening is that there is a large amount of UDP 53 traffic that's not being classified as DNS application.</P><P></P><P>Anyone seen this before?</P><P></P><P>Thoughts from me are:</P><P></P><P>1) Its some sort of DNS tunnelling going on (possible I suppose? Could be a variation PAN don't know about)</P><P></P><P>2) The DNS traffic is doing authoritative lookups on non-Latin domain names and the unicoding of the request is not supported by PAN?</P><P></P><P>3) Being UDP obviously it could be a spoofed source I suppose (seems unlikely so far)</P><P></P><P>I have yet to fully investigate it (packet captures etc) but just wondered if anyone has seen this and/or if my idea #2 is a possibility?</P><P></P><P>Thanks</P><P></P><P>Andy</P></BODY></HTML> Tue, 04 Nov 2014 21:57:56 GMT Andy_K 2014-11-04T21:57:56Z https://live.paloaltonetworks.com/t5/general-topics/dns-not-dns-strange-udp-53/m-p/13806#M10127 <HTML><HEAD></HEAD><BODY><P>I am seeing a huge amount of traffic outbound from my DNS server that seems to be being dropped by the firewall. Its being dropped because my application rule says "allow DNS server to talk DNS to the internet", it doesn't match that (because its not DNS application according to PAN) and so its dropped.</P><P></P><P>Whats happening is that there is a large amount of UDP 53 traffic that's not being classified as DNS application.</P><P></P><P>Anyone seen this before?</P><P></P><P>Thoughts from me are:</P><P></P><P>1) Its some sort of DNS tunnelling going on (possible I suppose? Could be a variation PAN don't know about)</P><P></P><P>2) The DNS traffic is doing authoritative lookups on non-Latin domain names and the unicoding of the request is not supported by PAN?</P><P></P><P>3) Being UDP obviously it could be a spoofed source I suppose (seems unlikely so far)</P><P></P><P>I have yet to fully investigate it (packet captures etc) but just wondered if anyone has seen this and/or if my idea #2 is a possibility?</P><P></P><P>Thanks</P><P></P><P>Andy</P></BODY></HTML> Tue, 04 Nov 2014 21:57:56 GMT https://live.paloaltonetworks.com/t5/general-topics/dns-not-dns-strange-udp-53/m-p/13806#M10127 Andy_K 2014-11-04T21:57:56Z https://live.paloaltonetworks.com/t5/general-topics/dns-not-dns-strange-udp-53/m-p/13807#M10128 <HTML><HEAD></HEAD><BODY><P>Hi Andy,</P><P></P><P>Can you look at the Bytes Sent and see the size of the traffic. What is the application it is classified as? Next if you do a test url for url in question, see what category you are getting. Also under Spyware setting, what is DNS action set to? Thank you.</P></BODY></HTML> Tue, 04 Nov 2014 22:01:05 GMT https://live.paloaltonetworks.com/t5/general-topics/dns-not-dns-strange-udp-53/m-p/13807#M10128 ssharma 2014-11-04T22:01:05Z https://live.paloaltonetworks.com/t5/general-topics/dns-not-dns-strange-udp-53/m-p/13808#M10129 <HTML><HEAD></HEAD><BODY><P>Its classified as "N/A" and the sizes are a range (I've got about 55,000 lines of log messages I'm looking at with it in...) is between 67 bytes and 140 bytes - a big mixture.</P><P></P><P>I don't understand what you mean about a test url?</P><P></P><P>There is no spyware detection for this traffic, its just dropped traffic.</P></BODY></HTML> Tue, 04 Nov 2014 22:06:50 GMT https://live.paloaltonetworks.com/t5/general-topics/dns-not-dns-strange-udp-53/m-p/13808#M10129 Andy_K 2014-11-04T22:06:50Z https://live.paloaltonetworks.com/t5/general-topics/dns-not-dns-strange-udp-53/m-p/13809#M10130 <HTML><HEAD></HEAD><BODY><P>Did you check PAN threat logs, if any suspicious activity has been captured for this type of traffic.</P><P></P><P>Thanks</P></BODY></HTML> Tue, 04 Nov 2014 22:09:21 GMT https://live.paloaltonetworks.com/t5/general-topics/dns-not-dns-strange-udp-53/m-p/13809#M10130 HULK 2014-11-04T22:09:21Z https://live.paloaltonetworks.com/t5/general-topics/dns-not-dns-strange-udp-53/m-p/13810#M10131 <HTML><HEAD></HEAD><BODY><P>No, nothing in the threat log, its just being dropped by the firewall rules because its not DNS application according to PAN.</P></BODY></HTML> Tue, 04 Nov 2014 22:14:10 GMT https://live.paloaltonetworks.com/t5/general-topics/dns-not-dns-strange-udp-53/m-p/13810#M10131 Andy_K 2014-11-04T22:14:10Z https://live.paloaltonetworks.com/t5/general-topics/dns-not-dns-strange-udp-53/m-p/13811#M10132 <HTML><HEAD></HEAD><BODY><P>Hi Andy,</P><P></P><P>In that case we need to get pcap from traffic in question if that is possible and analyze what type of packets are those. Thank you.</P></BODY></HTML> Tue, 04 Nov 2014 23:03:05 GMT https://live.paloaltonetworks.com/t5/general-topics/dns-not-dns-strange-udp-53/m-p/13811#M10132 ssharma 2014-11-04T23:03:05Z https://live.paloaltonetworks.com/t5/general-topics/dns-not-dns-strange-udp-53/m-p/13812#M10133 <HTML><HEAD></HEAD><BODY><P>I'm going to give that a go hopefully tomorrow, was just wondering in the meantime if anyone else had ever seen this type of traffic before?</P></BODY></HTML> Tue, 04 Nov 2014 23:15:02 GMT https://live.paloaltonetworks.com/t5/general-topics/dns-not-dns-strange-udp-53/m-p/13812#M10133 Andy_K 2014-11-04T23:15:02Z