https://live.paloaltonetworks.com/t5/general-topics/non-rfc-compliant-dns-traffic-on-port-53-5353/m-p/555835#M112877 <P>you can enable packetcapture in the threat log so you can capture one of these DNS queries to see what they look like</P> <P>that pcap can then be used to report a false positive with Palo TAC or get back to vodafone and let them know about potentially malformed dns queries</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>hope this helps</P> <P>T</P> Wed, 30 Aug 2023 11:43:21 GMT reaper 2023-08-30T11:43:21Z https://live.paloaltonetworks.com/t5/general-topics/non-rfc-compliant-dns-traffic-on-port-53-5353/m-p/555830#M112876 <P>HI,</P> <P>Continuously receiving vulnerability threat events (<SPAN title="ID: Non-RFC Compliant DNS Traffic on Port 53/5353(56538) Desc: Non-RFC Compliant DNS Traffic on Port 53/5353(56538)"><SPAN title="">Non-RFC Compliant DNS Traffic on Port 53/5353(56538))&nbsp;</SPAN></SPAN> form the same source IP towards our PA public IP addresses.&nbsp; The source is also clean and belongs to Vodafone ISP.</P> <P>&nbsp;</P> <P>I could not find any other trace to resolve the issue.</P> <P>&nbsp;</P> <P>Please assist how I can proceed to resolve it.&nbsp; What action I should take to find the root cause?</P> <P>&nbsp;</P> <P>Sample Log:</P> <P>&lt;14&gt;Aug 30 13:34:07 PA-FW-SEC LEEF:2.0|Palo Alto Networks|PAN-OS Syslog Integration|10.2.3-h4|Non-RFC Compliant DNS Traffic on Port 53/5353(56538)|x7C|ReceiveTime=2023/08/30 13:34:07|SerialNumber=016301009873|cat=THREAT|Subtype=vulnerability|devTime=Aug 30 2023 08:04:07 GMT|src=123.63.124.44|dst=x.x.246.105|srcPostNAT=0.0.0.0|dstPostNAT=0.0.0.0|RuleName=DNS-Inbound|usrName=|SourceUser=|DestinationUser=|Application=dns-base|VirtualSystem=vsys1|SourceZone=OUTSIDE-WAN|DestinationZone=DMZ|IngressInterface=ethernet1/17|EgressInterface=ethernet1/19|LogForwardingProfile=Qradar|SessionID=534411|RepeatCount=1|srcPort=52731|dstPort=53|srcPostNATPort=0|dstPostNATPort=0|Flags=0x2000|proto=tcp|action=alert|Miscellaneous=|ThreatID=Non-RFC Compliant DNS Traffic on Port 53/5353(56538)|URLCategory=any|sev=1|Severity=informational|Direction=client-to-server|sequence=7269186445734632983|ActionFlags=0x8000000000000000|SourceLocation=India|DestinationLocation=India|ContentType=|PCAP_ID=0|FileDigest=|Cloud=|URLIndex=0|RequestMethod=|Subject=|DeviceGroupHierarchyL1=97|DeviceGroupHierarchyL2=0|DeviceGroupHierarchyL3=0|DeviceGroupHierarchyL4=0|vSrcName=|DeviceName=ALCOB-PA-FW-SEC|SrcUUID=|DstUUID=|TunnelID=0|MonitorTag=|ParentSessionID=0|ParentStartTime=|TunnelType=N/A|ThreatCategory=protocol-anomaly|ContentVer=AppThreat-8749-8252</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>Thanks</P> <P>&nbsp;</P> <P>&nbsp;</P> Wed, 30 Aug 2023 10:17:54 GMT https://live.paloaltonetworks.com/t5/general-topics/non-rfc-compliant-dns-traffic-on-port-53-5353/m-p/555830#M112876 Arunkumar27 2023-08-30T10:17:54Z https://live.paloaltonetworks.com/t5/general-topics/non-rfc-compliant-dns-traffic-on-port-53-5353/m-p/555835#M112877 <P>you can enable packetcapture in the threat log so you can capture one of these DNS queries to see what they look like</P> <P>that pcap can then be used to report a false positive with Palo TAC or get back to vodafone and let them know about potentially malformed dns queries</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>hope this helps</P> <P>T</P> Wed, 30 Aug 2023 11:43:21 GMT https://live.paloaltonetworks.com/t5/general-topics/non-rfc-compliant-dns-traffic-on-port-53-5353/m-p/555835#M112877 reaper 2023-08-30T11:43:21Z https://live.paloaltonetworks.com/t5/general-topics/non-rfc-compliant-dns-traffic-on-port-53-5353/m-p/555836#M112878 <P>you can enable packetcapture in the threat log so you can capture one of these DNS queries to see what they look like</P> <P>that pcap can then be used to report a false positive with Palo TAC or get back to vodafone and let them know about potentially malformed dns queries</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>hope this helps</P> <P>T</P> Wed, 30 Aug 2023 11:43:27 GMT https://live.paloaltonetworks.com/t5/general-topics/non-rfc-compliant-dns-traffic-on-port-53-5353/m-p/555836#M112878 reaper 2023-08-30T11:43:27Z