11-04-2014 01:57 PM
I am seeing a huge amount of traffic outbound from my DNS server that seems to be being dropped by the firewall. It's being dropped because my application rule says "allow DNS server to talk DNS to the internet"; it doesn't match that (because it's not the DNS application according to PAN) and so it's dropped.
What's happening is that there is a large amount of UDP 53 traffic that's not being classified as the DNS application.
Anyone seen this before?
Thoughts from me are:
1) It's some sort of DNS tunnelling going on (possible I suppose? Could be a variation PAN don't know about)
2) The DNS traffic is doing authoritative lookups on non-Latin domain names and the Unicode encoding of the request is not supported by PAN?
3) Being UDP obviously it could be a spoofed source I suppose (seems unlikely so far)
I have yet to fully investigate it (packet captures etc) but just wondered if anyone has seen this and/or if my idea #2 is a possibility?
Thanks
Andy
11-04-2014 02:01 PM
Hi Andy,
Can you look at the Bytes Sent and see the size of the traffic. What is the application it is classified as? Next if you do a test url for url in question, see what category you are getting. Also under Spyware setting, what is DNS action set to? Thank you.
11-04-2014 02:06 PM
It's classified as "N/A" and the sizes are a range (I've got about 55,000 lines of log messages I'm looking at with it in...) between 67 bytes and 140 bytes - a big mixture.
I don't understand what you mean about a test URL?
There is no spyware detection for this traffic, it's just dropped traffic.
11-04-2014 02:09 PM
Did you check the PAN threat logs to see if any suspicious activity has been captured for this type of traffic?
Thanks
11-04-2014 02:14 PM
No, nothing in the threat log, it's just being dropped by the firewall rules because it's not the DNS application according to PAN.
11-04-2014 03:03 PM
Hi Andy,
In that case we need to get pcap from traffic in question if that is possible and analyze what type of packets are those. Thank you.
11-04-2014 03:15 PM
I'm going to give that a go hopefully tomorrow, was just wondering in the meantime if anyone else had ever seen this type of traffic before?
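As an added example for the pcap step (not code from this thread or from Palo Alto), here is a small Python triage script: it parses each UDP/53 payload against the DNS wire format and labels it, which separates payloads that are not DNS at all (ideas #1 and #3) from well-formed queries; it also shows that an IDN query carries plain ASCII punycode labels on the wire, so a non-Latin name by itself (idea #2) parses like any other query. The payloads in SAMPLES are constructed for the demo, not taken from the poster's capture.

```python
import struct

def parse_dns_question(payload: bytes):
    """Return header fields and the first QNAME if payload is a well-formed DNS message, else None."""
    if len(payload) < 12:
        return None
    txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", payload[:12])
    opcode = (flags >> 11) & 0xF
    # Real queries/responses use opcode 0-2 and carry at least one (rarely more than a few) questions
    if opcode > 2 or qdcount == 0 or qdcount > 8:
        return None
    labels, pos = [], 12
    while True:
        if pos >= len(payload):
            return None
        length = payload[pos]
        pos += 1
        if length == 0:
            break
        # Compression pointers never appear in the first QNAME; labels are at most 63 bytes
        if length & 0xC0 or length > 63 or pos + length > len(payload):
            return None
        label = payload[pos:pos + length]
        # Hostname labels are printable ASCII on the wire; IDNs are already punycode ("xn--...")
        if not all(0x21 <= b < 0x7F for b in label):
            return None
        labels.append(label.decode("ascii"))
        pos += length
    if pos + 4 > len(payload):
        return None
    qtype, qclass = struct.unpack("!HH", payload[pos:pos + 4])
    return {"id": txid, "qr": flags >> 15, "qname": ".".join(labels), "qtype": qtype, "qclass": qclass}

def classify(payload: bytes) -> str:
    q = parse_dns_question(payload)
    if q is None:
        return "not-dns"
    return "dns-query" if q["qr"] == 0 else "dns-response"

def build_query(qname: str, qtype: int = 1) -> bytes:
    # Constructed sample (hypothetical): minimal standard query with RD set, to exercise the parser
    body = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in qname.split("."))
    return struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + body + b"\x00" + struct.pack("!HH", qtype, 1)

SAMPLES = {  # constructed payloads, not from the poster's capture
    "plain": build_query("example.com"),
    "idn": build_query("xn--bcher-kva.example"),  # bücher.example as it appears on the wire
    "junk": bytes(range(70)),  # 70 bytes of non-DNS data sent to UDP/53
}
```

Run classify() over the UDP/53 payloads extracted from the capture and count the labels; a large "not-dns" share points at ideas #1 or #3 rather than #2.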