DNS not DNS? Strange UDP 53?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

DNS not DNS? Strange UDP 53?

L1 Bithead

I am seeing a huge amount of traffic outbound from my DNS server that seems to be being dropped by the firewall. Its being dropped because my application rule says "allow DNS server to talk DNS to the internet", it doesn't match that (because its not DNS application according to PAN) and so its dropped.

Whats happening is that there is a large amount of UDP 53 traffic that's not being classified as DNS application.

Anyone seen this before?

Thoughts from me are:

1) Its some sort of DNS tunnelling going on (possible I suppose? Could be a variation PAN don't know about)

2) The DNS traffic is doing authoritative lookups on non-Latin domain names and the unicoding of the request is not supported by PAN?

3) Being UDP obviously it could be a spoofed source I suppose (seems unlikely so far)

I have yet to fully investigate it (packet captures etc) but just wondered if anyone has seen this and/or if my idea #2 is a possibility?

Thanks

Andy

6 REPLIES 6

L5 Sessionator

Hi Andy,

Can you look at the Bytes Sent and see the size of the traffic. What is the application it is classified as? Next if you do a test url for url in question, see what category you are getting. Also under Spyware setting, what is DNS action set to? Thank you.

Its classified as "N/A" and the sizes are a range (I've got about 55,000 lines of log messages I'm looking at with it in...) is between 67 bytes and 140 bytes - a big mixture.

I don't understand what you mean about a test url?

There is no spyware detection for this traffic, its just dropped traffic.

Did you check PAN threat logs, if any suspicious activity has been captured for this type of traffic.

Thanks

No, nothing in the threat log, its just being dropped by the firewall rules because its not DNS application according to PAN.

Hi Andy,

In that case we need to get pcap from traffic in question if that is possible and analyze what type of packets are those. Thank you.

I'm going to give that a go hopefully tomorrow, was just wondering in the meantime if anyone else had ever seen this type of traffic before?

  • 3939 Views
  • 6 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!