DNS not DNS? Strange UDP 53?

L1 Bithead

I am seeing a huge amount of traffic outbound from my DNS server that seems to be being dropped by the firewall. It's being dropped because my application rule says "allow DNS server to talk DNS to the internet", it doesn't match that (because it's not the DNS application according to PAN) and so it's dropped.

What's happening is that there is a large amount of UDP 53 traffic that's not being classified as the DNS application.

Anyone seen this before?

Thoughts from me are:

1) It's some sort of DNS tunnelling going on (possible I suppose? Could be a variation PAN don't know about)

2) The DNS traffic is doing authoritative lookups on non-Latin domain names and the unicoding of the request is not supported by PAN?

3) Being UDP obviously it could be a spoofed source I suppose (seems unlikely so far)

I have yet to fully investigate it (packet captures etc) but just wondered if anyone has seen this and/or if my idea #2 is a possibility?

Thanks

Andy

6 REPLIES

L5 Sessionator

Hi Andy,

Can you look at the Bytes Sent and see the size of the traffic. What is the application it is classified as? Next, if you do a test url for the url in question, see what category you are getting. Also, under the Spyware settings, what is the DNS action set to? Thank you.

It's classified as "N/A" and the sizes (I've got about 55,000 lines of log messages with it in that I'm looking at...) range between 67 bytes and 140 bytes - a big mixture.

I don't understand what you mean about a test url?

There is no spyware detection for this traffic, it's just dropped traffic.

Did you check the PAN threat logs to see if any suspicious activity has been captured for this type of traffic?

Thanks

No, nothing in the threat log, it's just being dropped by the firewall rules because it's not the DNS application according to PAN.

Hi Andy,

In that case we need to get a pcap of the traffic in question, if that is possible, and analyze what type of packets those are. Thank you.

I'm going to give that a go hopefully tomorrow; I was just wondering in the meantime if anyone else had ever seen this type of traffic before?
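Once the pcap is in hand, the first triage question is the one the thread circles around: does each UDP/53 payload parse as a DNS message at all, and if it does, does the query name look like an IDN (punycode, idea #2) or like encoded data (idea #1)? The following is an added example for this thread, not code from Palo Alto Networks, App-ID, or any of the posters. It parses the 12-byte DNS header and the question section by hand, and the length and entropy thresholds it uses to flag tunnel-like names are my own heuristics, not anything the firewall uses. The sample payloads are constructed, not captures from the poster's network.

```python
"""Triage helper for UDP/53 payloads: parse the DNS header and question
section, then flag what a defender would want to look at first.

Added example, not Palo Alto Networks code. Thresholds are assumptions
chosen for illustration; tune them against your own baseline.
"""
import math
import struct
from collections import Counter

# Heuristic thresholds (assumptions, not vendor values).
MAX_LABEL_LEN = 30          # a single label longer than this is unusual
MIN_TUNNEL_ENTROPY = 3.5    # bits/char; random-looking data sits near 4+
MAX_QNAME_LEN = 100         # a whole name longer than this is unusual


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def parse_dns(payload: bytes):
    """Parse the 12-byte header and every question entry.

    Returns a dict, or None if the bytes cannot be a well-formed DNS message
    (too short, unassigned opcode, name running past the end, missing
    QTYPE/QCLASS, non-ASCII label bytes).
    """
    if len(payload) < 12:
        return None
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", payload[:12])
    opcode = (flags >> 11) & 0xF
    if opcode > 5:                      # only opcodes 0..5 are assigned
        return None
    off = 12
    questions = []
    for _ in range(qd):
        labels = []
        while True:
            if off >= len(payload):
                return None             # name runs past the end of the packet
            ln = payload[off]
            off += 1
            if ln == 0:
                break                   # root label terminates the name
            if ln & 0xC0:
                return None             # pointer/reserved label type: not a plain question name
            if off + ln > len(payload):
                return None
            try:
                labels.append(payload[off:off + ln].decode("ascii"))
            except UnicodeDecodeError:
                return None
            off += ln
        if off + 4 > len(payload):
            return None                 # QTYPE and QCLASS must follow the name
        qtype, qclass = struct.unpack("!HH", payload[off:off + 4])
        off += 4
        questions.append((".".join(labels), qtype, qclass))
    return {"id": txid, "is_response": bool(flags >> 15), "opcode": opcode,
            "questions": questions, "ancount": an, "nscount": ns, "arcount": ar}


def classify(payload: bytes) -> str:
    """Return 'not-dns', 'dns-suspect-tunnel', 'dns-idn' or 'dns'."""
    info = parse_dns(payload)
    if info is None:
        return "not-dns"
    for qname, _qtype, _qclass in info["questions"]:
        labels = qname.split(".")
        longest = max(labels, key=len)
        if (len(qname) > MAX_QNAME_LEN
                or (len(longest) > MAX_LABEL_LEN
                    and shannon_entropy(longest) > MIN_TUNNEL_ENTROPY)):
            return "dns-suspect-tunnel"   # long, high-entropy label: data, not a hostname
        if any(lbl.lower().startswith("xn--") for lbl in labels):
            return "dns-idn"              # punycode label: an internationalised name
    return "dns"


def build_query(qname: str, txid: int = 0x1234, qtype: int = 1) -> bytes:
    """Build a standard query (QR=0, RD=1, one question) to construct samples."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    wire = b"".join(bytes([len(lbl)]) + lbl.encode("ascii")
                    for lbl in qname.rstrip(".").split("."))
    return header + wire + b"\x00" + struct.pack("!HH", qtype, 1)


# Constructed sample payloads (not captures from the thread).
SAMPLES = {
    "plain": build_query("www.example.com"),
    "idn": build_query("xn--mnchen-3ya.example"),                # "münchen" as punycode
    "tunnel": build_query("0123456789abcdef" * 2 + ".t.example"),  # 32-char random-looking label
    "http": b"GET / HTTP/1.1\r\nHost: x\r\n\r\n",                  # not DNS: unassigned opcode
    "short": b"\x00\x01\x02",                                      # too short for a header
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:7s} {len(pkt):3d} bytes -> {classify(pkt)}")
```

Run it over the UDP payloads from the capture (for example by exporting them from Wireshark or reading them with a pcap library) and bucket the results: a large "not-dns" bucket means something other than DNS is using port 53, a "dns-idn" bucket supports idea #2, and a "dns-suspect-tunnel" bucket is what to hand to the threat team first. Anything that parses cleanly but is still not identified as DNS by the firewall is worth a support case with a sample packet attached.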
