We use Cisco Umbrella/OpenDNS for secure DNS and web protection.
Cisco Umbrella setup guide says that they use DNSCrypt for secure DNS queries.
This setup has worked flawlessly for years until about two weeks ago. We began getting alerts that the two IP addresses from OpenDNS (Cisco Umbrella) are now being flagged periodically as threat 18003 DNS C2 Traffic. Any reason why the PAs are now flagging and dropping this traffic? It used to not do this. No changes to the OpenDNS/Cisco Umbrella environment.
We have verified with pcap traffic and other means that this is indeed traffic from OpenDNS connectors and Cisco Umbrella.
Any suggestions would be helpful with helping silence these alerts. We obviously don't want to kill all alerts on C2 DNS traffic, just address the noisy false-positives that we are now seeing.
Thanks in advance.
I have not seen this behavior on my systems. The way we are set up is that clients contact internal DNS and only our DNS servers can get to OpenDNS for resolution.
Make sure your dynamic definitions are up to date. If that doesn't work, I would recommend opening a TAC case.
That is how we are set up as well. The OpenDNS connectors are just the secure connections for the needed lookups by DNS servers.
If you are still getting the alerts, I would update your dynamic definitions and maybe even open a TAC case to see what is/was causing the issues.
Mark, did you open a case with Support? We'd like to receive a DNSCrypt PCAP triggering the signature to provide it to our developers to have the signature improved.
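Added example, not from the thread or from Palo Alto Networks: a small triage script for narrowing a threat exception to the known resolver traffic instead of silencing signature 18003 altogether. It assumes the two well-known OpenDNS resolver addresses (replace them with the ones your DNS servers forward to) and uses constructed sample log lines in a simplified key=value layout, not the exact PAN-OS threat log field order.

```python
from collections import Counter

# Assumption: the well-known OpenDNS/Cisco Umbrella resolver addresses.
# Substitute the resolvers your internal DNS servers actually use.
UMBRELLA_RESOLVERS = {"208.67.222.222", "208.67.220.220"}
DNS_C2_THREAT_ID = "18003"  # the signature named in the thread

# Constructed sample lines in a simplified key=value layout; adapt parse_line()
# to the real column order of your exported threat logs.
SAMPLE_LOG = """\
threatid=18003 src=10.1.1.5 dst=208.67.222.222 dport=443 action=drop
threatid=18003 src=10.1.1.5 dst=208.67.220.220 dport=443 action=drop
threatid=18003 src=10.1.7.40 dst=203.0.113.9 dport=53 action=drop
threatid=31000 src=10.1.1.5 dst=208.67.222.222 dport=443 action=alert
threatid=18003 src=10.1.1.6 dst=208.67.222.222 dport=443 action=drop
"""

def parse_line(line):
    """Turn 'k=v k=v ...' into a dict; fields without '=' are ignored."""
    return dict(f.split("=", 1) for f in line.split() if "=" in f)

def triage(log_text, resolvers=UMBRELLA_RESOLVERS, threat_id=DNS_C2_THREAT_ID):
    """Split 18003 hits into those explained by known resolvers and the rest.

    'expected' counts (src, dst) pairs that only involve the known resolvers,
    which is the narrowest scope for a threat exception. 'unexplained' keeps
    hits to any other destination so they continue to get a human look.
    """
    expected = Counter()
    unexplained = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec.get("threatid") != threat_id:
            continue  # other signatures are out of scope for this exception
        dst = rec.get("dst", "")
        if dst in resolvers:
            expected[(rec.get("src", "?"), dst)] += 1
        else:
            unexplained.append(rec)
    return {"expected": expected, "unexplained": unexplained}

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for (src, dst), n in sorted(result["expected"].items()):
        print(f"exception candidate: {src} -> {dst} ({n} hits)")
    for rec in result["unexplained"]:
        print(f"still investigate: {rec['src']} -> {rec['dst']}")
```

The pairs listed as exception candidates are what to scope the exception to (source DNS servers plus resolver addresses); anything in the second list keeps the signature's default action.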