10-11-2018 08:02 AM
We use Cisco Umbrella/OpenDNS for secure DNS and web protection.
Cisco Umbrella setup guide says that they use DNSCrypt for secure DNS queries.
This setup has worked flawlessly for years until about two weeks ago. We began getting alerts that the two IP addresses from OpenDNS (Cisco Umbrella) are now being flagged periodically as threat 18003 DNS C2 Traffic. Any reason why now the PAs are flagging and dropping this traffic? It used to not do this. No changes to the OpenDNS/Cisco Umbrella environment.
We have verified with pcap traffic and other means that this is indeed traffic from OpenDNS connectors and Cisco Umbrella.
Any suggestions would be helpful in silencing these alerts. We obviously don't want to kill all alerts on C2 DNS traffic, just address the noisy false positives that we are now seeing.
Thanks in advance.
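The original poster wants to keep threat 18003 alerting in general while silencing only the hits that are really DNSCrypt traffic from the internal DNS servers to the OpenDNS resolvers. The following is an added example, not code from the thread or from Palo Alto Networks: it triages a threat-log export so that only hits whose destination is a known DNSCrypt resolver on the DNSCrypt port are treated as expected, and it collects those destinations as the IP set a scoped threat exception would be limited to. The resolver addresses, the simplified CSV column layout and the sample log lines are all constructed for the example (a real PAN-OS threat log export has many more columns), and the DNSCrypt v2 resolver-magic check is included as a quick sanity test for the pcap verification the poster mentions.

```python
"""Triage threat-log hits for threat ID 18003 ("DNS C2 Traffic") against a
known set of DNSCrypt resolver destinations, and sanity-check captured UDP
payloads for DNSCrypt responses.

Assumptions (not from the thread): FIELDS below is a simplified, constructed
CSV layout with only the columns needed here; map it onto your own export.
"""
import csv
from io import StringIO

THREAT_ID_DNS_C2 = 18003

# Assumed: the two OpenDNS/Umbrella anycast resolvers. Replace with the
# addresses your DNS servers actually talk to, as confirmed from the pcap.
DNSCRYPT_RESOLVERS = {"208.67.222.222", "208.67.220.220"}
DNSCRYPT_PORT = 443  # DNSCrypt to OpenDNS runs over UDP/TCP 443

# DNSCrypt v2 responses from a resolver begin with this 8-byte resolver magic,
# followed by a 24-byte nonce and the encrypted payload.
RESOLVER_MAGIC = b"r6fnvWj8"
MIN_DNSCRYPT_RESPONSE = len(RESOLVER_MAGIC) + 24

FIELDS = ["time", "src", "dst", "dport", "threat_id", "threat_name", "action"]

# Constructed sample: two DNSCrypt hits, one plain-DNS hit to an unknown
# host, one port-53 hit to a resolver IP, and one unrelated threat.
SAMPLE_LOG = """\
2018/10/11 07:58:01,10.0.0.53,208.67.222.222,443,18003,DNS C2 Traffic,drop
2018/10/11 07:58:09,10.0.0.53,208.67.220.220,443,18003,DNS C2 Traffic,drop
2018/10/11 08:01:44,10.0.0.77,198.51.100.23,53,18003,DNS C2 Traffic,drop
2018/10/11 08:02:10,10.0.0.53,208.67.222.222,53,18003,DNS C2 Traffic,drop
2018/10/11 08:02:12,10.0.0.12,203.0.113.9,443,30006,Some Other Threat,alert
"""


def parse_threat_log(text):
    """Parse the simplified CSV export into dicts with typed port/threat fields."""
    rows = []
    for row in csv.DictReader(StringIO(text), fieldnames=FIELDS):
        row["dport"] = int(row["dport"])
        row["threat_id"] = int(row["threat_id"])
        rows.append(row)
    return rows


def is_expected_dnscrypt_hit(row, resolvers=DNSCRYPT_RESOLVERS):
    """A hit is expected only if it is 18003 AND goes to a known resolver AND
    uses the DNSCrypt port. Matching on the resolver IP alone would also
    exempt plain port-53 DNS to that address, which is not what we verified."""
    return (row["threat_id"] == THREAT_ID_DNS_C2
            and row["dst"] in resolvers
            and row["dport"] == DNSCRYPT_PORT)


def triage(text, resolvers=DNSCRYPT_RESOLVERS):
    """Split 18003 hits into expected DNSCrypt traffic and hits to review.

    Returns counts plus the exact destination IPs the threat exception should
    be scoped to, so every other 18003 hit keeps alerting."""
    expected, review = [], []
    for row in parse_threat_log(text):
        if row["threat_id"] != THREAT_ID_DNS_C2:
            continue  # other signatures are out of scope for this triage
        (expected if is_expected_dnscrypt_hit(row, resolvers) else review).append(row)
    return {
        "expected": len(expected),
        "review": len(review),
        "exempt_ips": sorted({r["dst"] for r in expected}),
        "review_dsts": sorted({r["dst"] for r in review}),
    }


def looks_like_dnscrypt_response(payload: bytes) -> bool:
    """True if a captured UDP payload has the DNSCrypt v2 resolver-magic prefix
    and is at least magic + nonce long; plain DNS never starts this way."""
    return (len(payload) >= MIN_DNSCRYPT_RESPONSE
            and payload.startswith(RESOLVER_MAGIC))


if __name__ == "__main__":
    summary = triage(SAMPLE_LOG)
    print("expected DNSCrypt hits:", summary["expected"])
    print("hits still needing review:", summary["review"], summary["review_dsts"])
    print("scope the 18003 exception to:", summary["exempt_ips"])
```

The point of the port check is that an exception keyed only on the resolver IPs would also hide a genuine 18003 hit on plain port-53 DNS to those addresses; scoping to the destinations in `exempt_ips` keeps the signature live for everything else, which is what the poster asked for.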
10-11-2018 12:12 PM
Hello,
I have not seen this behavior on my systems. The way we are setup is that clients contact internal DNS and only our DNS servers can get to OpenDNS for resolution.
Make sure your dynamic definitions are up to date. If that doesn't work, I would recommend opening a TAC case.
Regards,
10-11-2018 12:42 PM
That is how we are setup as well. The OpenDNS connectors are just the secure connections for the needed lookups by DNS servers.
Thanks.
10-11-2018 02:24 PM
Hello,
If you are still getting the alerts, I would update your dynamic definitions and maybe even open a TAC case to see what is/was causing the issues.
Regards,
10-12-2018 10:41 AM
Mark, did you open a case with Support? We'd like to receive a DNSCrypt PCAP triggering the signature to provide it to our developers to have the signature improved.