Spyware with DNS Protection

L1 Bithead

Hi All,

Our firewall drops DNS traffic to C&C domains (us.jaxonsorensen.club, news.sqllitlerver.info and log.osloger.biz) with the source IP address of the firewall itself. This issue started after the Threat update of 28/05/2020.


Will appreciate any help/suggestions.


Best regards,

Khai




All Replies
L7 Applicator

This can be caused by the firewall running DNS proxy, or attempting to fill out the IP information in pre-defined threat reports. Check your Threat logs to see if these domains have been observed, and verify the threat reports to see if any were generated reporting the malicious domain findings.

L1 Bithead

Thanks Mivaldi,

The problem here is that I have not configured DNS Proxy. I checked all hosts in our network and nothing queries the spyware DNS domains; only the Palo Alto firewall makes the requests.


Thanks,

Khai

L7 Applicator

Check your URL Filtering logs.

Cyber Elite

I tested these and see that PA blocks them under threat as type spyware.

The source address is my PC and it is working as expected, as I have DNS sinkhole configured.


You will not see any traffic for these sites under URL, as it is sinkholed.

MP
L7 Applicator

@MP18 I think you got lost in the train of thought. @Khai-Huynh is saying that the DNS sinkhole actions are showing up for traffic where the firewall management IP is the source of the DNS queries. @Khai-Huynh is hinting that the firewall could be compromised since there should not be a reason for it to source queries to malicious domains. What I am saying here is that this is not a sign of a compromised firewall, since queries to malicious domains may happen when the firewall generates Threat Reports. Some of these threat reports are based on URL Filtering malware category detections (for example), and the firewall will source a DNS query to fill out IP address information in the Threat Reports (that may subsequently get caught in the Anti-Spyware DNS profile).

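As an added triage example (not code from the thread participants or from Palo Alto Networks), the script below applies the reasoning in the accepted answer to constructed, simplified log rows: the firewall management IP, the CSV column layout and the sample rows are all assumptions. It separates sinkhole hits the firewall sourced itself and that line up with a URL Filtering malware detection (consistent with report generation) from hits sourced by internal hosts, which warrant a look at the host.

```python
"""Triage DNS-sinkhole hits by source, following the reasoning in this thread.
Added example, not Palo Alto Networks code; the CSV layout is a constructed,
simplified stand-in for exported Threat and URL Filtering logs."""
import csv
import io

FIREWALL_MGMT_IP = "192.0.2.1"  # assumption: firewall management IP (placeholder)

# Constructed sample export: THREAT rows are Anti-Spyware DNS hits, URL rows are
# URL Filtering detections. The domains are the ones named in the thread.
SAMPLE_LOGS = """\
time,type,src,dst,name,category,action
2020-06-01T10:00:01,URL,10.0.0.25,203.0.113.10,news.sqllitlerver.info/index.php,malware,block-url
2020-06-01T10:05:00,THREAT,192.0.2.1,198.51.100.53,news.sqllitlerver.info,spyware,sinkhole
2020-06-01T10:05:00,THREAT,192.0.2.1,198.51.100.53,us.jaxonsorensen.club,spyware,sinkhole
2020-06-01T10:07:30,THREAT,10.0.0.42,198.51.100.53,log.osloger.biz,spyware,sinkhole
"""

def parse_logs(text):
    return list(csv.DictReader(io.StringIO(text)))

def host_of(name):
    # URL rows carry a path; keep only the host so both log types compare.
    return name.split("/", 1)[0].lower()

def triage(rows, mgmt_ip):
    """Map (src, domain) -> verdict for every sinkholed DNS query.
    Firewall-sourced hits whose domain also appears as a URL Filtering
    detection match the report-generation behaviour described above; hits
    from any other source are clients that tried to resolve the domain."""
    url_domains = {host_of(r["name"]) for r in rows if r["type"] == "URL"}
    verdicts = {}
    for r in rows:
        if r["type"] != "THREAT" or r["action"] != "sinkhole":
            continue
        key = (r["src"], host_of(r["name"]))
        if r["src"] != mgmt_ip:
            verdicts[key] = "investigate-host"
        elif key[1] in url_domains:
            verdicts[key] = "report-lookup"
        else:
            # Firewall-sourced with no URL detection in this export: check
            # the other report sources before concluding anything.
            verdicts[key] = "firewall-sourced-unexplained"
    return verdicts

if __name__ == "__main__":
    for (src, dom), v in triage(parse_logs(SAMPLE_LOGS), FIREWALL_MGMT_IP).items():
        print(f"{src:14} {dom:26} {v}")
```

Swap in the real management IP and a genuine CSV export with the same columns to run it against your own logs.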

L1 Bithead

Hi @mivaldi,

Those are good ideas. I have a rule for blocking APT with malware URLs, and the threat stopped when I disabled it.


So many thanks

Khai
