Spyware with DNS Protection


L1 Bithead

Hi All,

Our firewall drops DNS traffic to C&C domains (us.jaxonsorensen.club, news.sqllitlerver.info & log.osloger.biz) with the source IP address of the firewall. This issue started after the Threat update on 28/05/2020.


Will appreciate any help/suggestions.


Best regards,

Khai



L7 Applicator

This can be caused by the firewall running DNS proxy, or attempting to fill out the IP information in pre-defined threat reports. Check your Threat logs to see if these domains have been observed, and verify the threat reports to see if any were generated reporting the malicious domain findings.

Thanks Mivaldi,

The problem here is that I didn't configure DNS Proxy. I checked all hosts in our network; nothing queries the spyware DNS. Only the Palo Alto firewall makes the request.


Thanks,

Khai

Check your URL Filtering logs.

I tested these and see that PA blocks them under threat as type spyware.

Source address is my PC and it is working as expected as I have DNS sinkhole configured.

You will not see any traffic for these sites under URL as it is sinkholed.

MP

Help the community: Like helpful comments and mark solutions.

@MP18 I think you got lost in the train of thought. @Khai-Huynh is saying that the DNS sinkhole actions are showing up for traffic where the firewall management IP is the source of the DNS queries. @Khai-Huynh is hinting that the firewall could be compromised since there should not be a reason for it to source queries to malicious domains. What I am saying here is that this is not a sign of a compromised firewall, since queries to malicious domains may happen when the firewall generates Threat Reports. Some of these threat reports are based on URL Filtering malware category detections (for example), and the firewall will source a DNS query to fill out IP address information in the Threat Reports (that may subsequently get caught in the Anti-Spyware DNS profile).
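A small triage helper for the situation described above, added here as an example and not part of this thread or of PAN-OS: it groups DNS-sinkhole hits by source address, so hits sourced from the firewall's management address (assumed placeholder 10.0.0.1) are flagged for checking threat-report generation or DNS proxy first, while hits from internal hosts are flagged for endpoint investigation. The log line format and the sample lines are constructed, not real PAN-OS threat log syntax.

```python
"""Triage DNS-sinkhole threat events by source address.

Constructed, simplified log lines (NOT real PAN-OS threat log syntax):
    <time>,<src_ip>,<dst_ip>,<domain>,<action>
Sinkhole hits sourced from the firewall itself can come from threat
report generation (as the thread explains); hits sourced from hosts
are the ones that warrant endpoint investigation.
"""
import csv
from collections import defaultdict
from io import StringIO

# Assumption: management address(es) of the firewall (placeholder value).
FIREWALL_MGMT_IPS = {"10.0.0.1"}

# Constructed sample log: two firewall-sourced hits, one host-sourced hit,
# and one ordinary allowed query that must be ignored.
SAMPLE_LOG = """\
2020-05-28T10:01:02,10.0.0.1,8.8.8.8,us.jaxonsorensen.club,sinkhole
2020-05-28T10:01:03,10.0.0.1,8.8.8.8,news.sqllitlerver.info,sinkhole
2020-05-28T10:05:10,192.168.1.55,8.8.8.8,log.osloger.biz,sinkhole
2020-05-28T10:06:00,192.168.1.55,8.8.8.8,example.com,allow
"""

FIELDS = ("time", "src", "dst", "domain", "action")


def parse_events(text):
    """Parse the constructed CSV format into a list of dicts, skipping malformed rows."""
    reader = csv.reader(StringIO(text))
    return [dict(zip(FIELDS, row)) for row in reader if len(row) == len(FIELDS)]


def triage(events, mgmt_ips=FIREWALL_MGMT_IPS):
    """Return {src_ip: {"verdict": str, "domains": [..]}} for sinkhole actions only."""
    hits = defaultdict(set)
    for ev in events:
        if ev["action"] == "sinkhole":
            hits[ev["src"]].add(ev["domain"])
    result = {}
    for src, domains in hits.items():
        if src in mgmt_ips:
            verdict = "firewall-sourced: check threat report generation / DNS proxy first"
        else:
            verdict = "host-sourced: investigate the endpoint"
        result[src] = {"verdict": verdict, "domains": sorted(domains)}
    return result


if __name__ == "__main__":
    for src, info in triage(parse_events(SAMPLE_LOG)).items():
        print(f"{src}: {info['verdict']} ({', '.join(info['domains'])})")
```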

Hi @mivaldi,

Those are good ideas. I have a rule for blocking APT with malware URLs. The threat stopped when I disabled it.

So many thanks

Khai
