We use Cisco Umbrella/OpenDNS for secure DNS and web protection. The Cisco Umbrella setup guide says that they use DNSCrypt for secure DNS queries. This setup has worked flawlessly for years until about two weeks ago. We began getting alerts that the two IP addresses from OpenDNS (Cisco Umbrella) are now being flagged periodically as threat 18003 DNS C2 Traffic. Any reason why the PAs are now flagging and dropping this traffic? It used to not do this. No changes to the OpenDNS/Cisco Umbrella environment. We have verified with pcap traffic and other means that this is indeed traffic from OpenDNS connectors and Cisco Umbrella. Any suggestions would be helpful with helping silence these alerts. We obviously don't want to kill all alerts on C2 DNS traffic, just address the noisy false positives that we are now seeing. Thanks in advance.