False positives in log for dns

Question

Attack : PROTOCOL-DNS SPOOF query response with TTL of 1 min. and no authority 
 
 Receiving thousands of these, coming from my 2 inside DNS servers.... what is causing this alert?

Aditya Patel · Answer

Hi All, 
 To take a PCAP from your XG , you may need conduct the following steps 
 Step 1: Capture the traffic via tcpdump 
 console>tcpdump filedump verbose count 10000 'host 1.1.1.1 -s0 #where 1.1.1.1 is the host address you would monitor, for this issue 8.8.8.8. 
 Step 2: Execute the command in Shell access option 5-3 
 #mount -w -o remount / 
 Step 3: Copy the File to a different path 
 #cp /tmp/data/tcpdump.pcap /usr/share/userportal/tcpdump.pcap 
 Step 4: Download the File from your XG user portal via URL . 
 https://<Your XG interface address>/tcpdump.pcap

Aditya Patel · Answer

HI Alex, 
 Thank you for the PCAP , Could you share the logs from the reports that were detected? That should help us analyze the logs. 
 As for the port you may use console>tcpdump filedump verbose count 10000 'port 53 -s0 #where 53 is the port address you would monitor for DNS queries.