With our XG we periodically get ATP reports that our DC/DNS servers are part of a botnet (C2/Generic)... Now it seems obvious that this is perhaps not strictly the case, and that other devices on the network are making DNS lookups to known bad places through the DNS servers. This is confirmed by, I presume, Heartbeat (the DC has Advanced Central endpoint on it), which identifies the process as dns.exe...
Yesterday I changed the way our DNS worked on the XG to try and get an idea of what is actually behind these ATP events. Before, it was forwarding DNS requests to our DCs, but I changed this to forward responses to external DNS servers and created request routes for our internal servers.
This has worked for the most part, but I have discovered that AD binding was no longer working due to missing SRV records. It seems I can't create request routes or the records themselves on the XG in the interface.
So... at some point I'm probably going to have to go back to the old DNS setup, but I was hoping someone might have a bright idea on how to deal with this situation!
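The question behind the post is which client is really behind the lookups that the ATP alert pins on dns.exe on the DC. One way to answer that without re-plumbing DNS through the XG is to turn on the DNS Server debug (packet) log on the DC and attribute each inbound query to the client IP that sent it. The Python below is an added example, not code from the original thread or from any Sophos or Microsoft tooling; it assumes the default Windows DNS debug-log packet layout, and the log lines, the watchlist domain and every IP address in it are constructed for illustration.

```python
"""Attribute DNS lookups seen by a Windows DNS server to the clients that asked.

Parses Windows DNS Server debug (packet) log lines and, for query packets
received from clients, counts which client IP asked for which name.  The
server's own outbound copies to its forwarder (the packets a gateway sees
coming from dns.exe on the DC) and all responses are ignored, so the DC is
never reported as the source of a lookup it merely relayed.
"""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# Assumed default packet-log column layout after the date/time/thread/PACKET/id
# fields: proto, Snd|Rcv, remote IP, XID, optional 'R' (response), opcode,
# [flags rcode], qtype, qname in (len)label(len)label(0) form.
_PACKET_RE = re.compile(
    r"""\b(?P<proto>UDP|TCP)\s+(?P<direction>Snd|Rcv)\s+(?P<remote>\S+)\s+
        (?P<xid>[0-9a-fA-F]{4})\s+(?P<resp>R)?\s+(?P<opcode>[A-Z?])\s+
        \[(?P<flags_hex>[0-9a-fA-F]{4})\s+(?P<flags>[A-Z ]*?)\s*(?P<rcode>[A-Z]+)\]\s+
        (?P<qtype>\S+)\s+(?P<qname>\S+)""",
    re.VERBOSE,
)


@dataclass(frozen=True)
class DnsPacket:
    direction: str      # "Rcv" or "Snd", from the DNS server's point of view
    remote: str         # client IP for inbound queries, forwarder IP for outbound ones
    is_response: bool
    qtype: str
    qname: str          # decoded, lower-cased, no trailing dot
    rcode: str


def decode_name(wire: str) -> str:
    """Turn '(3)www(7)example(3)com(0)' into 'www.example.com'; '(0)' alone is the root."""
    labels = [lab for lab in re.findall(r"\(\d+\)([^()]*)", wire) if lab]
    return ".".join(labels).lower() if labels else "."


def parse_line(line: str):
    """Return a DnsPacket for a packet log line, or None for anything else."""
    m = _PACKET_RE.search(line)
    if not m:
        return None
    return DnsPacket(direction=m["direction"], remote=m["remote"],
                     is_response=m["resp"] is not None, qtype=m["qtype"],
                     qname=decode_name(m["qname"]), rcode=m["rcode"])


def on_watchlist(qname: str, watchlist) -> bool:
    """True when qname is a watchlisted domain or any subdomain of one."""
    q = qname.lower().rstrip(".")
    return any(q == d or q.endswith("." + d)
               for d in (w.lower().rstrip(".") for w in watchlist))


def attribute_queries(lines, watchlist):
    """Map client IP -> {'QTYPE name': count} for watchlisted names it asked this server for.

    Only inbound (Rcv) query packets count; the server's own Snd packets to its
    forwarder and every response are skipped.
    """
    hits = defaultdict(Counter)
    for line in lines:
        pkt = parse_line(line)
        if pkt is None or pkt.is_response or pkt.direction != "Rcv":
            continue
        if on_watchlist(pkt.qname, watchlist):
            hits[pkt.remote][f"{pkt.qtype} {pkt.qname}"] += 1
    return {ip: dict(c) for ip, c in hits.items()}


# Constructed sample: a client asks the DC for a watchlisted name, the DC forwards
# it (Snd) to 203.0.113.53, gets the answer back, and relays it; two unrelated
# lookups and an AD locator SRV query are mixed in.  None of this is real traffic.
SAMPLE_LOG = """\
9/1/2020 10:00:01 AM 0B3C PACKET  000001F2A3B4C5D0 UDP Rcv 192.168.10.57   0a1b   Q [0001   D   NOERROR] A      (3)cnc(3)bad(7)example(3)net(0)
9/1/2020 10:00:01 AM 0B3C PACKET  000001F2A3B4C6E8 UDP Snd 203.0.113.53    7f21   Q [0001   D   NOERROR] A      (3)cnc(3)bad(7)example(3)net(0)
9/1/2020 10:00:01 AM 0B40 PACKET  000001F2A3B4C6E8 UDP Rcv 203.0.113.53    7f21 R Q [8081   DR  NOERROR] A      (3)cnc(3)bad(7)example(3)net(0)
9/1/2020 10:00:01 AM 0B40 PACKET  000001F2A3B4C5D0 UDP Snd 192.168.10.57   0a1b R Q [8081   DR  NOERROR] A      (3)cnc(3)bad(7)example(3)net(0)
9/1/2020 10:00:02 AM 0B3C PACKET  000001F2A3B4C7F0 UDP Rcv 192.168.10.57   0a1c   Q [0001   D   NOERROR] AAAA   (3)cnc(3)bad(7)example(3)net(0)
9/1/2020 10:00:03 AM 0B3C PACKET  000001F2A3B4C800 UDP Rcv 192.168.10.12   33d9   Q [0001   D   NOERROR] A      (3)www(9)microsoft(3)com(0)
9/1/2020 10:00:04 AM 0B3C PACKET  000001F2A3B4C810 UDP Rcv 192.168.10.88   4e02   Q [0001   D   NOERROR] SRV    (5)_ldap(4)_tcp(2)dc(6)_msdcs(4)corp(7)example(3)com(0)
9/1/2020 10:00:05 AM 0B3C PACKET  000001F2A3B4C820 TCP Rcv 192.168.10.57   0a1d   Q [0001   D   NOERROR] A      (6)beacon(3)bad(7)example(3)net(0)
"""

# Constructed watchlist: put the domains named in the ATP alert here.
WATCHLIST = ["bad.example.net"]

if __name__ == "__main__":
    for ip, names in sorted(attribute_queries(SAMPLE_LOG.splitlines(), WATCHLIST).items()):
        print(ip)
        for q, n in sorted(names.items()):
            print(f"  {n:3d}  {q}")
```

Enable the log on the DC from the Debug Logging tab of the DNS console (or with Set-DnsServerDiagnostics from the DnsServer PowerShell module), logging queries, received and sent packets, UDP and TCP, then feed the file to attribute_queries with the domains from the ATP alert as the watchlist. On the constructed sample the only client reported is 192.168.10.57; the forwarder and the DC's own outbound copies never appear, which is exactly the attribution the gateway cannot make because it only sees the DC's recursive lookup.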