
IPS logs from my internal DNS Servers

I have a UTM 625 and I am getting IPS logs that show the source address as my internal DNS servers. From what I can tell it is just DNS queries and there are not many packets, but was wondering if this is normal. I have IPS set to drop packets silently, but not sure why they are getting flagged.



  • Digging a little further in the report, it appears that my DNS server is requesting a site from a known blacklisted malware domain. Now the question is how to identify the client making the DNS request. Since my machines request DNS from the internal servers and the servers have forwarders to our ISP, I don't see the client DNS request on the UTM.

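Because the UTM only ever sees the forwarder-to-ISP leg, the client behind a flagged query has to be recovered from the internal DNS server's own query log. The script below is an added example, not code from this thread or from Sophos: it assumes the internal server is BIND with query logging enabled (the `querylog` / `category queries` channel) and parses constructed sample lines in that format to map each query for a blocklisted domain, or any subdomain of one, back to the client IP that sent it. The blocklist entry `malware-c2.example` and the sample addresses are placeholders standing in for whatever domain the IPS report named.

```python
import re
from collections import defaultdict

# Constructed sample lines in the BIND query-log format. Both the older
# "client IP#port:" form and the newer one with the "@0x..." client handle
# appear, plus one line that is not a query at all.
SAMPLE_LOG = """\
07-Mar-2024 10:15:23.456 client 10.0.0.5#51234: query: intranet.corp.example IN A + (192.168.1.2)
07-Mar-2024 10:15:24.101 client @0x7f1a2c003a40 10.0.0.17#40211 (malware-c2.example): query: malware-c2.example IN A +E(0)K (192.168.1.2)
07-Mar-2024 10:15:25.377 client 10.0.0.5#51300: query: www.malware-c2.example IN AAAA + (192.168.1.2)
07-Mar-2024 10:15:26.002 client 10.0.0.23#39900: query: updates.vendor.example IN A + (192.168.1.2)
not a query line at all
"""

# Placeholder blocklist; in practice this is the domain (or domains) the IPS
# alert or threat feed flagged.
BLOCKLIST = {"malware-c2.example"}

# Tolerates the optional "@0x..." handle and the optional "(qname)" field
# that newer BIND releases print before ": query:".
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+(?: \([^)]*\))?: "
    r"query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+)"
)


def parse_query_line(line):
    """Return (client_ip, qname, qtype) for a BIND query-log line, or None."""
    m = QUERY_RE.search(line)
    if not m:
        return None
    # Normalise the name: drop a trailing dot and lower-case it so that
    # blocklist matching is not fooled by case or FQDN formatting.
    return m.group("ip"), m.group("qname").rstrip(".").lower(), m.group("qtype")


def is_blocked(qname, blocklist):
    """True if qname equals a blocklisted domain or is a subdomain of one."""
    labels = qname.split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def clients_querying_blocked(log_text, blocklist):
    """Map each internal client IP to the blocklisted names (and types) it asked for."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_query_line(line)
        if parsed is None:
            continue  # non-query lines (startup messages, etc.) are skipped
        ip, qname, qtype = parsed
        if is_blocked(qname, blocklist):
            hits[ip].append((qname, qtype))
    return dict(hits)


if __name__ == "__main__":
    for ip, queries in clients_querying_blocked(SAMPLE_LOG, BLOCKLIST).items():
        print(ip, queries)
```

On a Windows DNS server the equivalent data comes from DNS debug logging (or the DNS Server analytic event log on newer releases); the line format differs, so only `QUERY_RE` would need to change. Run the log through this with the domain from the IPS report and the resulting client IPs are the hosts to examine; the UTM itself cannot provide them because the forwarding server is the only source address it sees.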
