
INDICATOR-COMPROMISE Suspicious .tk dns query

So I am getting emails about some bad DNS queries:

"INDICATOR-COMPROMISE Suspicious .tk dns query"

I have looked in to this, and for the most part, these are "legit" drops, but not ALL are...

Myself, I have signed up for a free .tk domain, and set it to my external IP, but I cannot resolve my domain to an IP because of these drops.


How can I "whitelist" MY .tk domain, while still blocking the others?



  • I had just the same:

    Message........: INDICATOR-COMPROMISE Suspicious .tk dns query

    Details........: https://www.snort.org/search?query=39867

    Time...........: 2016-09-07 00:00:42

    Packet dropped.: yes

    Priority.......: high

    Classification.: A Network Trojan was Detected

    IP protocol....: 17 (UDP)

    Originating IP is my internal DNS Server, destination is my upstream DNS server (ORSN public DNS).

    Strange, the snort URL goes into Nirvana, and nothing can be found about that SID.

  • We have the same problem.

    Can someone tell the reason?

  • My guess is that the .tk domain is mainly used for illegal/spam activity.

    In my DNS debug log it shows my DNS resolving at 12:00am to "diasporanet.tk" which is perfectly ok, as I run a diaspora node which checks other nodes connectivity from time to time.

    You can switch off the attack patterns (Network Protection - IPS) of DNS altogether. But I think that is not best practice. I can live with those few warning mails at midnight.

    However, the rule should be adapted; it's too strong from my point of view.

  • I've seen the same thing as Edmund.

    The link to SNORT is not valid at the time of this posting - returns no results for 39867.

    Is this a valid alert still?

  • Same issue here. It's blocking requests made by my anti-spam system to a blacklist provider.

    Is there a way to OK DNS requests to a single domain and leave the rest of the system as is?

  • You could try to edit this file:

    /etc/snort/rules/astaro.rules


    Remove this line:

    drop udp $HOME_NET any -> any 53 (msg:"D INDICATOR-COMPROMISE Suspicious .tk dns query " group="241"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|02|tk|00|"; fast_pattern:only; metadata:policy security-ips drop, service dns; classtype:trojan-activity; sid:39867;)

    I don't know how long this lasts, probably until next pattern update...
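The rule quoted above fires on two tests: byte_test:1,!&,0xF8,2 requires the flags byte at offset 2 of the DNS payload to have the QR and opcode bits clear (a standard query, not a response), and content:"|02|tk|00|" requires a final label "tk" before the root terminator. The following Python script is an added example written for this thread, not Sophos or Snort code: it re-implements those two tests on raw DNS packets and then applies a local allow-list, so that a name you own (here diasporanet.tk, as mentioned earlier in the thread) is reported separately from every other .tk query. The packets are constructed sample data built by build_query().

```python
import struct

# Added example for this thread (not Sophos/Snort code). Re-implements the two
# detection tests of rule sid:39867 and adds a per-domain exception on top.


def build_query(qname, txid=0x1234, flags=0x0100):
    """Build a minimal DNS A-record query (UDP payload). Constructed sample data."""
    header = struct.pack(">HHHHHH", txid, flags, 1, 0, 0, 0)  # QDCOUNT=1
    labels = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in qname.rstrip(".").split(".")
    )
    return header + labels + b"\x00" + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_qname(payload):
    """Read the first question name from a DNS packet (queries carry no compression)."""
    offset, labels = 12, []
    while True:
        length = payload[offset]
        if length == 0:
            return ".".join(labels)
        if length & 0xC0:  # compression pointer: not valid in a plain query's question
            raise ValueError("unexpected compression pointer in question name")
        labels.append(payload[offset + 1:offset + 1 + length].decode("ascii", "replace"))
        offset += 1 + length


def rule_39867_matches(payload):
    """byte_test:1,!&,0xF8,2 -> (flags high byte & 0xF8) == 0, i.e. QR=0 and opcode=0,
    a standard query rather than a response; content:"|02|tk|00|" -> final label 'tk'."""
    if len(payload) < 12:
        return False
    if payload[2] & 0xF8:
        return False
    return b"\x02tk\x00" in payload


def classify(payload, allowed_domains):
    """'pass' when the rule does not fire, 'allow' when it fires on an allow-listed
    name (or a subdomain of one), 'drop' otherwise."""
    if not rule_39867_matches(payload):
        return "pass"
    name = parse_qname(payload).lower()
    for allowed in allowed_domains:
        allowed = allowed.lower().rstrip(".")
        if name == allowed or name.endswith("." + allowed):
            return "allow"
    return "drop"


if __name__ == "__main__":
    allowed = {"diasporanet.tk"}  # the name you own; assumption for this example
    for qname in ("diasporanet.tk", "www.diasporanet.tk", "example.tk", "example.com"):
        pkt = build_query(qname)
        print(f"{qname:22} rule_fires={rule_39867_matches(pkt)!s:5} verdict={classify(pkt, allowed)}")
```

Note that the content test matches anywhere in the packet, which is why the rule is a pure TLD match with no notion of "your" .tk name; the allow-list in classify() is the per-domain exception the UTM rule itself cannot express, and the verdicts above are for logging and review rather than a replacement for the IPS exception list discussed later in the thread.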

  • I am encountering this as well. My anti-spam appliance is being blocked from some DNS lookups of potentially malicious domains, specifically those ending in .tk. I'm trying to come up with a way to allow the traffic without disabling too many features in the IPS module. Of course the question is, do I even want to allow my anti-spam appliance to do DNS lookups of potentially malicious sites? Nevertheless, here is what I came up with. Anyone know if this would work?

    Under Network Protection > Intrusion Prevention > Exceptions

    Create a New Exceptions List with the following settings:

    Skip These Checks: Intrusion Prevention

    For All Requests Coming From: Anti-Spam Appliance

    And Using These Services: DNS


    Regards,

    -------------------------------

    Interesting [in-ter-uh-sting, -truh-sting, -tuh-res-ting]

    A word typically used by IT technicians to describe an issue they didn't expect, or never encountered, and don't know how to fix.

  • That should do what you want.

    Here's a nifty trick that others can use to block all DNS inquiries to the .tk TLD: Block a TLD

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hello Bob, I am having the same issue with the .tk domain that keeps triggering the IPS. On your nifty trick, do I just use the IP address triggered by the IPS, or is there a way to block the domain itself? I already have a DNAT in place to block IP addresses, but I feel it's not working. You seem to be the go-to guy in all the forums I read, and your thoughts have really helped me.

    Thanks


    Gino.