
INDICATOR-COMPROMISE Suspicious .tk dns query

So I am getting emails about some bad DNS queries:

"INDICATOR-COMPROMISE Suspicious .tk dns query"

I have looked into this, and for the most part, these are "legit" drops, but not ALL are...

Myself, I have signed up for a free .tk domain, and set it to my external IP, but I cannot resolve my domain to an IP because of these drops.


How can I "whitelist" MY .tk domain, while still blocking the others?

  • My guess is that the .tk domain is mainly used for illegal/spam activity.

    In my DNS debug log it shows my DNS resolving at 12:00am to "diasporanet.tk", which is perfectly ok, as I run a diaspora node which checks other nodes' connectivity from time to time.

    You can switch off the attack patterns (Network Protection - IPS) of DNS altogether. But that, I think, is not best practice. I can live with those few warning mails at midnight.

    However, the rule should be adapted; it's too strong from my point of view.
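Both the question (allow MY .tk domain while still alerting on the rest) and the reply (the signature is too broad, but switching off the DNS attack patterns entirely is not best practice) come down to the same thing: keep the ".tk query" detection, but carve out a named allowlist. The following is an added example, not code from the thread or from Sophos; it runs the allowlist idea over a few constructed BIND-style DNS query log lines. "diasporanet.tk" is the domain named in the reply; "my-example.tk" is a made-up stand-in for the poster's own registration, and the log lines and client addresses are constructed.

```python
import re
from typing import Optional

# Domains this network legitimately resolves under a flagged TLD.
# "diasporanet.tk" is mentioned in the thread; "my-example.tk" is a
# constructed placeholder for the poster's own .tk registration.
ALLOWLIST = {"diasporanet.tk", "my-example.tk"}

# TLDs the IPS signature treats as suspicious (only .tk appears in the thread).
FLAGGED_TLDS = {"tk"}

# Constructed BIND-style query log lines; addresses are documentation ranges.
SAMPLE_LOG = """\
01-Jan-2024 00:00:01.001 client 192.0.2.10#53412: query: diasporanet.tk IN A + (192.0.2.1)
01-Jan-2024 00:00:02.002 client 192.0.2.11#40001: query: www.my-example.tk IN AAAA + (192.0.2.1)
01-Jan-2024 00:00:03.003 client 192.0.2.12#40002: query: update-check.somehost.tk IN A + (192.0.2.1)
01-Jan-2024 00:00:04.004 client 192.0.2.13#40003: query: www.example.com IN A + (192.0.2.1)
01-Jan-2024 00:00:05.005 client 192.0.2.14#40004: query: notatk.tk.example.com IN A + (192.0.2.1)
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<src>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\w+)"
)


def normalize(qname: str) -> str:
    """Lower-case and strip the trailing dot so comparisons are exact."""
    return qname.lower().rstrip(".")


def is_flagged_tld(qname: str) -> bool:
    """True only when the LAST label is a flagged TLD, so 'x.tk.example.com' is not matched."""
    return normalize(qname).rsplit(".", 1)[-1] in FLAGGED_TLDS


def is_allowed(qname: str, allowlist=ALLOWLIST) -> bool:
    """True when qname equals an allowlisted domain or is a subdomain of one.

    The leading dot in the endswith() check prevents 'evil-my-example.tk'
    from matching 'my-example.tk'."""
    name = normalize(qname)
    return any(name == d or name.endswith("." + d) for d in allowlist)


def classify(line: str) -> Optional[tuple[str, str]]:
    """Return (qname, verdict) for a parseable line, else None.

    verdict is 'ignore' (not a flagged TLD), 'allowed' (on the allowlist)
    or 'suspicious' (flagged TLD, not allowlisted: this is what should still alert)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    qname = normalize(m.group("qname"))
    if not is_flagged_tld(qname):
        return qname, "ignore"
    return qname, ("allowed" if is_allowed(qname) else "suspicious")


def scan(log_text: str) -> list[tuple[str, str]]:
    """Classify every line of a log; unparseable lines are dropped."""
    results = []
    for line in log_text.splitlines():
        verdict = classify(line)
        if verdict is not None:
            results.append(verdict)
    return results


def suspicious(log_text: str) -> list[str]:
    """Query names that would still raise the alert after the allowlist is applied."""
    return [qname for qname, verdict in scan(log_text) if verdict == "suspicious"]


if __name__ == "__main__":
    for qname, verdict in scan(SAMPLE_LOG):
        print(f"{verdict:10s} {qname}")
```

Run against the sample log, only update-check.somehost.tk remains "suspicious"; the two allowlisted names are reported as "allowed" and the non-.tk names are ignored. Whether a given UTM release lets you attach such an exception to the IPS pattern itself or only to the alerting side is something to check in the product documentation; the point of the example is that the exception should be keyed to the exact domain (and its subdomains), not to the whole .tk zone.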
