
INDICATOR-COMPROMISE Suspicious .tk dns query

So I am getting emails about some bad DNS queries:

"INDICATOR-COMPROMISE Suspicious .tk dns query"

I have looked into this, and for the most part, these are "legit" drops, but not ALL are...

Myself, I have signed up for a free .tk domain, and set it to my external IP, but I cannot resolve my domain to an IP because of these drops.


How can I "whitelist" MY .tk domain, while still blocking the others?
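The allowlist-plus-block behaviour asked about above, as an added illustration (not Sophos UTM code and not the Snort rule referenced later in the thread): decode the question name from a DNS query in RFC 1035 wire format, then treat only the owner's own .tk domain (a constructed placeholder here) and names under it as allowed while any other .tk name is still flagged. The `build_query` helper only constructs test packets.

```python
import struct

# Constructed placeholder for the poster's own .tk domain; not a value from the thread.
ALLOWED_TK_DOMAINS = {"my-own-domain.tk"}


def decode_question_name(packet: bytes, offset: int = 12) -> str:
    """Return the QNAME of the first question in a DNS message (RFC 1035 wire format).

    Compression pointers (top two bits of a length byte set) are not expected in
    the question section, so they are rejected instead of followed; a truncated
    packet raises ValueError rather than producing a partial name."""
    labels = []
    while True:
        if offset >= len(packet):
            raise ValueError("truncated DNS name")
        length = packet[offset]
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer or invalid label length in question name")
        offset += 1
        label = packet[offset:offset + length]
        if len(label) != length:
            raise ValueError("truncated DNS label")
        labels.append(label.decode("ascii", errors="replace"))
        offset += length
    return ".".join(labels).lower()


def classify_query(packet: bytes) -> tuple:
    """Classify a DNS query as 'not-tk', 'allowlisted' or 'suspicious-tk'.

    Only the exact allowlisted domain and names under it are allowed; a name
    that merely ends in the same characters (e.g. 'notmy-own-domain.tk') is not."""
    name = decode_question_name(packet)
    if name != "tk" and not name.endswith(".tk"):
        return name, "not-tk"
    for allowed in ALLOWED_TK_DOMAINS:
        if name == allowed or name.endswith("." + allowed):
            return name, "allowlisted"
    return name, "suspicious-tk"


def build_query(name: str, qtype: int = 1) -> bytes:
    """Build a minimal standard DNS query (constructed test input only)."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)  # id, flags=RD, QDCOUNT=1
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN


if __name__ == "__main__":
    for host in ("www.my-own-domain.tk", "other-site.tk", "sophos.com"):
        print(classify_query(build_query(host)))
```

The point of decoding the name rather than substring-matching the packet is that a match on the bytes `tk` alone would also fire on unrelated names, and an allowlist on the decoded name is what lets one domain through without weakening the check for every other .tk query.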



  • Got about 300 of these Intrusion Prevention Alerts today.

    Lots, but not all, seem to be contacting destinations like G.ROOT-SERVERS.NET

    Eg:

    *********
    Intrusion Prevention Alert

    An intrusion has been detected. The packet has been dropped automatically.
    You can toggle this rule between "drop" and "alert only" in WebAdmin.

    Details about the intrusion alert:

    Message........: INDICATOR-COMPROMISE Suspicious .tk dns query
    Details........: https://www.snort.org/search?query=39867
    Time...........: 2017-04-06 10:08:58
    Packet dropped.: yes
    Priority.......: low
    Classification.: Misc activity
    IP protocol....: 17 (UDP)

    Source IP address: 192.168.2.229
    Source port: 61828
    Destination IP address: 192.112.36.4 (G.ROOT-SERVERS.NET)
    Destination port: 53 (domain)

    --
    HA Status          : HA MASTER (node id: 2)
    System Uptime      : 55 days 11 hours 0 minutes
    System Load        : 2.28
    System Version     : Sophos UTM 9.411-3

    **********

    Destination IP address: 192.5.5.241 (f.root-servers.net)

    Destination IP address: 192.58.128.30 (j.root-servers.net)

    Destination IP address: 192.33.4.12 (c.root-servers.net)

    Destination IP address: 198.32.64.12

    Destination IP address: 128.8.10.90

    Destination IP address: 128.9.0.107


    So I don't think it actually has anything to do with .tk domains.
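A small triage helper for the alert e-mails quoted above, added here as an example and not part of the thread or of Sophos UTM: it parses the dotted "Label....: value" lines into a dict, splits the destination into address and reverse name, and marks destinations that are the root servers named in this thread, so a batch of 300 such mails can be reduced to "resolver talking to the roots" versus "other destination, look at it". The second sample alert uses a constructed documentation-range address.

```python
import re
from collections import Counter

# Root-server addresses exactly as they are named in the alerts quoted in this thread.
ROOT_SERVERS = {
    "192.112.36.4": "G.ROOT-SERVERS.NET",
    "192.5.5.241": "f.root-servers.net",
    "192.58.128.30": "j.root-servers.net",
    "192.33.4.12": "c.root-servers.net",
}

# Matches "Message........: text", "Packet dropped.: yes", "Source IP address: 1.2.3.4"
# and "HA Status          : HA MASTER"; lines without a colon-separated value are skipped.
FIELD_RE = re.compile(r"^\s*([A-Za-z ]+?)\.*\s*:\s*(.+?)\s*$")


def parse_alert(text: str) -> dict:
    """Turn one UTM 'Intrusion Prevention Alert' mail body into a dict of its fields."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1).strip()] = m.group(2)
    # "192.112.36.4 (G.ROOT-SERVERS.NET)" -> address plus optional reverse name.
    m = re.match(r"(\S+)(?:\s+\((.+)\))?", fields.get("Destination IP address", ""))
    if m:
        fields["dst_ip"], fields["dst_name"] = m.group(1), m.group(2)
    return fields


def triage(alert: dict) -> str:
    """Classify one parsed alert by its destination."""
    if alert.get("dst_ip") in ROOT_SERVERS:
        return "root-hint lookup by internal resolver"
    return "review: DNS to non-root destination"


def summarize(bodies) -> Counter:
    """Count triage outcomes over a batch of alert mail bodies."""
    return Counter(triage(parse_alert(body)) for body in bodies)


# Sample 1 is the alert quoted in this thread; sample 2 is constructed (203.0.113.53 is
# a documentation address) to show the non-root branch.
SAMPLE_ALERTS = [
    """Intrusion Prevention Alert

An intrusion has been detected. The packet has been dropped automatically.

Details about the intrusion alert:

Message........: INDICATOR-COMPROMISE Suspicious .tk dns query
Details........: https://www.snort.org/search?query=39867
Time...........: 2017-04-06 10:08:58
Packet dropped.: yes
Priority.......: low
Classification.: Misc activity
IP protocol....: 17 (UDP)

Source IP address: 192.168.2.229
Source port: 61828
Destination IP address: 192.112.36.4 (G.ROOT-SERVERS.NET)
Destination port: 53 (domain)

--
HA Status          : HA MASTER (node id: 2)
System Version     : Sophos UTM 9.411-3
""",
    """Message........: INDICATOR-COMPROMISE Suspicious .tk dns query
Source IP address: 192.168.2.229
Destination IP address: 203.0.113.53
Destination port: 53 (domain)
""",
]


if __name__ == "__main__":
    for body in SAMPLE_ALERTS:
        a = parse_alert(body)
        print(a["Source IP address"], "->", a["dst_ip"], a.get("dst_name"), ":", triage(a))
    print(summarize(SAMPLE_ALERTS))
```

Grouping by destination this way is what supports the poster's conclusion: if nearly every alert names a root server, the "source" is an internal resolver doing ordinary iterative lookups, and the few remaining ones are the only mails worth reading individually.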

  • What you are seeing are Root hints from your domain controller (zones that do not exist on the local DNS server). You will find it under the properties of your domain controller in DNS. I had the same problem with the .tk domain alert on a daily basis but then realized that it had to do with spam email. I recently upgraded to version 4.11 and the alerts stopped so I do not know if the new fix corrected any false positives.


    Gino
