
INDICATOR-COMPROMISE Suspicious .tk dns query

So I am getting emails about some bad DNS queries:

"INDICATOR-COMPROMISE Suspicious .tk dns query"

I have looked into this, and for the most part, these are "legit" drops, but not ALL are...

Myself, I have signed up for a free .tk domain, and set it to my external IP, but I cannot resolve my domain to an IP because of these drops.


How can I "whitelist" MY .tk domain, while still blocking the others?



  • Got about 300 of these Intrusion Prevention Alerts today.

    Lots, but not all, seem to be contacting destinations like G.ROOT-SERVERS.NET

    Eg:

    *********
    Intrusion Prevention Alert

    An intrusion has been detected. The packet has been dropped automatically.
    You can toggle this rule between "drop" and "alert only" in WebAdmin.

    Details about the intrusion alert:

    Message........: INDICATOR-COMPROMISE Suspicious .tk dns query
    Details........: https://www.snort.org/search?query=39867
    Time...........: 2017-04-06 10:08:58
    Packet dropped.: yes
    Priority.......: low
    Classification.: Misc activity
    IP protocol....: 17 (UDP)

    Source IP address: 192.168.2.229
    Source port: 61828
    Destination IP address: 192.112.36.4 (G.ROOT-SERVERS.NET)
    Destination port: 53 (domain)

    --
    HA Status          : HA MASTER (node id: 2)
    System Uptime      : 55 days 11 hours 0 minutes
    System Load        : 2.28
    System Version     : Sophos UTM 9.411-3

    **********

    Destination IP address: 192.5.5.241 (f.root-servers.net)

    Destination IP address: 192.58.128.30 (j.root-servers.net)

    Destination IP address: 192.33.4.12 (c.root-servers.net)

    Destination IP address: 198.32.64.12

    Destination IP address: 128.8.10.90

    Destination IP address: 128.9.0.107


    So I don't think it actually has anything to do with .tk domains.

  • This is an indication that there could be a problem with name resolution in your network or with the configuration in the UTM.  How does your config differ from DNS best practice?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
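One way to triage a batch of these alert mails along the lines Bob suggests, as an added example that is not from the thread or from Sophos: it parses the source/destination block of each alert, checks the destination against the root-server addresses (embedded as a fixed table), and groups by internal source host, so you can see whether a host (typically the DC) is recursing to the root itself instead of handing everything to the forwarders. The names `ALERT_RE`, `classify`, `triage` and the constructed `SAMPLE_MAIL` are this example's own.

```python
import re
from collections import Counter, defaultdict

# IPv4 addresses of the 13 root name servers (a..m) per the IANA root hints file.
ROOT_SERVER_IPS = {
    "198.41.0.4", "199.9.14.201", "192.33.4.12", "199.7.91.13", "192.203.230.10",
    "192.5.5.241", "192.112.36.4", "198.97.190.53", "192.36.148.17",
    "192.58.128.30", "193.0.14.129", "199.7.83.42", "202.12.27.33",
}

# Source/destination block of one UTM alert mail, in the format quoted above.
ALERT_RE = re.compile(
    r"Source IP address: (?P<src>[\d.]+)\s+Source port: \d+\s+"
    r"Destination IP address: (?P<dst>[\d.]+)(?: \((?P<name>[^)]*)\))?\s+"
    r"Destination port: (?P<port>\d+)"
)

def classify(dst_ip, dst_name):
    """'root-server' if the destination is a root name server, else 'unverified'.
    A resolver with stale root hints may use addresses that have since changed,
    so 'unverified' means look it up by hand, not 'benign'."""
    name = (dst_name or "").lower()
    if dst_ip in ROOT_SERVER_IPS or name.endswith("root-servers.net"):
        return "root-server"
    return "unverified"

def triage(mail_text):
    """Group port-53 alerts by internal source host. A host whose dropped
    queries go to the root servers is recursing on its own instead of
    sending everything to the configured forwarders."""
    per_host = defaultdict(Counter)
    for m in ALERT_RE.finditer(mail_text):
        if m.group("port") == "53":
            per_host[m["src"]][classify(m["dst"], m["name"])] += 1
    return {h: {"alerts": sum(c.values()), "root_server": c["root-server"],
                "unverified": c["unverified"], "recursing_to_root": c["root-server"] > 0}
            for h, c in per_host.items()}

# Constructed sample mail: three alerts shaped like the ones in the thread.
ALERT_FMT = ("Source IP address: {}\nSource port: {}\n"
             "Destination IP address: {}\nDestination port: 53 (domain)\n\n")
SAMPLE_MAIL = "".join(ALERT_FMT.format(*a) for a in [
    ("192.168.2.229", 61828, "192.112.36.4 (G.ROOT-SERVERS.NET)"),
    ("192.168.2.229", 50112, "192.5.5.241 (f.root-servers.net)"),
    ("192.168.2.50", 40001, "203.0.113.7"),
])

if __name__ == "__main__":
    for host, finding in triage(SAMPLE_MAIL).items():
        print(host, finding)
```

Feed it the concatenated alert mails and a host with `recursing_to_root` set is the one whose DNS configuration to check against the forwarder/request-routing setup; an `unverified` destination on port 53 still needs a manual lookup before you decide it is harmless.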
  • DNS Best Practice:

    1. Allowed networks. Left blank as we have internal DNS.

    2. Forwarders. OpenDNS 1 and OpenDNS 2. Use ISP forwarders is not checked.

    3. I have nothing in Request Routing. Not sure of your instructions - do I actually put '20.16.172.in-addr.arpa -> {Internal DNS}' in the Domain field, and put the internal DNS in Target servers? Or do you mean put '20.16.172.in-addr.arpa' in Domain, and drag the Internal DNS host into Target Servers? 

    5. Doesn't this happen automatically?

    James.

  • 3. Yes, "put '20.16.172.in-addr.arpa' in Domain, and drag the Internal DNS host into Target Servers."  Thanks! - I've corrected/clarified that in the DNS post.

    5. In Windows Server, at least when I last set up a Windows server, only the IP of the server is included.  Even then, only if DNS is already configured on the server when you configure DHCP.

    I would try conforming to DNS Best Practice to see if your DC stops trying to go to the root name servers.  This should also speed up browsing.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA