UTM 9 making suspicious dns queries

Hello, 

Lately, my UTM 9 has been doing suspicious DNS queries. I have IPS enabled and at least once a week I receive the following alert:

Message........: INDICATOR-COMPROMISE Suspicious .ml dns query
Details........: www.snort.org/search
Time...........: 2016-11-07 06:29:32
Packet dropped.: yes
Priority.......: high
Classification.: A Network Trojan was Detected
IP protocol....: 17 (UDP)

Source IP address: 172.16.1.200
Source port: 51776
Destination IP address: 8.8.8.8 (google-public-dns-a.google.com)
Destination port: 53 (domain)

The source IP address (172.16.1.200) is our internal DNS server. I have UTM configured to forward all DNS requests to our internal DNS server, which in turn has Google public DNS as forwarder. After receiving the above alert several times I turned on logging on my DNS server, and every time that I receive the IPS alert, I can see that the queries for the suspicious DNS come from one of the UTM's internal IP addresses.

I know for a fact that the UTM is not forwarding a request from an internal client, because all of my clients and servers have my internal DNS set by DHCP. So there's no reason for a client to be sending a DNS query to the UTM. I even tried querying one of the suspicious domain names from my workstation and then checked the log on my DNS server: I could see my workstation's IP address in the DNS log, so the query wasn't forwarded by the UTM.


Can someone please shed some light as to why my UTM would be querying suspicious domain names? Or what steps can I take to stop UTM from querying these domain names?


Any help is greatly appreciated! Thanks!
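The correlation the question describes (resolver query log against the IPS alert's source field) as an added example, not code from this thread or from Sophos: it parses constructed BIND-style query-log lines, uses 172.16.1.1 as a stand-in for a UTM internal address and made-up client addresses, and reports which client actually asked for a .ml name in the seconds before the alert.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: BIND-style query-log lines as the internal resolver
# (172.16.1.200) might record them around the time the IPS alert fired.
# 172.16.1.1 stands in for a UTM internal address; the clients are made up.
DNS_LOG = """\
07-Nov-2016 06:29:30.102 client 172.16.1.50#52110: query: intranet.example.local IN A + (172.16.1.200)
07-Nov-2016 06:29:31.877 client 172.16.1.1#43120: query: update-check.example.ml IN A + (172.16.1.200)
07-Nov-2016 06:29:31.990 client 172.16.1.51#60001: query: www.sophos.com IN A + (172.16.1.200)
07-Nov-2016 06:31:05.410 client 172.16.1.1#43121: query: cdn.example.ml IN A + (172.16.1.200)
07-Nov-2016 06:45:00.001 client 172.16.1.52#55555: query: mail.example.local IN MX + (172.16.1.200)
"""

ALERT_TIME = datetime(2016, 11, 7, 6, 29, 32)  # "Time" field of the IPS alert
SUSPICIOUS_TLDS = (".ml",)                      # the TLD the Snort rule keys on


def parse_query_log(text):
    """Yield (timestamp, client_ip, qname, qtype) from BIND-style query lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 8 or parts[2] != "client" or parts[4] != "query:":
            continue
        ts = datetime.strptime(parts[0] + " " + parts[1], "%d-%b-%Y %H:%M:%S.%f")
        client_ip = parts[3].split("#")[0]          # "ip#port:" -> ip
        yield ts, client_ip, parts[5].rstrip(".").lower(), parts[7]


def origin_of_alert(records, alert_time, window=timedelta(seconds=5), tlds=SUSPICIOUS_TLDS):
    """Clients that asked the resolver for a name under a suspicious TLD shortly
    before the IPS saw the forwarded query. The IPS names the resolver as the
    source; these are the hosts the query really came from."""
    lo = alert_time - window
    return sorted({ip for ts, ip, name, _ in records
                   if name.endswith(tlds) and lo <= ts <= alert_time})


def clients_by_tld_count(records, tlds=SUSPICIOUS_TLDS):
    """How many suspicious-TLD lookups each client issued over the whole log."""
    counts = defaultdict(int)
    for _, ip, name, _ in records:
        if name.endswith(tlds):
            counts[ip] += 1
    return dict(counts)


if __name__ == "__main__":
    recs = list(parse_query_log(DNS_LOG))
    print("origin of alert:", origin_of_alert(recs, ALERT_TIME))
    print("suspicious lookups per client:", clients_by_tld_count(recs))
```

On a real resolver, point the parser at its query log (enable query logging first) and feed it the alert's timestamp; a resolver that shows its own address or no client at all for the .ml lookup would point at the resolver itself rather than a forwarding host.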



  • Hi,

    Do a full Anti-Virus scan on the DNS server, UTM is detecting a Trojan located at your DNS server or it might be a false-positive. 

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support
    Knowledge Base  |  @SophosSupport  |  Video tutorials
    Remember to like a post.  If a post (on a question thread) solves your question use the 'This helped me' link.

  • Thanks for your reply.

    Actually, our DNS server is not infected. I turned on DNS logging on my DNS server and I can see that the suspicious DNS query originates from the UTM and is sent to my DNS server, which can't resolve the domain name, so it gets forwarded to Google's public DNS. At this point IPS detects the suspicious query and sends me an alert stating that my DNS server is the source, but it's really the UTM.

  • Which features do you use on your UTM?

    Possibly some try to check the links for security reasons.

    Seen this with other mail security.

    If this is not caused by a known feature you may have malicious software on your UTM ... but I think this is very unlikely.

    BTW: I would use UTM to connect to external DNS servers (with split/policy DNS for the internal domain) and let internal servers use UTM as DNS proxy.


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.

  • I agree with Dirk.  You might want to consider DNS Best Practice.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Is it possible you have an infected client/workstation that is making a DNS request to a malicious site, and the client/workstation is using your UTM as its default DNS server?

    -------------------------------

    Interesting [in-ter-uh-sting, -truh-sting, -tuh-res-ting]

    A word typically used by IT technicians to describe an issue they didn't expect, or never encountered, and don't know how to fix.
