UTM 9 making suspicious dns queries

Hello, 

Lately, my UTM 9 has been doing suspicious DNS queries. I have IPS enabled and at least once a week I receive the following alert:

 

Message........: INDICATOR-COMPROMISE Suspicious .ml dns query
Details........: www.snort.org/search
Time...........: 2016-11-07 06:29:32
Packet dropped.: yes
Priority.......: high
Classification.: A Network Trojan was Detected
IP protocol....: 17 (UDP)

Source IP address: 172.16.1.200
Source port: 51776
Destination IP address: 8.8.8.8 (google-public-dns-a.google.com)
Destination port: 53 (domain)

 

The source IP address (172.16.1.200) is our internal DNS server. I have UTM configured to forward all DNS requests to our internal DNS server, which in turn has Google public DNS as forwarder. After receiving the above alert several times I turned on logging on my DNS server, and every time that I receive the IPS alert, I can see that the queries for the suspicious DNS names come from one of the UTM's internal IP addresses.

I know for a fact that the UTM is not forwarding a request from an internal client, because all of my clients and servers have my internal DNS set by DHCP. So there's no reason for a client to be sending a DNS query to the UTM. I even tried querying one of the suspicious domain names from my workstation and then checked the log on my DNS server; I could see my workstation's IP address in the DNS log, so the query wasn't forwarded by the UTM.

 

Can someone please shed some light as to why my UTM would be querying suspicious domain names? Or what steps can I take to stop UTM from querying these domain names?

 

Any help is greatly appreciated! Thanks!
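The correlation step the post describes, looking past the IPS alert's reported source (the forwarding DNS server) to the DNS server's own query log to find the host that actually asked for the flagged name, as an added example that is not part of the original thread. It assumes a simplified query-log layout (timestamp, client IP, name) and a placeholder internal address for the UTM; the real Windows DNS debug log would need its own parser.

```python
import re
from datetime import datetime, timedelta

# Constructed IPS alert, using the fields and values shown in the post.
IPS_ALERT = """\
Message........: INDICATOR-COMPROMISE Suspicious .ml dns query
Time...........: 2016-11-07 06:29:32
Source IP address: 172.16.1.200
Destination IP address: 8.8.8.8 (google-public-dns-a.google.com)
"""

# Constructed DNS-server query log. The layout (timestamp, client IP, name)
# is an assumption for this example, not the real Windows DNS debug-log
# format; 172.16.1.1 stands in for the UTM's internal address (placeholder).
DNS_LOG = """\
2016-11-07 06:29:30 172.16.1.50 www.example.com
2016-11-07 06:29:31 172.16.1.1 lookup-placeholder.ml
2016-11-07 06:29:31 172.16.1.77 mail.example.com
2016-11-07 06:20:00 172.16.1.50 older-placeholder.ml
"""

KEY_VALUE = re.compile(r"^([A-Za-z][A-Za-z ]*?)\.*\s*:\s*(.*)$")
TLD_IN_MSG = re.compile(r"Suspicious (\.[a-z]+) dns query", re.I)


def parse_alert(text):
    """Turn the dotted 'Key....: value' alert lines into a dict."""
    fields = {}
    for line in text.splitlines():
        m = KEY_VALUE.match(line.strip())
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields


def find_true_origin(alert_text, dns_log_text, window_seconds=5):
    """Return (client, name) pairs from the DNS log that explain the alert."""
    # The IPS sees the forwarder as the source, so the real client is the host
    # that asked the DNS server for a name under the flagged TLD just before
    # the alert fired.
    alert = parse_alert(alert_text)
    alert_time = datetime.strptime(alert["Time"], "%Y-%m-%d %H:%M:%S")
    tld = TLD_IN_MSG.search(alert["Message"]).group(1).lower()
    window = timedelta(seconds=window_seconds)
    hits = []
    for line in dns_log_text.splitlines():
        date, clock, client, name = line.split()
        ts = datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S")
        if name.lower().endswith(tld) and abs(alert_time - ts) <= window:
            hits.append((client, name))
    return hits
```

Running `find_true_origin(IPS_ALERT, DNS_LOG)` on the constructed data returns only the query from the placeholder UTM address, which is the check the post made by hand; the window keeps older queries for the same TLD from being blamed.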



  • Hi,

    Do a full Anti-Virus scan on the DNS server; UTM is detecting a Trojan located at your DNS server, or it might be a false positive.

    Thanks

  • Thanks for your reply.

    Actually, our DNS server is not infected. I turned DNS logging on on my DNS server, and I can see that the suspicious DNS query is originating from UTM: it sends the query to my DNS server, which can't resolve the domain name, so it gets forwarded to Google's public DNS. This is the point at which IPS detects the suspicious query and sends me an alert, stating my DNS server is the source, but it's really the UTM.
