IPS Alert: Some internal hosts to (*.root-servers.net) Destination port: 53 (domain)

I'm in production now with our SG330.  Overall it's going GREAT!

 

I've been getting a lot of IPS Alerts when our Barracuda Spam Firewall and our Active Directory Domain Controllers try to talk to DNS root servers.

If I add those hosts to the DNS Servers section under Network Protection > Intrusion Prevention > Advanced > Performance Tuning, that should take care of it, yes?

 

Thank you!

-KJ



  • Kris, you might want to change your setup to DNS Best Practice.  We would need to see the warning to be able to have an idea about the 'Advanced' tab.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Thanks Bob, I'll read DNS Best Practice.

    I'm getting IPS hits on Rule ID 39866:  INDICATOR-COMPROMISE Suspicious .ml dns query.

    It is always for internal servers reaching out to either Google's DNS Servers at 8.8.8.8 & 8.8.4.4, or the various hosts at *.root-servers.net.

    ____________________________
    Kris Jacobs
    Network Administrator
    Calhoun County IT Department
    Battle Creek, Michigan   USA

  • DNS Best Practice Rule #1 seems contradictory to what I read in UTM when looking at Network Services > DNS > Allowed networks.

    "If you already run an internal DNS server (for example as part of Active Directory), you should leave this setting empty."

     

    We do, Active Directory Domain Controllers.  That is why I've left it blank.

    ____________________________
    Kris Jacobs

  • All I can tell you, Kris, is that 18 months ago, someone at Sophos thought the approach in that post was correct enough to copy it into a KnowledgeBase article: Best practice: DNS Configuration on the Sophos UTM.

    Cheers - Bob

     