  1. #1
    Untanglit
    Join Date
    Aug 2010
    Posts
    27

    Default Misidentified DNS Traffic

    First of all thanks for the awesome product. It is working well now that I have a box that can handle the modules I want to use.

    Protocol Control is identifying some DNS traffic as other protocols.
    My DHCP scope has the following statement for DNS servers:
    option domain-name-servers 4.2.2.1, 8.8.8.8, 208.67.222.222, 8.8.4.4, 68.87.85.98;

    Port 53 (DNS) is being misidentified on occasion as:
    (S)NTP, NBNS, STUN, World of Warcraft & X Windows Version 11
    (S)NTP was by far the most misidentified.

    Here is a bit of the log:
    Code:
    9/20/2010 5:03	PC1	(S)NTP			FALSE	208.67.222.222	53
    9/20/2010 9:03	PC2	(S)NTP			FALSE	8.8.8.8		53
    9/20/2010 11:13	PC2	STUN			FALSE	68.87.85.98	53
    9/20/2010 11:17	PC3	(S)NTP			FALSE	68.87.85.98	53
    9/20/2010 14:09	PC4	X Windows Version 11	FALSE	4.2.2.1		53
    9/20/2010 17:52	PC4	World of Warcraft	FALSE	4.2.2.1		53
    9/20/2010 20:29	S1	NBNS			FALSE	8.8.4.4		53
    I am not noticing any issues with internet access.
    There are 11 kinds of people in the world, those who know binary, those who don't, & those who think they do.

    Proud member of America’s most distrusted minority!!

  2. #2
    Untangler jcoffin's Avatar
    Join Date
    Aug 2008
    Location
    Sunnyvale, CA
    Posts
    2,633

    Default

    Protocol Control uses packet signatures to flag or block on all ports. To avoid this extra logging, change port 53 to bypass the UVM by using bypass rules in Networking.

  3. #3
    Untanglit
    Join Date
    Aug 2010
    Posts
    27

    Default

    Sounds good.
    Thanks for the fast reply.
    There are 11 kinds of people in the world, those who know binary, those who don't, & those who think they do.

    Proud member of America’s most distrusted minority!!

  4. #4
    Untangle Ninja dwasserman's Avatar
    Join Date
    Jun 2008
    Location
    Argentina
    Posts
    3,965

    Default

    Bypassing port 53 from inside can be a security issue. What if Protocol Control works well and is blocking some DNS attack from inside to the DNS servers?

    I'm in the 11th kind of people, the paranoid ones.
    The world is divided into 10 kinds of people, those who know binary and those who don't.
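    The log excerpt in post #1, the bypass advice in post #2 and the concern raised in post #4 suggest a small triage step before blanket-bypassing port 53: parse the Protocol Control lines, keep the port-53 flows whose label is not DNS, and separate those going to the resolvers the DHCP scope hands out (the thread's signature misfires) from those going anywhere else. The script below is an added example written for this thread, not code from the thread or from Untangle. It assumes the six tab-separated columns seen in the excerpt (date/time, client, protocol, a TRUE/FALSE flag taken here to mean "blocked", server, port); the resolver list comes from the thread's DHCP option, and two log lines are constructed and marked as such.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Resolvers taken from the DHCP "option domain-name-servers" line in the thread.
CONFIGURED_RESOLVERS = {"4.2.2.1", "8.8.8.8", "208.67.222.222", "8.8.4.4", "68.87.85.98"}

# Seven lines copied from the thread's log excerpt, plus two constructed lines:
# a correctly identified DNS flow, and a port-53 flow to a destination that is NOT
# in the DHCP list (198.51.100.7 is a documentation address, not a real server).
SAMPLE_LOG = (
    "9/20/2010 5:03\tPC1\t(S)NTP\t\t\tFALSE\t208.67.222.222\t53\n"
    "9/20/2010 9:03\tPC2\t(S)NTP\t\t\tFALSE\t8.8.8.8\t\t53\n"
    "9/20/2010 11:13\tPC2\tSTUN\t\t\tFALSE\t68.87.85.98\t53\n"
    "9/20/2010 11:17\tPC3\t(S)NTP\t\t\tFALSE\t68.87.85.98\t53\n"
    "9/20/2010 14:09\tPC4\tX Windows Version 11\tFALSE\t4.2.2.1\t\t53\n"
    "9/20/2010 17:52\tPC4\tWorld of Warcraft\tFALSE\t4.2.2.1\t\t53\n"
    "9/20/2010 20:29\tS1\tNBNS\t\t\tFALSE\t8.8.4.4\t\t53\n"
    "9/20/2010 6:00\tPC1\tDNS\t\t\tFALSE\t8.8.8.8\t\t53\n"          # constructed
    "9/20/2010 7:15\tPC5\tSOCKS5\t\t\tFALSE\t198.51.100.7\t53\n"    # constructed
)


@dataclass(frozen=True)
class Flow:
    when: str
    client: str
    protocol: str
    blocked: bool   # assumed meaning of the TRUE/FALSE column
    server: str
    port: int


def parse_log(text: str) -> list:
    """Split each non-empty line on runs of tabs (the excerpt pads its columns
    with a variable number of tabs) into the six fields seen in the thread."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = re.split(r"\t+", line.strip())
        if len(fields) != 6:
            raise ValueError(f"unexpected field count in line: {line!r}")
        when, client, proto, flag, server, port = fields
        flows.append(Flow(when, client, proto, flag.upper() == "TRUE", server, int(port)))
    return flows


def non_dns_on_53(flows):
    """Port-53 flows that Protocol Control labelled as something other than DNS."""
    return [f for f in flows if f.port == 53 and f.protocol != "DNS"]


def triage(flows):
    """Two Counters of protocol labels: port-53 flows to the resolvers the DHCP
    scope hands out (most likely signature misfires, the thread's case) and
    port-53 flows to any other destination (worth a look before bypassing port 53)."""
    to_resolvers = Counter()
    to_others = Counter()
    for f in non_dns_on_53(flows):
        target = to_resolvers if f.server in CONFIGURED_RESOLVERS else to_others
        target[f.protocol] += 1
    return to_resolvers, to_others


if __name__ == "__main__":
    to_resolvers, to_others = triage(parse_log(SAMPLE_LOG))
    print("non-DNS labels on port 53 to configured resolvers:", dict(to_resolvers))
    print("non-DNS labels on port 53 to other destinations: ", dict(to_others))
```

Run it on an exported log and the second counter is the one to review: flows to the configured resolvers match the false positives the thread describes, while a non-DNS label on port 53 to an unlisted destination is exactly the case a port-wide bypass rule would hide.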

  5. #5
    Untanglit eth><'s Avatar
    Join Date
    Sep 2010
    Posts
    29

    Default

    Quote Originally Posted by Giljorak View Post
    First of all thanks for the awesome product. It is working well now that I have a box that can handle the modules I want to use.

    Protocol Control is identifying some DNS traffic as other protocols.
    My DHCP scope has the following statement for DNS servers:
    option domain-name-servers 4.2.2.1, 8.8.8.8, 208.67.222.222, 8.8.4.4, 68.87.85.98;

    Port 53 (DNS) is being misidentified on occasion as:
    (S)NTP, NBNS, STUN, World of Warcraft & X Windows Version 11
    (S)NTP was by far the most misidentified.

    Here is a bit of the log:
    Code:
    9/20/2010 5:03	PC1	(S)NTP			FALSE	208.67.222.222	53
    9/20/2010 9:03	PC2	(S)NTP			FALSE	8.8.8.8		53
    9/20/2010 11:13	PC2	STUN			FALSE	68.87.85.98	53
    9/20/2010 11:17	PC3	(S)NTP			FALSE	68.87.85.98	53
    9/20/2010 14:09	PC4	X Windows Version 11	FALSE	4.2.2.1		53
    9/20/2010 17:52	PC4	World of Warcraft	FALSE	4.2.2.1		53
    9/20/2010 20:29	S1	NBNS			FALSE	8.8.4.4		53
    I am not noticing any issues with internet access.
    I got the same issue 2 days ago, discovered it in the reports yesterday.

    Maybe a new sort of scan or bad traffic through port 53.
    In the past I noticed a similar issue on port 53 with SOCKS5 and not DNS indent.
    It would be very interesting to find out what exactly is behind that kind of issue.
    Last edited by eth><; 09-28-2010 at 08:08 AM.

  6. #6
    Untanglit eth><'s Avatar
    Join Date
    Sep 2010
    Posts
    29

    Default

    http://www.abuse.ch/?p=2796

    I hope it is not this one.
