#1 Untangle Ninja (Join Date: Jan 2011, Posts: 1,302)

Threat prevention blocking DNS root hint servers

    I installed Threat Prevention today, just to see what it would do. I left it set on defaults, blocking only High Risk traffic.

Before long I noticed a handful of DNS lookups by my DNS server (Win 2012R2) being blocked as "High Risk". After looking at the reports for a bit, trying to determine if these were legit DNS lookups or I had something bad happening, I saw it blocking one of the root hint servers! Specifically F.ROOT-SERVERS.NET. (192.5.5.241).

    I checked that I have the correct IP address, it is the current published address for that root hint server.

    Here is the threat report:
    Code:
    Threat Results
    Address/URL: 192.5.5.241
    Country: United States [US]
    Popularity: Lower than 10M [4]
    Recent Threat Count: 1 occurrences
    Age: 73 months
    Reputation: High Risk
    Details: These are high risk IP addresses. There is a high predictive risk that these IPs will deliver attacks - such as malicious payloads, DoS attacks, or others - to your infrastructure and endpoints.
Note that it says that it's had a known DNS root hint server in its threat list for 73 months.... SIX YEARS.

    Threat Prevention is 100% worthless (and actively harmful) if this is the quality of the threat database.

#2 sky-knight (Untangle Ninja; Join Date: Apr 2008, Location: Phoenix, AZ, Posts: 25,111)


    Heh, I figured it was working as intended.

DNS servers are all marked as "high threat". Why? Because DNS Sec in its various iterations is being handled by the browser to bypass your established DNS resolution path.

Egress DNS from a known DNS server should be bypassed, and as such... exempt from Threat Prevention entirely. All of the rest of these lookups SHOULD block egress DNS to random locations, because Firefox / Google are bypassing filtration. Not Untangle's filtration mind you... because Web Filter works on the HTTPS session and not the DNS session, but still... I love the fact this module is actually forcing browsers to use the DNS path I configured.

    Furthermore... when I stuffed 192.5.5.241 into the Brightcloud it's marked benign. So perhaps you've got a bad lookup in there?
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

#3 Untangle Ninja (Join Date: Jan 2011, Posts: 1,302)


OK, this is a worthwhile discussion...

I took the presence of a DNS root server in the threat list as pretty much ridiculous, proof the threat list can't be trusted at all. However I could see the logic you're suggesting, that direct DNS lookups should be considered something of a threat, and desired DNS traffic should be passed by rule. Still, having known legit DNS servers tagged as "High Threat" seems over the top. That should be reserved for genuinely malicious actors. Also, these were not the only DNS lookups that were being blocked; several IPs for lookups associated with Google were tagged as High Threat too. If one wants to list legit DNS servers so that you can block unauthorized DNS access, I'd think the highest they ought to be listed is "Moderate Risk".

    As to your and my different results for 192.5.5.41, I can't explain that discrepancy (which is itself suspicious). I just checked it again, when I ask Threat Prevention for the report on 192.5.5.241 it still comes up High Threat. Naturally I've turned the module off until I can get some level of trust that the threat database is reasonably sane.

#4 Untangle Ninja (Join Date: Jan 2011, Posts: 1,302)


I installed Threat Prevention at a different site, which happens to still be on 15.0 while the original site above is on 15.1, and I get the same result there when I look up 192.5.5.241 - High Threat.

#5 sky-knight (Untangle Ninja; Join Date: Apr 2008, Location: Phoenix, AZ, Posts: 25,111)


    But stuff that IP into here: https://www.brightcloud.com/tools/url-ip-lookup.php

    Then things get really confusing... how is Brightcloud calling it a threat, and not at the same time?
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

#6 hpaunet (Untangler; Join Date: May 2018, Posts: 60)


    I see different results with the Threat Lookup in NG Firewall, which shows High Risk as the Reputation vs the Brightcloud lookup tool which simply shows Benign.

    Of interest is this article DNS over HTTPS. DNS Resolvers are considered a high threat and are categorized as "Proxy Avoidance and Anonymizers".

    To add color to the comments below, it is about the effectiveness of security and filtering policies. Filtering services rely on visibility into DNS traffic to block domains with malicious or unsuitable content. When they don't have it, they are no longer able to see the domain being visited. There have been businesses concerned that some browsers allowed users to configure their own DoH-supporting DNS resolver and completely bypass DNS resolver configuration that was standard for their company.
    Thus, classifying DNS Resolvers in category Proxy Avoidance and Anonymizers is used to ensure that by default the visibility is there.

    Now, as with other Untangle apps, defaults can be tweaked by using rules, and we're making that easier by adding a tab in the Threat Prevention app with the ability to specify pass sites.
    Heather P
    Untangle Product Team

#7 Untangle Ninja (Join Date: Jan 2011, Posts: 1,302)


    Quote Originally Posted by hpaunet View Post
    To add color to the comments below, it is about the effectiveness of security and filtering policies. Filtering services rely on visibility into DNS traffic to block domains with malicious or unsuitable content. When they don't have it, they are no longer able to see the domain being visited. There have been businesses concerned that some browsers allowed users to configure their own DoH-supporting DNS resolver and completely bypass DNS resolver configuration that was standard for their company.
    Thus, classifying DNS Resolvers in category Proxy Avoidance and Anonymizers is used to ensure that by default the visibility is there.
OK, this logic I can generally accept, though I still think calling known legit DNS resolvers "High Risk" is a bit too much... that assessment should be reserved for confirmed malicious actors. Certainly I did not expect installing Threat Protection with default settings would start blocking completely ordinary DNS requests. I can certainly see wanting to interfere with DoH if I'm controlling content to that degree, but that shouldn't be a default-level setting.

It's interesting also that just a tiny handful of DNS requests were blocked, only to a half-dozen or so IPs including one of the 10 or so Root Hint servers. If I was expecting to actually block DoH with Threat Protection, I wouldn't be very happy. So I guess that also produced my initial knee-jerk reaction; the inconsistency of it pointed to a poorly populated threat database.

#8 sky-knight (Untangle Ninja; Join Date: Apr 2008, Location: Phoenix, AZ, Posts: 25,111)


    I haven't seen Threat Prevention interfere with TCP or UDP 53, only TCP 443. Do you care that it's blocking TCP 443 to the root servers?

Though the intermittence of the situation is an issue. But for me it's been utterly consistent; this copy of Firefox won't leave Cloudflare alone.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

#9 Untangle Ninja (Join Date: Jan 2011, Posts: 1,302)


    Quote Originally Posted by sky-knight View Post
    I haven't seen Threat Prevention interfere with TCP or UDP 53, only TCP 443. Do you care that it's blocking TCP 443 to the root servers?
It was blocking UDP 53 to those servers, my DNS server's routine DNS lookups.
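Added example, not from any post in this thread and not Untangle's code: a small triage script for the situation the thread describes. It reads a block/pass export (the CSV layout here is constructed, since the thread does not show Threat Prevention's real export format), checks each destination against the published IPv4 root server addresses (F root, 192.5.5.241, is the one named in the thread; the other twelve should be re-checked against the current root hints file before use), and separates three things the posts above conflate: the internal resolver's own UDP/53 lookups to the root zone, which a pass rule should protect; port 443 traffic to a resolver address, which is the DNS-over-HTTPS bypass pattern hpaunet says the "Proxy Avoidance and Anonymizers" category exists to catch (treating any blocked 443 as a DoH candidate is a heuristic assumption of this example); and plain DNS from workstations that bypass the internal resolver. The authorized resolver address and the sample rows are constructed.

```python
"""Triage Threat Prevention block events against the DNS root server list.

Added example, not code from the thread or from Untangle. The log format
below is constructed for illustration; the root server addresses are the
published IPv4 root hints and should be re-checked against the current
root hints file (https://www.internic.net/domain/named.root) before use.
"""
import csv
import io
import ipaddress
from collections import Counter

# Published IPv4 addresses of the 13 root name servers (verify against the
# current root hints; these values do change occasionally).
ROOT_SERVERS = {
    "a.root-servers.net": "198.41.0.4",
    "b.root-servers.net": "199.9.14.201",
    "c.root-servers.net": "192.33.4.12",
    "d.root-servers.net": "199.7.91.13",
    "e.root-servers.net": "192.203.230.10",
    "f.root-servers.net": "192.5.5.241",
    "g.root-servers.net": "192.112.36.4",
    "h.root-servers.net": "198.97.190.53",
    "i.root-servers.net": "192.36.148.17",
    "j.root-servers.net": "192.58.128.30",
    "k.root-servers.net": "193.0.14.129",
    "l.root-servers.net": "199.7.83.42",
    "m.root-servers.net": "202.12.27.33",
}
ROOT_BY_IP = {ip: name for name, ip in ROOT_SERVERS.items()}

# Constructed sample export (not Threat Prevention's real format).
SAMPLE_LOG = """\
timestamp,src_ip,dst_ip,protocol,dst_port,reputation,action
2020-05-01T10:00:01,10.0.0.5,192.5.5.241,UDP,53,High Risk,block
2020-05-01T10:00:02,10.0.0.5,198.41.0.4,UDP,53,Trustworthy,pass
2020-05-01T10:00:03,10.0.0.5,203.0.113.7,UDP,53,Trustworthy,pass
2020-05-01T10:00:04,10.0.0.23,1.1.1.1,TCP,443,High Risk,block
2020-05-01T10:00:05,10.0.0.23,8.8.8.8,UDP,53,High Risk,block
not,a,valid,row
"""

# Internal resolver(s) allowed to send DNS out of the network (constructed;
# the Win 2012R2 DNS server from the thread would be listed here).
AUTHORIZED_RESOLVERS = {"10.0.0.5"}


def classify(event, authorized_resolvers):
    """Label one event by the kind of DNS traffic it most likely is."""
    port = int(event["dst_port"])
    root_name = ROOT_BY_IP.get(event["dst_ip"])
    if port == 53 and root_name:
        # Iterative lookups from a recursive resolver to the root zone:
        # blocking these breaks name resolution for the whole site.
        return "root_hint_lookup"
    if port == 443:
        # Heuristic: port 443 to an address the reputation feed flags is
        # the DNS-over-HTTPS pattern the resolver category is meant to catch.
        return "doh_candidate"
    if port == 53 and event["src_ip"] in authorized_resolvers:
        return "resolver_egress"
    if port == 53:
        # Plain DNS from a host that should be using the internal resolver.
        return "unauthorized_plain_dns"
    return "other"


def parse_events(log_text):
    """Parse the CSV export, skipping rows that are not well formed."""
    events = []
    for row in csv.DictReader(io.StringIO(log_text)):
        try:
            ipaddress.ip_address(row["src_ip"])
            ipaddress.ip_address(row["dst_ip"])
            int(row["dst_port"])
        except (ValueError, TypeError, KeyError):
            continue
        events.append(row)
    return events


def triage(log_text, authorized_resolvers=AUTHORIZED_RESOLVERS):
    """Count events per category/action and list the root servers that
    were actually blocked, i.e. the candidates for a pass rule."""
    counts = Counter()
    root_hits_blocked = []
    for ev in parse_events(log_text):
        category = classify(ev, authorized_resolvers)
        counts[f"{category}/{ev['action']}"] += 1
        if category == "root_hint_lookup" and ev["action"] == "block":
            root_hits_blocked.append((ev["dst_ip"], ROOT_BY_IP[ev["dst_ip"]]))
    return {"counts": dict(counts), "root_hits_blocked": sorted(root_hits_blocked)}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for key, n in sorted(result["counts"].items()):
        print(f"{key:32} {n}")
    for ip, name in result["root_hits_blocked"]:
        print(f"blocked root server {name} ({ip}); consider a pass rule")
```

On the constructed sample this reports one blocked root hint lookup (F root from the internal resolver), one blocked DoH candidate (a workstation to 1.1.1.1 on 443), and one blocked plain-DNS bypass (a workstation to 8.8.8.8 on 53). Only the first of those is collateral damage worth a pass rule; the other two are the behaviour hpaunet describes the category as being for.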
