Our Cisco Firepower devices are alerting every time our Security Event Monitor (SEM) attempts to resolve a hostname to an IP address where the IP is a known porn site or hacker site. I realize that this is DNS just doing its normal job, but it is still causing a bunch of logs, alerts and blocks on our FP devices. This issue is addressed in the Success Center article "SEM Looks up a DNS Record from a Known Problem Site", whose summary reads: "Occasionally SEM will look up a DNS record from a site that is flagged by another product."
This explains clearly what is going on and how DNS works, but it does not give a solution for how to stop it. I want to stop the SEM from making these DNS requests. I know I could just whitelist the SEM IP in the FP, but I don't want to do that. I want to stop the SEM from querying DNS for names it already knows are bad.