Community
- Command Central
- MVP Program
- Monthly Mission
- Blogs
- Groups
- Events
- Media Vault
Products
- Observability
- Network Management
- Application Management
- IT Security
- IT Service Management
- System Management
- Database Management
Content Exchange
- SolarWinds Platform
- Server & Application Monitor
- Database Performance Analyzer
- Server Configuration Monitor
- Network Performance Monitor
- Network Configuration Manager
- SQL Sentry
- Web Help Desk
Free Tools & Trials
Store

suspicious DNS traffic rule

We have recently added checkpoint and the "suspicious DNS traffic" rule is triggering incidents. We have identified the DC as per the templates but are trying to decrease incidents.

Find more posts tagged with

suspicious dns

dns

Accepted answers

curtisi

2016-06-13 08_21_52-SolarWinds Log & Event Manager.png

All comments

curtisi

It sounds like you've already started modifying the Approved DNS Servers User Defined Group, so is there traffic in/out on port 53 to any other devices?

marcusmm8

yes i have setup all my DCs but i still see traffic in/out on port 53 ... thoughts?

curtisi

Go to nDepth, and do a search for TCPTrafficAudit.DestinationPort = 53 AND TCPTrafficAudit.DestinationMachine =/= Approved DNS Server UDG

What comes up?

marcusmm8

Can I use a connector group vs a UDG for approved DNS server?

curtisi

Assuming it has all the relevant machines in it, sure. :-)

marcusmm8

( ( ( "Event Name" = TCPTrafficAudit ) AND ( DestinationPort = 53 ) ) AND ( ( "Event Name" = TCPTrafficAudit ) AND ( DestinationMachine outside::{ "Windows Server 2003 - DC" } ) ) ) AND ( ( "Event Name" = TCPTrafficAudit ) AND ( DestinationMachine outside::{ "Windows Server 2008/2012 - DC" } ) )

I ran the above, one of the destination machine was the IP of the actual firewall?

curtisi

Sounds like you need to exempt your firewall from that rule, then. Maybe it's doing some DNS caching at the border?

marcusmm8

How would that look like?