DNS Servers being blocked



  • Off and on I see DNS servers being blocked. Like now, I see 8.8.8.8 being blocked for "SURICATA DNS Unsolicited response". I've seen Google, OpenDNS, and Quad9 DNS IPs be blocked for various reasons. Some, it's because of the response generated with an IP of a malicious domain. I assume it's because an infected machine queried for a honeypot or other known bad IP but it blocks the DNS server for the response. Ultimately I suppose I'd prefer the DNS servers not respond to those requests but there isn't really a way to stop them. Do I need to whitelist the IPs for the DNS servers? Is that normal?



  • @stewart said in DNS Servers being blocked:

    Off and on I see DNS servers being blocked. Like now, I see 8.8.8.8 being blocked for "SURICATA DNS Unsolicited response". I've seen Google, OpenDNS, and Quad9 DNS IPs be blocked for various reasons. Some, it's because of the response generated with an IP of a malicious domain. I assume it's because an infected machine queried for a honeypot or other known bad IP but it blocks the DNS server for the response. Ultimately I suppose I'd prefer the DNS servers not respond to those requests but there isn't really a way to stop them. Do I need to whitelist the IPs for the DNS servers? Is that normal?

    Yes, it is customary to whitelist the DNS servers used by the firewall and your clients (or put them in a Pass List) when using Legacy Mode.



  • @bmeeks

    I never realized that. We'll make the changes. Thanks!



  • @stewart said in DNS Servers being blocked:

    @bmeeks

    I never realized that. We'll make the changes. Thanks!

    The default Pass List will contain the DNS servers configured on the firewall, but if your clients are using something else (or if you are using forwarders) then you would need to manually add the other DNS servers to a Pass List.

    The easiest and most flexible way to do this is to create an Alias on the firewall to contain all of your trusted DNS server IP addresses. Then go to the PASS LISTS tab and create a custom pass list. Leave the default-checked options in place, and in the bottom text box start typing the name of the alias you configured. It should auto-populate. Save the new list.

    Now go to the INTERFACE SETTINGS tab for the Suricata interface and scroll down until you see the section for specifying a Pass List. Select the name of your custom Pass List in the drop-down box and save the change. Restart Suricata on the interface and that should do it. Your trusted DNS hosts will no longer be blocked.



  • @bmeeks

    We have 9 different aliases that we implement that go into our Suricata alias that goes into the passlist. Email filtering services, hosted voip providers, compliance scanners, etc. Once it's set up, it's really easy to make the needed changes. Just need to make one for DNS. I appreciate the assistance!



  • @stewart said in DNS Servers being blocked:

    "SURICATA DNS Unsolicited response"

    Still, the DNS replies are being marked by Suricata (?) as "SURICATA DNS Unsolicited response".
    Ok to whitelist them upfront, but it keeps me wondering: what else is dropped?

    edit: anyway: never mind.



  • @gertjan said in DNS Servers being blocked:

    @stewart said in DNS Servers being blocked:

    "SURICATA DNS Unsolicited response"

    Still, the DNS replies are being marked by Suricata (?) as "SURICATA DNS Unsolicited response".
    Ok to whitelist them upfront, but it keeps me wondering: what else is dropped?

    edit: anyway: never mind.

    Here is a link I just found discussing this particular rule. Could be due to some asymmetric routing issue, or it could be malicious.
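The point made above (an "unsolicited" reply can be a forged packet or simply a reply whose query the sensor never saw because the outbound leg took another path) is easier to see with the matching logic written out. The following is an added illustration, not code from this thread or from Suricata itself: it pairs DNS queries with replies on a simplified key and reports replies with no outstanding query. The traffic records are constructed, and the pairing key (client, server, transaction ID, name) is an assumption that approximates, but does not reproduce, Suricata's DNS parser.

```python
"""Pair DNS queries with replies and flag replies whose query was never seen.

Added example; not from the forum thread and not Suricata's own code.
The records below are constructed. In practice they would come from a
packet capture or from the dns events in Suricata's eve.json.
"""
from collections import namedtuple

DnsRecord = namedtuple("DnsRecord", "direction client server txid qname")

# Constructed sample traffic. A well-formed exchange has a query and a
# reply that agree on client, server, transaction ID and queried name.
SAMPLE = [
    DnsRecord("query", "192.0.2.10", "8.8.8.8", 0x1A2B, "example.com"),
    DnsRecord("reply", "192.0.2.10", "8.8.8.8", 0x1A2B, "example.com"),
    # Reply whose query the sensor never observed, as happens when the
    # outbound query bypasses the monitored interface (asymmetric routing).
    DnsRecord("reply", "192.0.2.11", "9.9.9.9", 0x3C4D, "example.net"),
    # Reply whose transaction ID does not match the outstanding query:
    # from the sensor's point of view this is indistinguishable from a
    # forged answer, and the resolver IP would be blamed for it.
    DnsRecord("query", "192.0.2.12", "208.67.222.222", 0x5E6F, "example.org"),
    DnsRecord("reply", "192.0.2.12", "208.67.222.222", 0x7777, "example.org"),
]


def find_unsolicited(records):
    """Return the replies for which no outstanding query was observed.

    A query stays outstanding until a reply with the same
    (client, server, txid, qname) key consumes it. This is a simplified
    (assumed) model of the condition the rule name describes.
    """
    outstanding = set()
    unsolicited = []
    for rec in records:
        key = (rec.client, rec.server, rec.txid, rec.qname)
        if rec.direction == "query":
            outstanding.add(key)
        elif key in outstanding:
            outstanding.discard(key)
        else:
            unsolicited.append(rec)
    return unsolicited


def resolvers_blamed(records):
    """Resolver IPs that a block-on-alert policy would block for these
    replies. Sorted so the result is stable for comparison."""
    return sorted({rec.server for rec in find_unsolicited(records)})


if __name__ == "__main__":
    for rec in find_unsolicited(SAMPLE):
        print(f"unsolicited reply from {rec.server} to {rec.client} "
              f"txid={rec.txid:#06x} qname={rec.qname}")
    print("resolvers that would be blocked:", resolvers_blamed(SAMPLE))
```

Run it and both the asymmetric-routing case and the mismatched-txid case come out as "unsolicited", which is why the alert alone cannot tell you which of the two you are looking at; checking whether the sensor sees the query leg for the affected client is the useful next step.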



  • @stewart said in DNS Servers being blocked:

    @bmeeks

    We have 9 different aliases that we implement that go into our Suricata alias that goes into the passlist. Email filtering services, hosted voip providers, compliance scanners, etc. Once it's set up, it's really easy to make the needed changes. Just need to make one for DNS. I appreciate the assistance!

    And just to be clear -- putting a host in a Pass List will prevent a block but will not suppress the alert on the ALERTS tab. So you will still see alerts on this rule. If you want to suppress a particular rule entirely, then you can add the rule to a Suppress List. Doing that will prevent the alert and the corresponding block. Finally, you can also completely disable that particular rule and accomplish the same thing as a Suppress List entry. A Suppress List allows you more options for tailoring the alert suppression by host IP. Disabling a rule will disable it for all hosts. Disabling is more CPU efficient, though, since with a Suppress List the rule is still processed.
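The difference between a Pass List, a Suppress List and a disabled rule described above can be written out as a small decision function. This is an added example and not code from this thread or from the pfSense Suricata package; the alerts, the signature IDs and the list contents are all constructed (the sids are placeholders, not real signature IDs), and the exact order of checks is an assumption that follows the behaviour the post describes.

```python
"""Model the effect of a Pass List, a Suppress List and a disabled rule on
a Suricata alert in the pfSense package's Legacy Mode.

Added example; not the pfSense package's code. Alerts, sids and list
contents are constructed placeholders.
"""
import ipaddress

# Constructed alerts: (sid, rule name, source IP, destination IP).
ALERTS = [
    (1000001, "DNS Unsolicited response", "8.8.8.8", "192.0.2.10"),
    (1000001, "DNS Unsolicited response", "203.0.113.5", "192.0.2.10"),
    (1000001, "DNS Unsolicited response", "198.51.100.50", "192.0.2.10"),
    (1000002, "Noisy rule suppressed for all hosts", "198.51.100.7", "192.0.2.20"),
    (1000003, "Rule that has been disabled", "198.51.100.8", "192.0.2.20"),
]

# Pass List: the default list already covers the local networks and the
# firewall's own DNS servers; trusted public resolvers are added via an
# alias, as the thread describes. Values here are constructed.
PASS_LIST = [ipaddress.ip_network(n) for n in
             ("192.0.2.0/24", "8.8.8.8/32", "8.8.4.4/32", "9.9.9.9/32")]

# Suppress List: sid -> None (suppress for every host) or a set of IPs
# (suppress only when one of those IPs is involved).
SUPPRESS = {1000002: None, 1000001: {"198.51.100.50"}}

# Rules removed from the running rule set entirely.
DISABLED = {1000003}


def on_pass_list(ip, pass_list=PASS_LIST):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in pass_list)


def evaluate(alert, pass_list=PASS_LIST, suppress=SUPPRESS, disabled=DISABLED):
    """Return a dict saying whether the alert is shown and which IPs get
    blocked. Modelled order: disabled rule, then suppress entry, then
    pass list (assumption: mirrors the post's description)."""
    sid, _name, src, dst = alert
    if sid in disabled:
        # Never evaluated at all: no alert, no block, no CPU spent.
        return {"alert": False, "blocked": [], "why": "rule disabled"}
    if sid in suppress:
        tracked = suppress[sid]
        if tracked is None or src in tracked or dst in tracked:
            # Rule still ran (CPU cost), but the event is dropped before
            # it reaches the ALERTS tab or the blocking logic.
            return {"alert": False, "blocked": [], "why": "suppressed"}
    # Alert is logged; only endpoints not covered by the Pass List can be
    # blocked (modelled as "block both" with the Pass List exempting hosts).
    blocked = [ip for ip in (src, dst) if not on_pass_list(ip, pass_list)]
    why = "alert only, host on pass list" if not blocked else "alert and block"
    return {"alert": True, "blocked": blocked, "why": why}


if __name__ == "__main__":
    for alert in ALERTS:
        print(alert[1:], "->", evaluate(alert))
```

The first alert is the case from this thread: the reply from 8.8.8.8 is still listed on the ALERTS tab but nothing is blocked, while the same rule firing for an untrusted resolver still produces a block.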



  • @bmeeks

    But if I whitelist just those legitimate IPs, I'm only accepting the potential DoS attacks from the likes of Google, OpenDNS, and QuadDNS specific DNS servers. I would think that would still leave me pretty safe.



  • @stewart said in DNS Servers being blocked:

    @bmeeks

    But if I whitelist just those legitimate IPs, I'm only accepting the potential DoS attacks from the likes of Google, OpenDNS, and QuadDNS specific DNS servers. I would think that would still leave me pretty safe.

    I agree. We have to trust some hosts out there, and the big DNS providers are probably OK.



  • @stewart said in DNS Servers being blocked:

    @bmeeks

    We have 9 different aliases that we implement that go into our Suricata alias that goes into the passlist. Email filtering services, hosted voip providers, compliance scanners, etc. Once it's set up, it's really easy to make the needed changes. Just need to make one for DNS. I appreciate the assistance!

    Good setup! Using the nested aliases feature is a great way to manage a firewall. Makes future maintenance changes easy to accomplish and much less prone to error. For example, removing a retired host or updating the IP address for an active host. You change it in one place (the affected alias) and that change is automatically propagated to all impacted firewall rules (and packages such as Suricata or Snort). No chance that you forget to change the IP in some rule if it's used in many places.
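The propagation benefit described above (change an address in one alias and every rule or package that nests that alias picks it up) can be shown by resolving nested aliases in code. This is an added example, not pfSense code; the alias names and addresses are constructed, and pfSense's own alias expansion is not reproduced here, only the nesting idea.

```python
"""Resolve nested pfSense-style aliases into the flat set of networks a
firewall rule or a Suricata pass list would actually contain.

Added example; not pfSense code. Alias names and addresses are constructed.
"""
import ipaddress

# Constructed alias table: an entry is either a network/host or the name
# of another alias (nesting).
ALIASES = {
    "DNS_Trusted": ["8.8.8.8", "8.8.4.4", "9.9.9.9", "208.67.222.222"],
    "Email_Filtering": ["203.0.113.0/24"],
    "Compliance_Scanners": ["198.51.100.10", "198.51.100.11"],
    # The alias fed to the Suricata pass list nests the others.
    "Suricata_Pass": ["DNS_Trusted", "Email_Filtering", "Compliance_Scanners"],
}


def resolve(alias, table, _seen=frozenset()):
    """Expand an alias recursively into a set of ip_network objects.
    Raises ValueError if an alias (directly or indirectly) contains itself."""
    if alias in _seen:
        raise ValueError(f"alias cycle at {alias}")
    seen = _seen | {alias}
    networks = set()
    for entry in table[alias]:
        if entry in table:
            networks |= resolve(entry, table, seen)
        else:
            networks.add(ipaddress.ip_network(entry, strict=False))
    return networks


def members(alias, table):
    """Sorted string form of the flattened alias, as a rule would see it."""
    return sorted(str(n) for n in resolve(alias, table))


def covers(ip, alias, table):
    """True if the flattened alias contains the given IP."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in resolve(alias, table))


def replace_address(table, alias, old, new):
    """Return a new table with one address changed in one alias only.
    Every alias nesting it sees the change on its next resolution."""
    updated = {name: list(entries) for name, entries in table.items()}
    updated[alias] = [new if e == old else e for e in updated[alias]]
    return updated


if __name__ == "__main__":
    print("pass list before:", members("Suricata_Pass", ALIASES))
    changed = replace_address(ALIASES, "Compliance_Scanners",
                              "198.51.100.11", "198.51.100.12")
    print("pass list after: ", members("Suricata_Pass", changed))
```

Only `Compliance_Scanners` was edited, yet `Suricata_Pass` reflects the new scanner address, which is exactly the one-place change the post recommends; the cycle check matters because an alias that nests itself would otherwise expand forever.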



  • @bmeeks

    And while I know pfSense fairly well, it makes it easy to train and instruct other techs as they come onboard who aren't as knowledgeable.