Any ideas? DNS gone rogue.
-
Hi, I'm pretty new to using pfSense and not the best when it comes to networking; I am trying to get better though.
Can anyone give me an idea what the logs below indicate please? Everything was running fine, then I noticed this happening.
DNS is now not working correctly and is trying to connect to 150.171.10.39 (ns1-39.azure-dns.com) and 64.4.48.3 (ns2-03.azure-dns.net). I have DNS set up to use Quad9 and use remote servers only.
I have Snort running on WAN, which was throwing a lot of the alerts below.
14:23:01 2 UDP Attempted Information Leak 199.66.200.4 53 86.xx.xxx.xxx 64665 3:21355 PROTOCOL-DNS potential dns cache poisoning attempt - mismatched txid
2022-04-30 14:23:01 2 UDP Attempted Information Leak 178.255.82.125 53 86.xx.xxx.xxx 1667 3:21355 PROTOCOL-DNS potential dns cache poisoning attempt - mismatched txid
2022-04-30 14:23:01 2 UDP Attempted Information Leak 178.255.82.125 53 86.xx.xxx.xxx 54051 3:21355 PROTOCOL-DNS potential dns cache poisoning attempt - mismatched txid
And a small section of the filterlog:
Apr 29 21:50:00 Home filterlog[20504]: 16,,,1000000109,pppoe0,match,block,in,4,0x0,,243,38526,0,none,6,tcp,40,79.124.62.86,86.xxx.xxx.xxx,43010,12175,0,S,3070030394,,1024,,
Apr 29 21:50:01 Home filterlog[20504]: 8,,,1000000103,pppoe0,match,block,in,4,0x0,,245,30096,0,none,6,tcp,40,92.118.36.241,86.xx.xxx.xxx,45190,3386,0,S,1800090465,,1024,,
Apr 29 21:50:13 Home filterlog[20504]: 17,,,1000000110,pppoe0,match,block,out,4,0x0,,64,46528,0,none,17,udp,56,86.xxx.xxx.xxx,192.36.148.17,34776,53,36
Apr 29 21:50:13 Home filterlog[20504]: 17,,,1000000110,pppoe0,match,block,out,4,0x0,,64,3990,0,none,17,udp,56,86.xxx.xxx.xxx,198.41.0.4,27619,53,36
Apr 29 21:50:13 Home filterlog[20504]: 17,,,1000000110,pppoe0,match,block,out,4,0x0,,64,12692,0,none,17,udp,56,86.xxx.xxx.xxx,198.97.190.53,55084,53,36
Apr 29 21:50:13 Home filterlog[20504]: 17,,,1000000110,pppoe0,match,block,out,4,0x0,,64,42468,0,none,17,udp,56,86.xxx.xxx.xxx,198.97.190.53,5788,53,36
Apr 29 21:50:13 Home filterlog[20504]: 17,,,1000000110,pppoe0,match,block,out,4,0x0,,64,7889,0,none,17,udp,56,86.xxx.xxx.xxx,192.5.5.241,64351,53,36
Apr 29 21:50:13 Home filterlog[20504]: 17,,,1000000110,pppoe0,match,block,out,4,0x0,,64,44009,0,none,17,udp,56,86.xxx.xxx.xxx,199.7.91.13,21419,53,36
Apr 29 21:50:13 Home filterlog[20504]: 17,,,1000000110,pppoe0,match,block,out,4,0x0,,64,41997,0,none,17,udp,56,86.xxx.xxx.xxx,192.33.4.12,45348,53,36
Apr 29 21:50:13 Home filterlog[20504]: 17,,,1000000110,pppoe0,match,block,out,4,0x0,,64,18252,0,none,17,udp,56,86.xxx.xxx.xxx,192.5.5.241,45190,53,36
Apr 29 21:50:13 Home filterlog[20504]: 17,,,1000000110,pppoe0,match,block,out,4,0x0,,64,31003,0,none,17,udp,56,86.xxx.xxx.xxx,192.58.128.30,5039,53,36
Apr 29 21:50:13 Home filterlog[20504]: 17,,,1000000110,pppoe0,match,block,out,4,0x0,,64,2269,0,none,17,udp,56,86.xxx.xxx.xxx,193.0.14.129,35204,53,36
Apr 29 21:50:13 Home filterlog[20504]: 17,,,1000000110,pppoe0,match,block,out,4,0x0,,64,29857,0,none,17,udp,56,86.xxx.xxx.xxx,199.7.83.42,51412,53,36
Apr 29 21:50:13 Home filterlog[20504]: 17,,,1000000110,pppoe0,match,block,out,4,0x0,,64,59198,0,none,17,udp,56,86.xxx.xxx.xxx,199.7.83.42,35646,53,36
Apr 29 21:50:13 Home filterlog[20504]: 17,,,1000000110,pppoe0,match,block,out,4,0x0,,64,1027,0,none,17,udp,56,86.xxx.xxx.xxx,193.0.14.129,43481,53,36
Apr 29 21:50:13 Home filterlog[20504]: 17,,,1000000110,pppoe0,match,block,out,4,0x0,,64,58456,0,none,17,udp,56,86.xxx.xxx.xxx,199.9.14.201,58259,53,36
Apr 29 21:50:13 Home filterlog[20504]: 17,,,1000000110,pppoe0,match,block,out,4,0x0,,64,48248,0,none,17,udp,56,86.xxx.xxx.xxx,192.36.148.17,46832,53,36
Apr 29 21:50:13 Home filterlog[20504]: 17,,,1000000110,pppoe0,match,block,out,4,0x0,,64,34230,0,none,17,udp,56,86.xxx.xxx.xxx,198.97.190.53,56797,53,36
Apr 29 21:50:13 Home filterlog[20504]: 17,,,1000000110,pppoe0,match,block,out,4,0x0,,64,25198,0,none,17,udp,56,86.xxx.xxx.xxx,198.97.190.53,59701,53,36
Apr 29 21:50:13 Home filterlog[20504]: 17,,,1000000110,pppoe0,match,block,out,4,0x0,,64,28054,0,none,17,udp,56,86.xxx.xxx.xxx,192.112.36.4,15182,53,36
Apr 29 21:50:13 Home filterlog[20504]: 17,,,1000000110,pppoe0,match,block,out,4,0x0,,64,24501,0,none,17,udp,56,86.xxx.xxx.xxx,192.203.230.10,60398,53,36
Apr 29 21:50:13 Home filterlog[20504]: 17,,,1000000110,pppoe0,match,block,out,4,0x0,,64,2163,0,none,17,udp,56,86.xxx.xxx.xxx,192.33.4.12,10771,53,36
Apr 29 21:50:13 Home filterlog[20504]: 17,,,1000000110,pppoe0,match,block,out,4,0x0,,64,24715,0,none,17,udp,56,86.xxx.xxx.xxx,192.58.128.30,39724,53,36
Apr 29 21:50:13 Home filterlog[20504]: 17,,,1000000110,pppoe0,match,block,out,4,0x0,,64,35972,0,none,17,udp,56,86.xxx.xxx.xxx,192.33.4.12,50026,53,36
Apr 29 21:50:13 Home filterlog[20504]: 17,,,1000000110,pppoe0,match,block,out,4,0x0,,64,28278,0,none,17,udp,56,86.xxx.xxx.xxx,193.0.14.129,12334,53,36
Apr 29 21:50:13 Home filterlog[20504]: 17,,,1000000110,pppoe0,match,block,out,4,0x0,,64,19556,0,none,17,udp,56,86.xxx.xxx.xxx,202.12.27.33,44069,53,36
Apr 29 21:50:13 Home filterlog[20504]: 17,,,1000000110,pppoe0,match,block,out,4,0x0,,64,44168,0,none,17,udp,56,86.xxx.xxx.xxx,198.97.190.53,12716,53,36
Apr 29 21:50:13 Home filterlog[20504]: 17,,,1000000110,pppoe0,match,block,out,4,0x0,,64,18274,0,none,17,udp,56,86.xxx.xxx.xxx,192.112.36.4,22425,53,36
Apr 29 21:50:13 Home filterlog[20504]: 17,,,1000000110,pppoe0,match,block,out,4,0x0,,64,59213,0,none,17,udp,56,86.xxx.xxx.xxx,199.7.91.13,23943,53,36
Apr 29 21:50:13 Home filterlog[20504]: 17,,,1000000110,pppoe0,match,block,out,4,0x0,,64,10593,0,none,17,udp,56,86.xxx.xxx.xxx,192.5.5.241,35433,53,36
Apr 29 21:50:13 Home filterlog[20504]: 17,,,1000000110,pppoe0,match,block,out,4,0x0,,64,47536,0,none,17,udp,56,86.xxx.xxx.xxx,192.36.148.17,41128,53,36
Apr 29 21:50:13 Home filterlog[20504]: 17,,,1000000110,pppoe0,match,block,out,4,0x0,,64,57153,0,none,17,udp,56,86.xxx.xxx.xxx,192.5.5.241,33828,53,36
Apr 29 21:50:13 Home filterlog[20504]: 17,,,1000000110,pppoe0,match,block,out,4,0x0,,64,50775,0,none,17,udp,56,86.xxx.xxx.xxx,192.36.148.17,8441,53,36
86.xxx.xxx.xxx
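The filterlog lines above are pfSense's CSV format run together, which makes it hard to see what they actually say. The script below is an added example, not code from the thread or from pfSense: it parses the IPv4 TCP/UDP filterlog layout into named fields, counts the blocked outbound UDP/53 packets per destination, and checks each destination against the 13 root name server addresses (all of which appear in the log above). SAMPLE_LOG is a constructed subset of the post's lines, with the WAN address masked as in the post, plus one made-up entry to a TEST-NET address so the non-root branch is exercised.

```python
"""Parse pfSense filterlog entries and summarise blocked outbound DNS (added example)."""
import re
from collections import Counter

# Fields common to every entry, then the IPv4 header fields, then per-protocol fields.
COMMON = ["rulenr", "subrulenr", "anchor", "tracker", "interface",
          "reason", "action", "dir", "ipversion"]
IPV4 = ["tos", "ecn", "ttl", "id", "offset", "flags", "protoid", "proto", "length", "src", "dst"]
TCP = ["srcport", "dstport", "datalen", "tcpflags", "seq", "ack", "window", "urg", "options"]
UDP = ["srcport", "dstport", "datalen"]

# IPv4 addresses of the 13 root name servers (a-m); every one of them shows up in the post's log.
ROOT_SERVERS = {
    "198.41.0.4": "a", "199.9.14.201": "b", "192.33.4.12": "c", "199.7.91.13": "d",
    "192.203.230.10": "e", "192.5.5.241": "f", "192.112.36.4": "g", "198.97.190.53": "h",
    "192.36.148.17": "i", "192.58.128.30": "j", "193.0.14.129": "k", "199.7.83.42": "l",
    "202.12.27.33": "m",
}

SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) filterlog\[\d+\]: (?P<csv>.*)$")

# Constructed sample: a subset of the post's lines plus one made-up TEST-NET destination.
SAMPLE_LOG = """\
Apr 29 21:50:00 Home filterlog[20504]: 16,,,1000000109,pppoe0,match,block,in,4,0x0,,243,38526,0,none,6,tcp,40,79.124.62.86,86.xxx.xxx.xxx,43010,12175,0,S,3070030394,,1024,,
Apr 29 21:50:13 Home filterlog[20504]: 17,,,1000000110,pppoe0,match,block,out,4,0x0,,64,46528,0,none,17,udp,56,86.xxx.xxx.xxx,192.36.148.17,34776,53,36
Apr 29 21:50:13 Home filterlog[20504]: 17,,,1000000110,pppoe0,match,block,out,4,0x0,,64,3990,0,none,17,udp,56,86.xxx.xxx.xxx,198.41.0.4,27619,53,36
Apr 29 21:50:13 Home filterlog[20504]: 17,,,1000000110,pppoe0,match,block,out,4,0x0,,64,12692,0,none,17,udp,56,86.xxx.xxx.xxx,198.97.190.53,55084,53,36
Apr 29 21:50:13 Home filterlog[20504]: 17,,,1000000110,pppoe0,match,block,out,4,0x0,,64,42468,0,none,17,udp,56,86.xxx.xxx.xxx,198.97.190.53,5788,53,36
Apr 29 21:50:13 Home filterlog[20504]: 17,,,1000000110,pppoe0,match,block,out,4,0x0,,64,1,0,none,17,udp,56,86.xxx.xxx.xxx,203.0.113.53,40000,53,36
"""


def parse_filterlog(line):
    """Return a dict of named fields for one IPv4 filterlog line, or None if it does not parse."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        return None
    fields = m.group("csv").split(",")
    rec = {"timestamp": m.group("ts"), "host": m.group("host")}
    rec.update(zip(COMMON, fields))
    rest = fields[len(COMMON):]
    if rec.get("ipversion") != "4":
        return None                      # IPv6 entries use a different header layout
    rec.update(zip(IPV4, rest))
    rest = rest[len(IPV4):]
    if rec.get("proto") == "tcp":
        rec.update(zip(TCP, rest))
    elif rec.get("proto") == "udp":
        rec.update(zip(UDP, rest))
    return rec


def blocked_outbound_dns(lines):
    """Count blocked outbound UDP/53 packets per destination address."""
    hits = Counter()
    for line in lines:
        rec = parse_filterlog(line)
        if (rec and rec["action"] == "block" and rec["dir"] == "out"
                and rec.get("proto") == "udp" and rec.get("dstport") == "53"):
            hits[rec["dst"]] += 1
    return hits


def classify_destinations(hits):
    """Split destinations into root servers (with their letter name) and everything else."""
    roots = {ip: f"{ROOT_SERVERS[ip]}.root-servers.net" for ip in hits if ip in ROOT_SERVERS}
    others = sorted(ip for ip in hits if ip not in ROOT_SERVERS)
    return roots, others


if __name__ == "__main__":
    hits = blocked_outbound_dns(SAMPLE_LOG.splitlines())
    roots, others = classify_destinations(hits)
    for ip, count in hits.most_common():
        print(f"{ip:16s} blocked {count}x  {roots.get(ip, 'not a root server')}")
    print("non-root DNS destinations:", others)
```

If most of the blocked destinations resolve to root servers, the firewall is seeing Unbound iterate from the root rather than forward to Quad9, which is exactly the point made later in the thread.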
-
@bassit said in Any ideas? DNS gone rogue.:
I have DNS set up to use Quad9 and use remote servers only.
So you blocked clients on your network from using their own DNS; many devices have hard-coded DNS and will attempt to use their own DNS.
You could either block that access and only allow 53 to the pfSense IP, or you could redirect DNS to the pfSense DNS that you have set up to forward to Quad9:
https://docs.netgate.com/pfsense/en/latest/recipes/dns-redirect.html#redirecting-client-dns-requests
So I take it you're using some IPS in pfSense; that sort of log is not something out-of-the-box pfSense would care about or warn on.
edit: BTW, that 178 address I show as comododns:
;; ANSWER SECTION:
125.82.255.178.in-addr.arpa. 86400 IN PTR ns0.comododns.com.
Seems odd that a client would have that hard-coded? You sure you didn't point a client to that specifically on your network? Or have that set up in pfSense other than Quad9?
-
@johnpoz
Thank you for your reply. I wanted to make sure that the DNS I set was the DNS that was used, hence the remote only.
Yes, I have Snort and Suricata both set up on the WAN, more for information gathering than anything.
I have Comodo set up on my computer, but it shouldn't be using its own DNS; on install it asks if you want to use their DNS servers, I didn't tick the option, so it shouldn't be using it. EDIT: No, not set up for Comodo DNS anywhere.
-
@bassit said in Any ideas? DNS gone rogue.:
I have Comodo set up on my computer, but it shouldn't be using its own DNS
Well, that doesn't seem to be the case. Running IPS on the WAN is not very helpful in the sense that you cannot see the internal IP doing the requesting.
As to why you would be running both Snort and Suricata: it doesn't seem like a good idea at all. If you try and run Suricata in legacy mode, pretty sure there would be a conflict; you might be able to get by with using inline mode? Either way, I would not suggest running both of them at the same time.
You could probably look in your state table and see what local IP is trying to make the connection.
edit: BTW, that other 199 IP is also Comodo:
;; QUESTION SECTION:
;4.200.66.199.in-addr.arpa. IN PTR
;; ANSWER SECTION:
4.200.66.199.in-addr.arpa. 86400 IN PTR ns0.comododns.net.
The other IPs are the root servers:
;; ANSWER SECTION:
53.190.97.198.in-addr.arpa. 3600 IN PTR h.root-servers.net.
Unbound out of the box would ask root, since out of the box it is a resolver, not a forwarder. So that is to be expected if you didn't actually set up Unbound to forward.
Keep in mind that when resolving, Unbound would talk to many name servers; it would walk down from root to find the authoritative name server for a specific domain, and then talk to them directly. So if you're resolving and not forwarding, then maybe those Comodo IPs are also the authoritative NS for that domain.
So maybe you just do not have forwarding set up like you think you do.
Yeah... the NS listed for comodo are those ns0 .com and .net:
;; QUESTION SECTION:
;comodo.com. IN NS
;; ANSWER SECTION:
comodo.com. 3600 IN NS ns0.comododns.net.
comodo.com. 3600 IN NS ns0.comododns.com.
comodo.com. 3600 IN NS ns1.comododns.net.
comodo.com. 3600 IN NS ns1.comododns.com.
So you just don't have forwarding set up like you think you did. If you are forwarding to Quad9, Unbound would not talk to roots or gTLD servers or authoritative NSes.
-
I am aware that the IPS should be run on the LAN, but every time I try, it blocks my connection with an error (same when I try inline) and I have no idea why, so I stayed with what worked; both in legacy mode, BTW. They both seem to block different things at times.
Thank you for the explanation; that would explain the IPs I have in the logs. I had a look after you mentioned the Comodo IPs and most of them are name servers of some kind.
-
@bassit said in Any ideas? DNS gone rogue.:
I had a look after you mentioned the Comodo IPs and most of them are name servers of some kind.
Then you're not forwarding like you think you're forwarding. Out of the box Unbound will resolve, and then needs to talk to roots, the gTLD servers for whatever TLD, and then the authoritative NS for whatever domain or CNAME some FQDN ends up resolving via.
If your goal is to forward and not resolve, then you're not set up correctly.
-
No, I was not forwarding like I assumed; I am about 3 weeks in with pfSense and have a lot to learn.
In General Setup I had entered the DNS servers I wanted to use, set it to use remote servers only, ignore local DNS, and unticked allow DNS to be overridden.
I hadn't changed anything in Resolver or Forwarder. The confusing part is this setup has worked with no issues for around 3 weeks, until yesterday.
-
@bassit said in Any ideas? DNS gone rogue.:
I hadn't changed anything in Resolver or Forwarder.
Well, pfSense was just resolving; that is how it is out of the box. I have been resolving for some 10 years now, never an issue.
What stopped working is most likely due to you blocking it via your IPS.
Or you had an issue resolving "something", noticed the log entries and went down a rabbit hole that has nothing to do with anything ;) if you're just in IDS mode, monitoring and not blocking.
DNS (resolving) can fail when you cannot talk to an NS in the path to getting to the authoritative NS for the domain you're wanting to look up, or cannot talk to the authoritative NS for some reason, or DNSSEC fails, etc., and you have that enabled (it's enabled out of the box). But if you're going to forward, you should uncheck that.
When something fails to resolve, and you're resolving, you need to figure out why. dig +trace is a good start to see what you're having an issue talking to. If you're forwarding and something fails, you're at the mercy of why you didn't get an answer from where you forwarded to.
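The two explanations above (Unbound walking root, gTLD and authoritative servers when resolving, and resolution failing when one server in that path cannot be reached) are easier to see with a small model. The script below is an added example, not code from the thread, from pfSense or from Unbound: it walks a constructed delegation table the way an iterative resolver does, chasing a CNAME, and contrasts that with forwarding, where the firewall only ever sees the forwarder. The only real address in it is the root hint 198.41.0.4 (a.root-servers.net, which appears in the filterlog earlier in the thread); the gTLD and authoritative servers, the zone names and the records are TEST-NET placeholders, and the toy resolver keeps no cache, so every CNAME chase restarts at root.

```python
"""Toy model of iterative resolution versus forwarding (added example, runs offline)."""

ROOT_HINT = "198.41.0.4"   # a.root-servers.net (real address; seen in the thread's filterlog)
FORWARDER = "9.9.9.9"      # Quad9, the forwarder the OP meant to use

# Constructed delegation data:
#   zone -> (address of a server for that zone,
#            referrals {child zone: server address},
#            records {name: (type, value)})
# Every address except ROOT_HINT is a TEST-NET placeholder, not a real server.
ZONES = {
    ".":            (ROOT_HINT,      {"com.": "192.0.2.30"},           {}),
    "com.":         ("192.0.2.30",   {"example.com.": "203.0.113.53"}, {}),
    "example.com.": ("203.0.113.53", {},
                     {"www.example.com.": ("CNAME", "web.example.com."),
                      "web.example.com.": ("A", "203.0.113.10")}),
}


def _best_referral(name, referrals):
    """Pick the longest child zone that encloses name, or None if there is no delegation."""
    matches = [z for z in referrals if name == z or name.endswith("." + z)]
    return max(matches, key=len) if matches else None


def resolve_iteratively(qname, zones=ZONES, unreachable=frozenset(), max_queries=16):
    """Walk the delegation chain from the root hint, as a resolver such as Unbound does.

    Returns (answer, servers_contacted). answer is None when resolution fails, and
    servers_contacted then ends with the server that could not be reached or that
    had no referral. 'unreachable' models servers this host cannot talk to, for
    example because a firewall rule blocks outbound UDP/53 to them.
    """
    contacted = []
    name, zone = qname, "."
    while len(contacted) < max_queries:
        addr, referrals, records = zones[zone]
        contacted.append(addr)
        if addr in unreachable:
            return None, contacted        # query never answered: resolution fails here
        if name in records:
            rtype, value = records[name]
            if rtype != "CNAME":
                return value, contacted
            name, zone = value, "."       # chase the CNAME target, starting again at root
            continue
        child = _best_referral(name, referrals)
        if child is None:
            return None, contacted        # no delegation path for this name
        zone = child
    return None, contacted                # referral loop or too many hops


def resolve_via_forwarder(qname, forwarder=FORWARDER, zones=ZONES, unreachable=frozenset()):
    """Forward everything to one upstream: this host only ever talks to the forwarder.

    The forwarder iterates on its own side of the link, so the local firewall's
    'unreachable' set matters only if it contains the forwarder itself.
    """
    if forwarder in unreachable:
        return None, [forwarder]
    answer, _upstream_path = resolve_iteratively(qname, zones)
    return answer, [forwarder]


if __name__ == "__main__":
    for label, fn in (("resolving", resolve_iteratively), ("forwarding", resolve_via_forwarder)):
        ans, path = fn("www.example.com.")
        print(f"{label:10s} answer={ans}  servers this host contacted={path}")
    # With outbound DNS to the root blocked, resolving fails at the very first hop,
    # while forwarding to an unblocked upstream still works.
    print("resolving, root blocked:  ", resolve_iteratively("www.example.com.", unreachable={ROOT_HINT}))
    print("forwarding, root blocked: ", resolve_via_forwarder("www.example.com.", unreachable={ROOT_HINT}))
```

The list of servers contacted in the resolving case is what shows up as outbound UDP/53 on the WAN, and it changes with every domain looked up; in the forwarding case it is always the single forwarder address, which is the behaviour the OP expected to see.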