Snort DNS Spoof messages (confused)
cr_hyland
We are getting a ridiculous amount of the following message in our Snort logs lately and I can't tell if they are legit warnings or just Snort over-paranoia.
[**] [1:254:10] DNS SPOOF query response with TTL of 1 min. and no authority Potentially Bad Traffic 184.108.40.206 53
We see thousands of these a day. I'm concerned that if we disable the rule associated with these alerts we will leave ourselves vulnerable to genuine attack by other IPs.
I know that the 220.127.116.11 IP is a Google DNS server, so maybe these messages are benign, but why would Google's DNS servers be trying to contact all my IPs one after the other all day long?
Fesoj
Maybe this somewhat older article helps:
Using Wireshark is too much work for me, but a concise dig command also helps:
[007@wopr ~]$ dig +nocmd -x 18.104.22.168 +noall +answer
22.214.171.124.in-addr.arpa. 44632 IN PTR google-public-dns-a.google.com.
Your DNS server is unlikely the authoritative one for this address, so you'll see only the remaining time to live (the number in red), which is still a bit larger than 60s. You should probably check your DNS setup, but Google doesn't seem to work with very short TTL values. As the article indicates, sid 254 is not really that useful, as real man-in-the-middle attackers would probably use lower values to attack you, or at least not exactly 60s…
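To make concrete what sid 254 actually keys on, as Fesoj describes it (a query response whose answer TTL is exactly 60 seconds and which carries no authority records), here is an added example that is not part of the thread or of Snort itself. It builds constructed DNS responses in wire format (no real captures; the names and addresses are made up), parses them with the standard library only, and applies the same heuristic, so you can see why a legitimate 60-second answer from a public resolver fires the rule while the same answer with a longer TTL or with an authority section does not. The function and record names are this example's own.

```python
import struct
from typing import Dict, List


def build_name(name: str) -> bytes:
    """Encode a dotted name as DNS labels (uncompressed)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode()
    return out + b"\x00"


def build_response(qname: str, ttl: int, ip: str, authority: bool) -> bytes:
    """Constructed DNS response: one A answer, optionally one NS authority RR.
    Flags 0x8180 = response, recursion desired and available, NOERROR."""
    txid, flags = 0x1234, 0x8180
    nscount = 1 if authority else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 1, nscount, 0)
    question = build_name(qname) + struct.pack("!HH", 1, 1)  # type A, class IN
    rdata = bytes(int(o) for o in ip.split("."))
    # 0xC00C is a compression pointer back to the question name at offset 12
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + rdata
    pkt = header + question + answer
    if authority:
        ns = build_name("ns.example.com")  # constructed nameserver name
        pkt += b"\xc0\x0c" + struct.pack("!HHIH", 2, 1, 3600, len(ns)) + ns
    return pkt


def skip_name(data: bytes, offset: int) -> int:
    """Return the offset just past a (possibly compressed) name."""
    while True:
        length = data[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:   # compression pointer: 2 bytes, ends the name
            return offset + 2
        offset += 1 + length


def parse_response(data: bytes) -> Dict:
    """Parse header, skip the question section, collect answer RRs."""
    flags, qdcount, ancount, nscount = struct.unpack("!HHHH", data[2:10])
    off = 12
    for _ in range(qdcount):
        off = skip_name(data, off) + 4          # QTYPE + QCLASS
    answers: List[Dict] = []
    for _ in range(ancount):
        off = skip_name(data, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        answers.append({"type": rtype, "ttl": ttl, "rdata": data[off:off + rdlen]})
        off += rdlen
    return {"is_response": bool(flags & 0x8000),
            "answers": answers, "nscount": nscount}


def sid254_matches(data: bytes) -> bool:
    """The heuristic the thread attributes to Snort sid 254: a query response
    whose answer TTL is exactly 60 s (0x3C) and that has no authority RRs."""
    r = parse_response(data)
    if not r["is_response"] or not r["answers"]:
        return False
    return r["nscount"] == 0 and all(a["ttl"] == 60 for a in r["answers"])


def triage(data: bytes, responder: str, known_resolvers: List[str]) -> str:
    """Defender's first cut on an alert: a rule match from a resolver you
    actually configured is expected noise; from anywhere else it needs a look."""
    if not sid254_matches(data):
        return "no-match"
    return "expected-resolver" if responder in known_resolvers else "investigate"


if __name__ == "__main__":
    resolvers = ["198.51.100.53"]  # constructed: the resolver you configured
    short = build_response("www.example.com", 60, "203.0.113.10", authority=False)
    print(triage(short, "198.51.100.53", resolvers))   # expected-resolver
    print(triage(short, "192.0.2.99", resolvers))      # investigate
    long_ttl = build_response("www.example.com", 3600, "203.0.113.10", False)
    print(triage(long_ttl, "192.0.2.99", resolvers))   # no-match
```

The point the example makes is the one in the reply: the rule is a fixed-pattern match on one TTL value and an empty authority section, which legitimate resolvers produce all day. The `triage` function shows the cheap defensive cut, comparing the responding address against the resolvers you actually configured, before deciding whether to tune the rule by source or drop it.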