Snort DNS Spoof messages (confused)

cr_hyland

We are getting a ridiculous mount of the following message in our Snort logs lately and I can't tell if they are legit warnings or just Snort over-paranoia.

[**] [1:254:10] DNS SPOOF query response with DNS SPOOF query response with TTL of 1 min. and no authority Potentially Bad Traffic 8.8.8.8 53

We see thousands of these a day, i'm concerned that if we disable the rule associated with these alerts we will leave ourselves vulberable to genuine attack by other IPs.
I know that the 8.8.8.8 IP is a google DNS server so maybe these messages are benign but why would Googles DNS servers be trying to contact all my IPs one after the other all day long?

Cheers.

Fesoj

Maybe this somewhat older article helps:

http://taosecurity.blogspot.com/2003/12/understanding-snort-dns-ttl-alerts.html

Using Wireshark is too much work for me, but a concise dig command also helps:

[007@wopr ~]$ dig +nocmd -x 8.8.8.8 +noall +answer
8.8.8.8.in-addr.arpa.  44632  IN      PTR    google-public-dns-a.google.com.

Your dns server is unlikely the authorative one for this address, so you'll see only the remainig time to live (the number in red), which is still a bit larger than 60s. You should probably check your DNS setup, but Google doesn't seem to work with very short TTL values. As the article indicates, sid 254 is not really that useful, as real man-in-the-middle attackers would probably use lower values to attack you, or at least not exactly 60s…