Netgate Discussion Forum

    Snort DNS Spoof messages (confused)

    pfSense Packages
    cr_hyland

      We are getting a ridiculous amount of the following message in our Snort logs lately and I can't tell if they are legit warnings or just Snort over-paranoia.

      [**] [1:254:10] DNS SPOOF query response with TTL of 1 min. and no authority [**] Potentially Bad Traffic 8.8.8.8 53

      We see thousands of these a day. I'm concerned that if we disable the rule associated with these alerts we will leave ourselves vulnerable to a genuine attack by other IPs.
      I know that the 8.8.8.8 IP is a Google DNS server, so maybe these messages are benign, but why would Google's DNS servers be trying to contact all my IPs one after the other all day long?

      Cheers.

      Fesoj

        Maybe this somewhat older article helps:

        http://taosecurity.blogspot.com/2003/12/understanding-snort-dns-ttl-alerts.html

        Using Wireshark is too much work for me, but a concise dig command also helps:

        [007@wopr ~]$ dig +nocmd -x 8.8.8.8 +noall +answer
        8.8.8.8.in-addr.arpa.  44632  IN      PTR    google-public-dns-a.google.com.

        Your DNS server is unlikely to be the authoritative one for this address, so you'll see only the remaining time to live (the 44632 in the output above), which is still a bit larger than 60s. You should probably check your DNS setup, but Google doesn't seem to work with very short TTL values. As the article indicates, sid 254 is not really that useful, as real man-in-the-middle attackers would probably use lower values to attack you, or at least not exactly 60s…

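An added example, not from either poster: the check below reproduces the condition that the sid 254 alert name spells out (a DNS response with an answer TTL of exactly 60 seconds and no authority records) over constructed DNS response packets, so you can see which responses would and would not fire before deciding to disable the rule. The header pattern assumed here (flags 0x8180, one question, one answer, zero authority, zero additional, one A record with TTL 0x3C) is my reading of the rule's message text; the sample names and addresses are made up, and the 44632 TTL is taken from the dig output in the reply above.

```python
import struct

# Constructed sample data and a minimal DNS response parser (added example,
# not part of the original thread or of Snort itself).

def encode_name(name: str) -> bytes:
    """Encode a dotted name into DNS label format (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_response(qname: str, ttl: int, ipv4: str, with_authority: bool = False) -> bytes:
    """Build a standard A-record response: one question, one answer,
    optionally one NS record in the authority section. Constructed test data."""
    nscount = 1 if with_authority else 0
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, nscount, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)          # type A, class IN
    rdata = bytes(int(o) for o in ipv4.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    authority = b""
    if with_authority:
        ns_rdata = encode_name("ns1.example.invalid.")                  # hypothetical nameserver
        authority = b"\xc0\x0c" + struct.pack("!HHIH", 2, 1, 86400, len(ns_rdata)) + ns_rdata
    return header + question + answer + authority


def _skip_name(data: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) name."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:          # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length


def parse_dns_response(data: bytes) -> dict:
    """Parse header counts and the answer section (type, TTL, rdata) of a DNS message."""
    _tid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(data, off) + 4     # qtype + qclass
    answers = []
    for _ in range(an):
        off = _skip_name(data, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        answers.append({"type": rtype, "class": rclass, "ttl": ttl,
                        "rdata": data[off:off + rdlen]})
        off += rdlen
    return {"flags": flags, "qdcount": qd, "ancount": an, "nscount": ns,
            "arcount": ar, "answers": answers}


def matches_sid254(data: bytes) -> bool:
    """True when the packet looks like what sid 254 describes:
    a response carrying a single A answer with TTL 60s and no authority section."""
    r = parse_dns_response(data)
    is_response = bool(r["flags"] & 0x8000)
    return (is_response and r["qdcount"] == 1 and r["ancount"] == 1
            and r["nscount"] == 0 and r["arcount"] == 0
            and r["answers"][0]["type"] == 1 and r["answers"][0]["ttl"] == 60)


SAMPLES = {
    "ttl 60, no authority (alerts)": build_response("www.example.invalid.", 60, "198.51.100.7"),
    "ttl 44632 cached PTR-style answer": build_response("www.example.invalid.", 44632, "198.51.100.7"),
    "ttl 60 but authority present": build_response("www.example.invalid.", 60, "198.51.100.7", with_authority=True),
    "ttl 59 (evades the exact-60s check)": build_response("www.example.invalid.", 59, "198.51.100.7"),
}

if __name__ == "__main__":
    for label, pkt in SAMPLES.items():
        print(f"{label:40s} -> sid254 match: {matches_sid254(pkt)}")
```

The last sample is the point the reply makes: the rule only keys on a TTL of exactly 60 seconds, so a response with TTL 59 (or any other value) sails past it, while a legitimate resolver that happens to hand out 60-second TTLs without an authority section trips it every time.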
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.