Dave
Explorer

IPS: Non Compliant DNS - illegal number of resource records

Getting IPS to drop DNS traffic for some of our machines, but not all.

There is not much info to find related to this, so I'm a bit stuck on where to start searching for what could be going wrong.

The packet capture in the Forensic Details isn't of much help either, as Wireshark will just tell that it's a malformed packet.

What's visible in Follow TCP Stream is this: '.....dns.msftncsi.com...........'

Any further explanation or help on how to troubleshoot is appreciated.

0 Kudos
4 Replies
JanVC
Collaborator

I've seen these kinds of drops before when DNS is being "abused" for other stuff, like FortiGate doing lookups for malicious IPs/URLs to their threat cloud.

I think I also saw it for SfB TXT records or something in that genre.

0 Kudos
Dave
Explorer

To start off with, how did you troubleshoot this further?

The easy way to get around this would be to make an exception for the core protection on different VLANs, but then you would miss the opportunity to detect this again when actual and real potential misuse is taking place.

How did you resolve this in the end?

0 Kudos
JanVC
Collaborator

For the FortiGate you can configure the lookup to use another port (I think 5555); that way it doesn't trigger the IPS protection anymore.

For Skype, it's just something I saw in the logs; nobody mentioned an issue, so no further investigation was done.

I would start by identifying which source device is causing your logs (laptop/desktop/server/other firewall/...).

0 Kudos
Dave
Explorer

Coming back to myself on the forensic details of this IPS event, I now know what the use of this is.

Hosts try to resolve this domain as a mechanism to check and let Windows know whether they have internet connectivity or not.

The host resolves the domain, which hosts a txt file that the resolving host then downloads. If this is successful, Windows knows internet connectivity is fine.

Now the trouble lies in this mechanism, and that's why the IPS event is triggered, or at least that's what I think.

Say an attacker inside your network can in some way poison the DNS name dns.msftncsi.com and forward all traffic to a malicious domain, serving the same kind of text file or maybe some script that lets you download some sort of malware instead of the regular txt file that is used for the connectivity mechanism Windows uses.

Does this sound like a plausible story, and is this the reason why Check Point IPS got triggered, because its intelligence knows about the potential misuse of the Windows internet connectivity mechanism?

0 Kudos
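The signature name in the thread, "illegal number of resource records", describes a DNS message whose header counts (QDCOUNT/ANCOUNT/NSCOUNT/ARCOUNT) do not match the records that can actually be decoded from the body. The following is an added example, not code from the thread or from Check Point or FortiGate: it parses the DNS wire format (RFC 1035) far enough to compare the declared counts with the decodable records, and runs that check over two constructed responses for dns.msftncsi.com, one well-formed and one whose header claims an answer that is not present. The query ID, TTL and the TEST-NET address 192.0.2.1 are constructed values, not the real response for that name.

```python
"""Compare DNS header section counts with the records actually present.

Added example for this thread (not Check Point's or the poster's code).
Both sample messages are constructed here; the address 192.0.2.1 is
from the TEST-NET range and is not the real answer for dns.msftncsi.com.
"""
import struct


def _read_name(msg: bytes, offset: int) -> tuple[str, int]:
    """Decode a possibly-compressed name; return (name, offset past it).

    Follows RFC 1035 compression pointers but refuses pointer loops and
    names that run past the end of the message.
    """
    labels, jumped, end, hops = [], False, offset, 0
    while True:
        if offset >= len(msg):
            raise ValueError("name runs past end of message")
        length = msg[offset]
        if length & 0xC0 == 0xC0:               # compression pointer
            if offset + 1 >= len(msg):
                raise ValueError("truncated compression pointer")
            pointer = struct.unpack_from("!H", msg, offset)[0] & 0x3FFF
            if not jumped:
                end = offset + 2                # caller resumes after the pointer
            jumped, hops, offset = True, hops + 1, pointer
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        if length == 0:                         # root label ends the name
            if not jumped:
                end = offset + 1
            return ".".join(labels) or ".", end
        offset += 1
        if offset + length > len(msg):
            raise ValueError("label runs past end of message")
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length


def check_rr_counts(msg: bytes) -> dict:
    """Report declared vs. decodable record counts and whether they agree."""
    if len(msg) < 12:
        raise ValueError("message shorter than DNS header")
    _id, _flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
    declared = {"question": qd, "answer": an, "authority": ns, "additional": ar}
    parsed = {k: 0 for k in declared}
    names, offset, reason = [], 12, None
    try:
        for _ in range(qd):                     # question: NAME, QTYPE, QCLASS
            name, offset = _read_name(msg, offset)
            offset += 4
            if offset > len(msg):
                raise ValueError("truncated question")
            names.append(name)
            parsed["question"] += 1
        for section in ("answer", "authority", "additional"):
            for _ in range(declared[section]):  # RR: NAME, TYPE, CLASS, TTL, RDLENGTH, RDATA
                _name, offset = _read_name(msg, offset)
                if offset + 10 > len(msg):
                    raise ValueError("truncated RR fixed fields")
                rdlength = struct.unpack_from("!H", msg, offset + 8)[0]
                offset += 10 + rdlength
                if offset > len(msg):
                    raise ValueError("RDATA runs past end of message")
                parsed[section] += 1
    except ValueError as exc:
        reason = str(exc)
    else:
        if offset != len(msg):
            reason = "trailing bytes after last record"
    return {"qname": names[0] if names else None, "declared": declared,
            "parsed": parsed, "compliant": reason is None, "reason": reason}


def _encode_name(name: str) -> bytes:
    return b"".join(bytes([len(l)]) + l.encode("ascii")
                    for l in name.strip(".").split(".")) + b"\x00"


def build_response(qname: str, ancount: int, answers: list[bytes]) -> bytes:
    """Constructed A-record response; ancount may deliberately disagree with len(answers)."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, ancount, 0, 0)
    question = _encode_name(qname) + struct.pack("!HH", 1, 1)     # QTYPE A, IN
    body = b""
    for rdata in answers:                       # name = pointer to the question name
        body += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 30, len(rdata)) + rdata
    return header + question + body


# Constructed samples: a consistent response and one whose header overstates ANCOUNT.
GOOD = build_response("dns.msftncsi.com", 1, [bytes([192, 0, 2, 1])])
BAD = build_response("dns.msftncsi.com", 2, [bytes([192, 0, 2, 1])])

if __name__ == "__main__":
    for label, msg in (("good", GOOD), ("bad", BAD)):
        print(label, check_rr_counts(msg))
```

Running a capture's DNS payloads through a check like this tells you whether the drop is a genuinely malformed message (header/body disagreement, truncation, trailing bytes) or a well-formed message the IPS objects to for another reason, which is the distinction the Forensic Details view and Wireshark's bare "malformed packet" label leave open.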