MWG 7.8.1 DNS tunneling detection

Hi all.

We have two MWG 7.8.1 appliances in Central Management.

About one of them, today we got a Splunk alert:

Alert Title: 0001-INV-ENDPOINT: High entropy DNS requests

Trigger: Saved Search [0001-INV-ENDPOINT: High entropy DNS requests]: number of events (1)

Network location  Suspicious domain  Entropy  Source IP address  Number of requests
----------------------------------------------------------------------------
dotnxdomain.net  4.499397398459687  [mwg ip]  2

This can be a sign of DNS tunneling.

Is it possible to detect and block such activity by the regular means of a proxy server?
 
 
Accepted solution

Re: MWG 7.8.1 DNS tunneling detection

Hello @vvadim,

This alert can indicate that MWG made a lot of DNS queries resolving various subdomains of dotnxdomain.net.

dotnxdomain.net is not a malicious site.

I think it can be a false positive alert. Can you post your Splunk saved search here?

DNS tunneling is a way to transfer a payload or establish communication using the DNS protocol. MWG is a web proxy and cannot be used "as is" for DNS filtering. You can prevent clients from accessing this site, but this will not prevent DNS tunneling per se.
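To make concrete what an entropy-based "High entropy DNS requests" search measures, and why a burst of lookups for many subdomains of a non-malicious domain can trip it, here is an added example. It is not code from the original post, from MWG, or from Splunk. It assumes a constructed DNS query log in the form "<source_ip> <query_name>", treats the last two labels of a name as the registered domain (a real implementation would use the Public Suffix List), and uses hypothetical thresholds. It scores each (source, domain) pair twice: once with an entropy-only rule like the alert above, and once with a stricter rule that also requires long labels and several distinct subdomains, which is what an analyst would want before calling it tunneling.

```python
"""
Entropy-based DNS tunneling triage over a DNS query log.

Added example; not code from the original post, MWG or Splunk.
Log format (constructed for illustration): "<source_ip> <query_name>" per line.
"""
import math
from collections import Counter, defaultdict

# Thresholds are assumptions chosen for this example, not Splunk or MWG defaults.
ENTROPY_THRESHOLD = 3.5      # bits per character of the subdomain part
MIN_SUBDOMAIN_LEN = 24       # tunnels pack payload into long labels
MIN_UNIQUE_SUBDOMAINS = 3    # and need many distinct names to move data

# Constructed sample log (not real traffic):
#  10.0.0.5 ordinary hostnames
#  10.0.0.7 three long, high-entropy labels under one domain (tunnel-like)
#  10.0.0.9 two short hash-like labels (high entropy, but little data)
SAMPLE_LOG = """\
10.0.0.5 www.example.com
10.0.0.5 mail.example.com
10.0.0.7 0123456789abcdef0123456789abcdef.example.net
10.0.0.7 fedcba9876543210fedcba9876543210.example.net
10.0.0.7 0f1e2d3c4b5a69780f1e2d3c4b5a6978.example.net
10.0.0.9 a1b2c3d4e5f6.example.org
10.0.0.9 f6e5d4c3b2a1.example.org
"""


def shannon_entropy(text):
    """Shannon entropy in bits per character; 0.0 for empty input."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(query_name):
    """Return (subdomain labels joined without dots, registered domain).

    Simplification: the registered domain is the last two labels.
    """
    labels = query_name.rstrip(".").lower().split(".")
    if len(labels) < 2:
        return "", query_name.lower()
    return "".join(labels[:-2]), ".".join(labels[-2:])


def analyze(log_text):
    """Group queries by (source_ip, registered_domain) and score each group.

    Returns {(source_ip, registered_domain): stats}; 'high_entropy_only' is what
    an entropy-only search flags, 'suspicious' the stricter combined rule.
    """
    groups = defaultdict(lambda: {"queries": 0, "subdomains": set(),
                                  "max_entropy": 0.0, "max_subdomain_len": 0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue  # skip blank or malformed lines
        src, name = parts
        sub, reg = split_name(name)
        g = groups[(src, reg)]
        g["queries"] += 1
        g["subdomains"].add(sub)
        g["max_entropy"] = max(g["max_entropy"], shannon_entropy(sub))
        g["max_subdomain_len"] = max(g["max_subdomain_len"], len(sub))

    results = {}
    for key, g in groups.items():
        high_entropy = g["max_entropy"] >= ENTROPY_THRESHOLD
        results[key] = {
            "queries": g["queries"],
            "unique_subdomains": len(g["subdomains"]),
            "max_entropy": round(g["max_entropy"], 3),
            "max_subdomain_len": g["max_subdomain_len"],
            "high_entropy_only": high_entropy,
            "suspicious": (high_entropy
                           and g["max_subdomain_len"] >= MIN_SUBDOMAIN_LEN
                           and len(g["subdomains"]) >= MIN_UNIQUE_SUBDOMAINS),
        }
    return results


if __name__ == "__main__":
    for (src, reg), stats in sorted(analyze(SAMPLE_LOG).items()):
        print(src, reg, stats)
```

Run stand-alone, the 10.0.0.9 group is flagged by the entropy-only rule but not by the combined rule (two short labels carry almost no data), while the 10.0.0.7 group is flagged by both. The point of the second rule is not that entropy is useless but that, on its own, it cannot distinguish a tunnel from a client (or a proxy doing its own lookups) resolving a handful of hash-like hostnames.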

 

