1 Reply Latest reply on Jan 17, 2017 8:57 AM by asabban

    DNS Behavior on MWG using IPS

    matthew.stokes

      We recently installed an IPS system internally and I had a question about the way MWG does DNS queries. From looking at packet captures, it appears that MWG uses UDP and always uses the same source port for all DNS queries. Is this the default behavior, and is it possible to force it to randomize the source ports for DNS queries so that it will use a different source port for each request? The problem is that once the IPS sees a query for a name that fires an intrusion event, it effectively shuts down all return traffic to the MWG over that source port. Since it's UDP, the MWG doesn't know that it's been shut down and keeps sending DNS requests over the same port, which never get answered.
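One way to confirm the fixed-source-port behavior described in the post from a capture (an added example, not part of the original post): the script reads text in `tcpdump -nn` format and reports clients whose DNS queries all leave from a single UDP source port. The addresses, ports and hostnames in the sample are constructed, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in `tcpdump -nn udp port 53` text format (not from the post).
# 10.0.0.5 stands in for the proxy, 10.0.0.20 for an ordinary workstation.
SAMPLE = """\
10:00:01.000100 IP 10.0.0.5.32768 > 10.0.0.53.53: 4101+ A? example.com. (29)
10:00:01.004200 IP 10.0.0.53.53 > 10.0.0.5.32768: 4101 1/0/0 A 192.0.2.10 (45)
10:00:02.100300 IP 10.0.0.5.32768 > 10.0.0.53.53: 4102+ A? example.org. (29)
10:00:03.200400 IP 10.0.0.5.32768 > 10.0.0.53.53: 4103+ AAAA? example.net. (29)
10:00:04.300500 IP 10.0.0.5.32768 > 10.0.0.53.53: 4104+ A? example.edu. (29)
10:00:05.000600 IP 10.0.0.20.51544 > 10.0.0.53.53: 911+ A? example.com. (29)
10:00:06.000700 IP 10.0.0.20.40217 > 10.0.0.53.53: 912+ A? example.org. (29)
10:00:07.000800 IP 10.0.0.20.61003 > 10.0.0.53.53: 913+ A? example.net. (29)
"""

# Matches only queries: destination port must be 53. Responses (source port 53,
# destination an ephemeral port) do not match and are ignored.
QUERY_RE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"\d+\.\d+\.\d+\.\d+\.53: \d+"
)

def source_ports_by_client(capture_text):
    """Map each querying client IP to the list of UDP source ports it used."""
    ports = defaultdict(list)
    for line in capture_text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            ports[m["src"]].append(int(m["sport"]))
    return dict(ports)

def fixed_port_clients(capture_text, min_queries=3):
    """Return {client: port} for clients that sent at least min_queries
    DNS queries and used the same source port for every one of them."""
    fixed = {}
    for client, ports in source_ports_by_client(capture_text).items():
        if len(ports) >= min_queries and len(set(ports)) == 1:
            fixed[client] = ports[0]
    return fixed

if __name__ == "__main__":
    for client, port in fixed_port_clients(SAMPLE).items():
        print(f"{client}: all DNS queries sent from UDP source port {port}")
```
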