Compromised Hosts / DNS Servers

Author: Stuart Kendrick
2020/03/18 05:19:14

BRIEF
I'm poking around Compromised Hosts ... thus far, only my DNS servers are showing up
* Drilling in, I see uniformly that the Detect Method is 'infected-domain'
* What do other people do?  Do you just live with all your DNS servers topping the Compromised Hosts display?
 
DETAIL
Seems to me that this is a hard problem.  Yes, it is possible that malware living on the DNS servers is emitting DNS look-ups for malicious sites ... but ... more likely, the DNS servers are just forwarding requests from infected clients.  And, from a narrow FortiGate / FortiAnalyzer point of view, there isn't sufficient information to track down these clients.  So ... I would expect to see all my DNS servers on the Compromised Hosts list 7x24 ... and this isn't actionable information.
 
Since I'm not going to do anything about these entries, I would like to remove them from the list.  Is there a white-list feature?  I haven't found it.
 
--sk

    Dave Hall
    Re: Compromised Hosts / DNS Servers 2020/03/18 08:57:58
    If these compromised machines are behind a FortiGate router and the DNS server is in the same subnet, there is no way for the FGT to control internal network traffic - AFAIK the FGT can only control (i.e. restrict) traffic if it crosses over an interface.  So if the DNS server were located on a different subnet (and different interface) you could easily monitor DNS requests going over that interface (to the DNS server).
     
    That said, you may have better odds at resolving DNS issues from the DNS server side (e.g. traffic monitoring/logging, root hints info from client stations) - though I suggest limiting the use of DNS logging as it tends to bog down the server.  Also the use of Wireshark.
     
    Things you could do (in general) off the top of my head:
    - Limit DNS traffic going out to the Internet to approved DNS servers (e.g. Google DNS) - block all other DNS servers.
    - If using an internal DNS server - only allow that server's IPs to make outside DNS requests.
    - Make use of app sensors/IPS targeting DNS traffic (like proxying web traffic through port 53).
    - Remove (sourced from client workstations) root hints.

    NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
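One way to act on the suggestion above to work from the DNS server side, as an added example that is not code from the thread, from Fortinet, or from any poster: a Python script that takes the domain FortiAnalyzer reported under the 'infected-domain' Detect Method and searches the DNS server's own query log for the client that actually asked for it. It assumes the BIND 9 query-log line layout (a Windows/AD DNS debug log has a different layout, so only the regular expression would change); the log lines, addresses, domain names and resolver list are constructed for this example. A hit whose source is another of your own resolvers is flagged separately, because that is exactly the relaying problem the original post describes and the same search has to be repeated in that server's log.

```python
"""
Trace a FortiAnalyzer 'infected-domain' hit past the DNS server to the client
that actually sent the query, using the DNS server's own query log.

Added example, not code from the thread or from Fortinet. Assumes BIND 9
'queries' category log format; all log lines, addresses, domain names and
the resolver list are constructed for this example.
"""
import re
from dataclasses import dataclass, field
from ipaddress import ip_address

# BIND 9 query log entry. Newer releases insert 'client @0x<pointer>' before
# the source address; older ones do not, so that token is optional.
BIND_QUERY_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?:@0x[0-9a-fA-F]+ )?"
    r"(?P<src>[0-9a-fA-F:.]+)#(?P<port>\d+) \((?P<qname>[^)]*)\): query: "
    r"(?P<name>\S+) (?P<cls>\S+) (?P<type>\S+) "
)


def parse_query_line(line):
    """Parse one query log line; return a dict, or None if it is not a query entry."""
    m = BIND_QUERY_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["name"] = rec["name"].rstrip(".").lower()
    return rec


def matching_indicator(name, indicators):
    """Return the indicator that 'name' equals or is a subdomain of, else None."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in indicators:
            return candidate
    return None


@dataclass
class ClientHit:
    client: str
    domains: set = field(default_factory=set)  # names actually queried
    queries: int = 0
    first_seen: str = ""
    last_seen: str = ""
    is_resolver: bool = False  # one of our own DNS servers relaying for someone else


def find_clients(log_text, indicators, resolver_ips=()):
    """Map every source IP that queried an indicator domain to a ClientHit.

    resolver_ips are your own DNS servers/forwarders. A hit from one of them
    means that server is relaying a query for a client further upstream, so
    the same search has to be repeated in that server's own log.
    """
    indicators = {d.rstrip(".").lower() for d in indicators}
    resolvers = {str(ip_address(ip)) for ip in resolver_ips}
    hits = {}
    for line in log_text.splitlines():
        rec = parse_query_line(line)
        if rec is None or matching_indicator(rec["name"], indicators) is None:
            continue
        src = str(ip_address(rec["src"]))
        hit = hits.get(src)
        if hit is None:
            hit = hits[src] = ClientHit(client=src, first_seen=rec["ts"],
                                        is_resolver=src in resolvers)
        hit.domains.add(rec["name"])
        hit.queries += 1
        hit.last_seen = rec["ts"]
    return hits


# Constructed sample data: 10.0.0.53 is the DNS server whose log this is,
# 10.0.0.54 is a second internal resolver that forwards to it.
INDICATORS = {"evil-domain.example"}          # hypothetical, as reported by FortiAnalyzer
RESOLVERS = ["10.0.0.53", "10.0.0.54"]
SAMPLE_LOG = """\
18-Mar-2020 05:10:22.101 client @0x7f3a1c0b2d40 10.20.30.40#51234 (update.evil-domain.example): query: update.evil-domain.example IN A +E(0)K (10.0.0.53)
18-Mar-2020 05:10:22.230 client @0x7f3a1c0b2d40 10.20.31.7#49152 (www.fortinet.com): query: www.fortinet.com IN A +E(0)K (10.0.0.53)
18-Mar-2020 05:10:25.004 client @0x7f3a1c0b2d40 10.20.30.40#51240 (update.evil-domain.example): query: update.evil-domain.example IN AAAA +E(0)K (10.0.0.53)
18-Mar-2020 05:10:31.577 client 10.20.30.41#55000 (c2.evil-domain.example): query: c2.evil-domain.example IN A + (10.0.0.53)
18-Mar-2020 05:10:40.312 client @0x7f3a1c0b2d40 10.0.0.54#33001 (update.evil-domain.example): query: update.evil-domain.example IN A -E(0) (10.0.0.53)
18-Mar-2020 05:10:45.900 client @0x7f3a1c0b2d40 10.20.30.40#51241 (intranet.corp.example): query: intranet.corp.example IN A +E(0)K (10.0.0.53)
18-Mar-2020 05:10:46.000 general: info: zone corp.example/IN: loaded serial 2020031801
"""


def report(log_text=SAMPLE_LOG, indicators=INDICATORS, resolver_ips=RESOLVERS):
    """Print one line per offending client and return the hit map for reuse."""
    hits = find_clients(log_text, indicators, resolver_ips)
    for hit in sorted(hits.values(), key=lambda h: (h.is_resolver, h.client)):
        note = "  <- resolver: repeat the search in that server's log" if hit.is_resolver else ""
        print(f"{hit.client:15} {hit.queries:3} queries {hit.first_seen} .. {hit.last_seen}  "
              f"{', '.join(sorted(hit.domains))}{note}")
    return hits


if __name__ == "__main__":
    report()
```

Matching is done on the queried name and every parent suffix, so an indicator of `evil-domain.example` also catches `update.evil-domain.example`; the AAAA follow-up from the same client is counted as a second query rather than a second client. Query logging does cost the server, as the reply notes, so enable it only for the window in which FortiAnalyzer is reporting the hit and turn it off again afterwards.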

    Eric Schmidt
    Re: Compromised Hosts / DNS Servers 2021/05/03 11:34:45
    Did you ever find a solution?  With AD integration the DNS always gets pegged as the compromised host.  At first I had the FortiGate disable the port of the compromised host, which in effect shut down the whole network, so now I just have it email alert me.
     
    I've started enabling the FortiGate as the DNS server for my VLANs and using Zone Transfer from the AD/DNS to the FortiGate.  That way the FortiGate is used for the DNS lookup and only sends requests to the AD/DNS when it's outside of the A and CNAME records.  Mostly works; infrequently I have a client that has issues authenticating.  Haven't narrowed down why yet.