I am noticing that my firewall keeps sending DNS requests to 1.1.1.1:53. The domain it keeps querying is config.amcrestcloud.com. This is probably from my cameras originally. But to test things out I disabled all Amcrest cameras and the DNS requests keep going, every few seconds, and do not stop.
__timestamp__ May 2 01:38:11
action [pass]
anchorname
datalen 49
dir [out]
dst 1.1.1.1 [one.one.one.one]
dstport 53
ecn
id 51000
interface bge1
ipflags DF
label let out anything from firewall host itself (force gw)
length 69
offset 0
proto 17
protoname udp
reason match
rid b982490a613ebfd2d24f6162e719143b
ridentifier 0
rulenr 83
src MY FIREWALL
srcport 45417
subrulenr
tos 0x0
ttl 63
version 4
Any suggestions? Rebooted a few times. I attached an ntopng screenshot. I can see the DNS request also on here.
Why don't you try a tcpdump and check if these queries are still being generated by a device in your network?
tcpdump -i eth0 udp port 53 (could be a stricter filter if needed)
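An added example, not part of the original post: one way to turn that capture into a per-client tally, so the device behind the forwarded queries stands out. The function names and the sample lines are constructed for illustration, and the parsing assumes tcpdump's default one-line text output with -n.

```shell
#!/bin/sh
# Tally which source addresses ask for a given name, from tcpdump text output.
# Live use on the LAN side (interface name taken from the post above):
#   tcpdump -l -n -i eth0 -c 500 udp port 53 | count_dns_clients config.amcrestcloud.com

# count_dns_clients DOMAIN  (hypothetical helper; reads tcpdump lines on stdin)
count_dns_clients() {
    domain="$1"
    awk -v d="$domain." '
        # Query line: TIME IP SRC.PORT > DST.53: ID+ TYPE? name. (len)
        ($2 == "IP" || $2 == "IP6") && $4 == ">" && $5 ~ /\.53:$/ {
            for (i = 6; i < NF; i++) {
                # "A?", "AAAA?" etc. is followed by the queried name
                if ($i ~ /\?$/ && tolower($(i + 1)) == tolower(d)) {
                    src = $3
                    sub(/\.[0-9]+$/, "", src)   # drop the source port
                    count[src]++
                    break
                }
            }
        }
        END { for (s in count) print count[s], s }
    ' | sort -rn
}

# Constructed sample capture (addresses and ports are made up).
sample_capture() {
    cat <<'EOF'
01:38:11.100001 IP 192.168.1.50.40112 > 192.168.1.1.53: 51000+ A? config.amcrestcloud.com. (41)
01:38:11.120000 IP 192.168.1.1.53 > 192.168.1.50.40112: 51000 1/0/0 A 203.0.113.10 (57)
01:38:14.100002 IP 192.168.1.50.40113 > 192.168.1.1.53: 51001+ AAAA? Config.AmcrestCloud.com. (41)
01:38:15.300000 IP 192.168.1.23.53211 > 192.168.1.1.53: 7001+ A? example.org. (29)
01:38:17.100003 IP 192.168.1.50.40114 > 192.168.1.1.53: 51002+ A? config.amcrestcloud.com. (41)
01:38:18.400000 IP 192.168.1.23.53212 > 192.168.1.1.53: 7002+ A? config.amcrestcloud.com. (41)
EOF
}

# Busiest client first: "<queries> <source address>"
sample_capture | count_dns_clients config.amcrestcloud.com
```

Capturing on the LAN-facing interface matters here: a firewall that forwards DNS for its clients re-sends their queries upstream from its own address, which is why the firewall log only ever shows the firewall as the source.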
Problem solved. Found the device using tcpdump. Corrected the problem and DNS requests stopped. Thank you.
Good to know, good job :)