Zenarmor (Sensei) / Malformed Dns Packet
« on: December 29, 2023, 01:42:16 pm »
I'm really liking the 1.16 update thus far.
One observation from my network is that a significant chunk of what I believe to be mDNS traffic (port 5353) from mostly Apple devices is being flagged as a threat - Malformed Dns Packet. The good thing is that even with the Malformed Dns Packet advanced security policy enabled, it isn't blocked. But it is pushing the threat numbers up significantly, so there are more false positives to filter through.
There does seem to be a pattern. I'm running an mDNS repeater on the OPNsense so that wireless devices can see the wired printer for AirPrint. So, a majority of the wireless devices aren't flagged as Malformed Dns Packet but properly as mDNS, as they are connecting with mdns.mcast.net (224.0.0.251) on my network. Occasionally, an Apple TV over wireless is flagged as malformed when it sends port 5353 packets to the gateway on OPNsense. However, what triggers the threat most are the wired devices such as my Macbook (when wired in), my Synology (wired), or my Denon receiver (wired), as they are sending frequent port 5353 packets to the gateway on OPNsense. Conversely, the wired printer doesn't do this but mostly sends to mdns.mcast.net (224.0.0.251).
Not a big deal, but I'm wondering if there's any way for this type of mDNS traffic to not be labelled as "Malformed Dns Packets"? I would think all that's needed is to filter out the port 5353 traffic. I'm not aware of that being used for normal DNS.
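An added example, not code from the post above and not Zenarmor's own parser, showing why an mDNS query can look "malformed" to a unicast-DNS parser and how a classifier can tell the two apart before judging. mDNS (RFC 6762) reuses the DNS wire format but sets the top bit of QCLASS as the "unicast response" (QU) flag and the top bit of a record class as the "cache flush" flag, so a parser that insists on QCLASS == IN rejects a perfectly normal AirPrint query for `_ipp._tcp.local`. The classifier below treats any packet with port 5353 on either side as mDNS (which also covers the wired-host-to-gateway case the post describes), masks that bit off before validating, and separates multicast-destination from unicast-destination mDNS. The packets, host addresses and the `VALID_CLASSES` set are constructed here for the example; how Zenarmor actually decides "Malformed Dns Packet" is not known from the post.

```python
"""
Added example (not from the forum post or from Zenarmor): classify one UDP
DNS payload as unicast DNS, mDNS, or malformed, honouring mDNS-only header bits.
All sample packets and addresses below are constructed for this example.
"""
import ipaddress
import struct

MDNS_PORT = 5353
MDNS_GROUPS = {ipaddress.ip_address("224.0.0.251"), ipaddress.ip_address("ff02::fb")}
# RFC 6762 s.5.4 / s.10.2: top bit of QCLASS is the QU flag, top bit of an RR
# class is the cache-flush flag. Neither is meaningful in unicast DNS.
MDNS_TOP_BIT = 0x8000
VALID_CLASSES = {1, 255}  # IN and ANY (assumption: CH/HS omitted for brevity)
QTYPE_PTR = 12


def encode_name(name):
    """Encode a dotted name as uncompressed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname, qclass, txid=0x1234):
    """Build a one-question PTR query (mDNS normally uses txid 0)."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", QTYPE_PTR, qclass)


def decode_name(buf, offset):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, jumped, hops = [], offset, False, 0
    while True:
        if offset >= len(buf):
            raise ValueError("name runs past end of packet")
        length = buf[offset]
        if length & 0xC0 == 0xC0:  # compression pointer
            if offset + 1 >= len(buf):
                raise ValueError("truncated compression pointer")
            pointer = struct.unpack("!H", buf[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, hops, offset = True, hops + 1, pointer
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            break
        if offset + length > len(buf):
            raise ValueError("truncated label")
        labels.append(buf[offset:offset + length].decode("ascii"))
        offset += length
    if not jumped:
        end = offset
    return ".".join(labels), end


def parse_questions(payload):
    """Parse header and question section; raise ValueError on structural errors."""
    if len(payload) < 12:
        raise ValueError("short header")
    txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", payload[:12])
    offset, questions = 12, []
    for _ in range(qdcount):
        name, offset = decode_name(payload, offset)
        if offset + 4 > len(payload):
            raise ValueError("truncated question")
        qtype, qclass = struct.unpack("!HH", payload[offset:offset + 4])
        offset += 4
        questions.append((name, qtype, qclass))
    return {"id": txid, "flags": flags, "questions": questions}


def classify(src_port, dst_port, dst_ip, payload):
    """Return 'mdns-multicast', 'mdns-unicast', 'dns' or 'malformed'."""
    mdns = MDNS_PORT in (src_port, dst_port)
    try:
        msg = parse_questions(payload)
    except ValueError:
        return "malformed"
    for _name, _qtype, qclass in msg["questions"]:
        if mdns:
            qclass &= 0x7FFF  # QU bit is legal in mDNS: drop it before validating
        if qclass not in VALID_CLASSES:
            return "malformed"
    if not mdns:
        return "dns"
    return "mdns-multicast" if ipaddress.ip_address(dst_ip) in MDNS_GROUPS else "mdns-unicast"


# Constructed samples: an AirPrint browse with the QU bit set, and a plain query.
AIRPRINT_QU = build_query("_ipp._tcp.local", 1 | MDNS_TOP_BIT, txid=0)
PLAIN_QUERY = build_query("example.com", 1)

if __name__ == "__main__":
    for args in [(5353, 5353, "224.0.0.251", AIRPRINT_QU),
                 (5353, 5353, "192.168.1.1", AIRPRINT_QU),   # wired host -> gateway
                 (40000, 53, "192.168.1.1", AIRPRINT_QU),    # same bytes on port 53
                 (40000, 53, "8.8.8.8", PLAIN_QUERY),
                 (5353, 5353, "224.0.0.251", AIRPRINT_QU[:20])]:
        print(args[:3], classify(*args))
```

The third sample is the instructive one: the identical bytes that are a valid mDNS query on port 5353 are rejected as malformed when seen on port 53, which is the behaviour a unicast-only DNS parser applies to everything. Deciding by port before validating class bits is the filter the post asks for; a parser that wants to be strict about mDNS as well can additionally require the multicast source port 5353 for multicast-destination queries, as RFC 6762 does, while still accepting the unicast-destination case.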