Constant DNS request from firewall

Started by deputycag, May 02, 2020, 07:40:00 AM

May 02, 2020, 07:40:00 AM Last Edit: May 02, 2020, 07:45:37 AM by deputycag
I am noticing that my firewall keeps sending DNS requests to 1.1.1.1:53. The domain it keeps sending is config.amcrestcloud.com. This is probably from my cameras originally. But to test things out I disabled all Amcrest cameras and the DNS keeps going, every few seconds, and does not stop.

__timestamp__   May 2 01:38:11
action    [pass]
anchorname   
datalen   49
dir    [out]
dst    1.1.1.1 [one.one.one.one]
dstport   53
ecn   
id   51000
interface   bge1
ipflags   DF
label   let out anything from firewall host itself (force gw)
length   69
offset   0
proto   17
protoname   udp
reason   match
rid   b982490a613ebfd2d24f6162e719143b
ridentifier   0
rulenr   83
src    MY FIREWALL
srcport   45417
subrulenr   
tos   0x0
ttl   63
version   4

Any suggestions? Rebooted a few times. I attached an ntopng screenshot. I can see the DNS request on here also.



Why don't you try a tcpdump and check if these queries are still being generated by a device in your network?

tcpdump -i eth0 udp port 53  (could be a stricter filter if needed)

Problem solved. Found the device using tcpdump. Corrected the problem and DNS requests stopped. Thank you.
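
Added example, not part of the original thread: one way to turn the tcpdump capture suggested above into a ranked list of LAN clients asking for a given name, which is how the device behind the firewall's forwarded queries can be identified. It assumes the capture is taken with `-n` on the LAN-side interface and that the firewall forwards client lookups upstream; the function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Rank LAN clients by how often they query one domain.
# Input : text output of `tcpdump -n ... udp port 53` on stdin.
# Output: "<count> <client-ip>" lines, busiest client first.

dns_sources() {
    domain=$1
    awk -v want="$domain." '
        BEGIN { want = tolower(want) }
        # Query lines look like:
        #   HH:MM:SS.us IP src.sport > dst.53: id+ A? name. (len)
        ($2 == "IP" || $2 == "IP6") && $4 == ">" && $5 ~ /\.53:$/ {
            for (i = 6; i < NF; i++) {
                # A record type followed by "?" marks the question (A?, AAAA?, ...)
                if ($i ~ /^[A-Z0-9]+\?$/ && tolower($(i + 1)) == want) {
                    src = $3
                    sub(/\.[0-9]+$/, "", src)   # strip the source port
                    hits[src]++
                }
            }
        }
        END { for (s in hits) print hits[s], s }
    ' | sort -k1,1nr -k2,2
}

# Constructed sample capture (addresses and ids are made up).
sample_capture() {
    cat <<'EOF'
01:38:11.100001 IP 192.168.1.50.45417 > 192.168.1.1.53: 51000+ A? config.amcrestcloud.com. (41)
01:38:11.120300 IP 192.168.1.1.53 > 192.168.1.50.45417: 51000 1/0/0 A 203.0.113.10 (57)
01:38:14.100500 IP 192.168.1.50.45418 > 192.168.1.1.53: 51001+ A? config.amcrestcloud.com. (41)
01:38:15.000000 IP 192.168.1.23.50211 > 192.168.1.1.53: 1201+ AAAA? example.org. (29)
01:38:17.101000 IP 192.168.1.50.45419 > 192.168.1.1.53: 51002+ [1au] A? Config.AmcrestCloud.com. (52)
01:38:18.000000 IP 192.168.1.77.40000 > 192.168.1.1.53: 77+ A? config.amcrestcloud.com. (41)
EOF
}

# Offline demonstration on the constructed sample.
sample_capture | dns_sources config.amcrestcloud.com

# Live use (interface name is a placeholder; -c bounds the capture so the pipe ends):
#   tcpdump -n -c 500 -i <lan-interface> udp port 53 | dns_sources config.amcrestcloud.com
```

The IP with the highest count can then be matched against the DHCP leases or ARP table to name the device.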