IDS alerts

[pankaj]

Current configuration:
- OPNSense 21.7.4
- Running Unbound DNS
- Running Intrusion Detection Service

I noticed following alerts in IDS, the IP (192.168.1.35) belongs to a NAS that is configured to use 192.168.1.1 as the DNS.

Code: [Select]

2021-11-08T09:47:41.029781-0800 2027757 blocked 192.168.1.35 50944 192.168.1.1 53 ET DNS Query for .to TLD
2021-11-08T09:47:41.029781-0800 2027757 blocked 192.168.1.35 50944 192.168.1.1 53 ET DNS Query for .to TLD
2021-11-08T09:47:37.591896-0800 2027757 blocked 192.168.1.35 50944 192.168.1.1 53 ET DNS Query for .to TLD
2021-11-08T09:47:37.591896-0800 2027757 blocked 192.168.1.35 50944 192.168.1.1 53 ET DNS Query for .to TLD
2021-11-08T09:47:37.591836-0800 2027757 blocked 192.168.1.35 50944 192.168.1.1 53 ET DNS Query for .to TLD
2021-11-08T09:47:37.591836-0800 2027757 blocked 192.168.1.35 50944 192.168.1.1 53 ET DNS Query for .to TLD
2021-11-08T09:47:37.591558-0800 2027757 blocked 192.168.1.35 52757 192.168.1.1 53 ET DNS Query for .to TLD
2021-11-08T09:47:37.591558-0800 2027757 blocked 192.168.1.35 52757 192.168.1.1 53 ET DNS Query for .to TLD
2021-11-08T09:47:37.591405-0800 2027757 blocked 192.168.1.35 52757 192.168.1.1 53 ET DNS Query for .to TLD
2021-11-08T09:47:37.591405-0800 2027757 blocked 192.168.1.35 52757 192.168.1.1 53 ET DNS Query for .to TLD

Few questions:

1. What do these alerts mean?
2. And why are these getting blocked?
3. If it is harmless does it make sense to suppress these alerts as there may be other alerts that are more important but getting buried under these logs?

Thanks.

[chemlud]

see e.g. here

https://doc.emergingthreats.net/bin/view/Main/2027757

https://en.wikipedia.org/wiki/.to

If you have a look at the alerts in the GUI and press on "Info" you can see the package blocked, containing the .to domain getting resolved by yout NAS.

I see there e.g. easylist.to

[pankaj]

Thanks Chemlud for the links and understand why .to domain is a can of worms!

I did find more info (see attached) and seems like NAS is making this request.

Its a Synology NAS and I do not recall adding anything on it that would require it to reach out to .to domain.

Does this sound like a problem on NAS or am I overthinking this alert?

[chemlud]

If you have a look at the alerts in the GUI and press on "Info" you can see the package blocked, containing the .to domain getting resolved by yout NAS.

Post here!

[Northguy]

Thanks Chemlud for the links and understand why .to domain is a can of worms!

I did find more info (see attached) and seems like NAS is making this request.

Its a Synology NAS and I do not recall adding anything on it that would require it to reach out to .to domain.

Does this sound like a problem on NAS or am I overthinking this alert?

Synology is using http://quickconnect.to for remote access. See their knowledgebase for more info. https://kb.synology.com/nl-nl/DSM/help/DSM/AdminCenter/connection_quickconnect?version=6

[pankaj]

So I had to enable the "log package paylod" in the settings and now for each alert I am also seeing extra information in the payload and found two URLS ending in .to!


And also found this information which seems like a built in feature for convenience and the root cause of these alerts 

"Synology QuickConnect allows you to access your Synology NAS anytime, anywhere, from any device and browser, without having to set up port forwarding and ..."

These alerts seems harmless, is there a way to not make these show up in alerts tab?

[chemlud]

I do not consider it harmless when a LAN device (storing my data) starts trying to phone home and thereby breaks my firewall. Just saying...