BotNet Filter and OpenDNS

Benjamin Story — Mon, 11 Mar 2019 17:19:39 GMT

We are running a trial of the ASA 8.2 BotNet Filter on our production ASA. In the alerts we keep getting notices of a Very High alert for 208.69.36.132. When we look it up we end up seeing that it resolves as hit-nxdomain.opendns.com. Our hunch is that this is traffic that would have been malicious, but that since we use OpenDNS to do some filtering it's returning its own address.

Anyone else ran into this?

Thanks,

Ben

Re: BotNet Filter and OpenDNS

Panos Kampanakis — Wed, 10 Mar 2010 21:46:53 GMT

Yes.

If you are using opendns and you have your bots dns-ing out to it for some bad sites that opendns doesn't know it will send back its own ip (and then show you its "block/don't know" page). When the ASA sees that ip it flags it for the url that the dns went out for and thus open dns will be flagged as malicious. There is not much hope if you use open dns because whenever a bot accesses a site that open dns doesn't know it will be flagged and blocked which will then block your open dns.

I hope it helps.

topic BotNet Filter and OpenDNS in Network Security

BotNet Filter and OpenDNS

Re: BotNet Filter and OpenDNS