DNS List and SBRS None, One or the other

kbrown.it
Level 1

I am trying to set up DNS Lists to do a DNS Blocklist in IronPort. An issue I keep running into is that some of the IPs that are on the DNS Blocklist keep coming up with "sbrs[none] SBRS None". It appears that it is one or the other with the SBRS and the DNS List (meaning either match the SBRS or the DNS List), so if it doesn't have an SBRS it will not do the DNS Blocklist check and ends up hitting UNKNOWNLIST (which has a check box checked for None under SBRS). If I check that under the BLACKLIST, or a new one I created without any SBRS numbers listed, it will block all of the SBRS None senders without even checking them against the Blocklist. Is there a way to force the IronPort to check the DNS List and continue to the next rule if it is not listed, even if the site has an SBRS of None?

 

We are running a C100V on Version 10.0.3-004. Our DNS servers are internal and look to the root DNS servers.

18 Replies

Since we switched to root DNS servers, I saw that some of the queries got blocked in our firewall due to a country block rule (a rule our Security Analyst demanded we put in). I moved the DNS rule for the IronPort higher than that, so as long as it is going out for DNS it can go anywhere. I did a pcap at that point from the firewall and it looks to be running fine (I didn't see anything that indicated an issue). I also see the Block List being hit even without an SBRS (on my DNSBL rule), which is good. Although I had one that hit 5 times at the same time, then the 6th time (about 5 minutes later) it was blocked by the Block List. I am guessing it just got added to the list at that point.

 

I still see the invalid DNS responses in the System Logs, but I don't see any blocks in our firewall for DNS. They seem to be repeating DNS servers, for the most part. Running some tests from my computer, it appears the query is being refused or the server failed. As far as I know, there isn't much I can really do about that.

Hey Kbrown.it,

Yes, there will be some DNS lookups that either get a connection refused due to ServFail or an actual ServFail malformed-type response, as you're seeing there. For the most part though, are the DNSBL matches still seeing the recurring issues of not properly matching, or of SBRS returning as none despite having an SBRS score, at this stage?

Thanks,

Matthew


It seems like things are working with the DNS List for the most part. I still get some without an SBRS, and when I do a trace on them they come up with an SBRS (normally one that would hit in the BLACKLIST), but the DNS List seems to be catching them as long as they are on the black list.

 

Our Security Analysts are still complaining about emails coming through that end up on the black list. The issue is, we do not know when it got on the black list. Sometime between the user getting spam emails and reporting it, it tends to end up on a black list. I can see this in the logs when it comes in 5 times, but the 6th time is blocked by the list (generally they don't have an SBRS listed in the log, but a trace shows an SBRS). I have also seen Connection Timed Out with some of them as well. Below is an example (although they didn't try again once they were on the block list).

 

Thu May 10 10:17:32 2018 Info: New SMTP ICID 3783968 interface Public (172.xxxx.xxxx.xxx) address 23.254.140.108 reverse dns host inspiration.inspireddemotour.com verified yes
Thu May 10 10:17:32 2018 Info: ICID 3783968 ACCEPT SG None match ALL SBRS None
Thu May 10 10:17:35 2018 Info: New SMTP ICID 3783970 interface Public (172.xxxx.xxxx.xxx) address 23.254.140.108 reverse dns host inspiration.inspireddemotour.com verified yes
Thu May 10 10:17:35 2018 Info: ICID 3783970 ACCEPT SG None match ALL SBRS None
Thu May 10 10:18:37 2018 Info: Connection Error: DCID 2277201 domain: inspireddemotour.com IP: 23.254.140.108 port: 25 details: timeout interface: 172.xxxx.xxxx.xxx reason: connection timed out
Thu May 10 10:18:41 2018 Info: New SMTP ICID 3783984 interface Public (172.xxxx.xxxx.xxx) address 23.254.140.108 reverse dns host inspiration.inspireddemotour.com verified yes
Thu May 10 10:18:41 2018 Info: ICID 3783984 ACCEPT SG None match ALL SBRS None
Thu May 10 10:19:08 2018 Info: New SMTP ICID 3783987 interface Public (172.xxxx.xxxx.xxx) address 23.254.140.108 reverse dns host inspiration.inspireddemotour.com verified yes
Thu May 10 10:19:08 2018 Info: ICID 3783987 ACCEPT SG None match ALL SBRS None
Thu May 10 10:19:09 2018 Info: New SMTP ICID 3783988 interface Public (172.xxxx.xxxx.xxx) address 23.254.140.108 reverse dns host inspiration.inspireddemotour.com verified yes
Thu May 10 10:19:09 2018 Info: ICID 3783988 ACCEPT SG None match ALL SBRS None
Thu May 10 10:20:37 2018 Info: Connection Error: DCID 2277212 domain: inspireddemotour.com IP: 23.254.140.108 port: 25 details: timeout interface: 172.xxxx.xxxx.xxx reason: connection timed out
Thu May 10 10:25:37 2018 Info: Connection Error: DCID 2277239 domain: inspireddemotour.com IP: 23.254.140.108 port: 25 details: timeout interface: 172.xxxx.xxxx.xxx reason: connection timed out
Thu May 10 10:40:39 2018 Info: Connection Error: DCID 2277328 domain: inspireddemotour.com IP: 23.254.140.108 port: 25 details: timeout interface: 172.xxxx.xxxx.xxx reason: connection timed out

Thu May 10 11:25:43 2018 Info: Connection Error: DCID 2277544 domain: inspireddemotour.com IP: 23.254.140.108 port: 25 details: timeout interface: 172.xxxx.xxxx.xxx reason: connection timed out

 

The trace shows it has an SBRS of -7.6, and I did the trace around 11 AM. Again, I don't know when it might have made it onto the black list, or if they have had an SBRS of -7.6 for a while and for some reason we are unable to retrieve it. I might have to open a ticket with Cisco to see why we are having issues with SBRS retrieval.
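The pattern described in this post (a sender accepted several times with "SBRS None", then rejected once the list catches up) is easy to miss when reading mail_logs by hand. The following script is an added example, not code from the original thread or from Cisco: it pairs each "New SMTP ICID" line with its verdict line, counts ACCEPT verdicts per source IP where the reputation lookup returned None, and builds the reversed-octet name you would query to re-check such an IP against a DNSBL yourself. The ACCEPT lines are the ones quoted above; the final REJECT pair, the DNSBL zone "bl.example.net", and the dnslist[...] match text are constructed for illustration and the threshold of 3 accepts is an arbitrary choice.

```python
import re
from collections import defaultdict

# Sample log: the ICID lines quoted in the post above, plus one CONSTRUCTED
# pair (ICID 3783999) whose REJECT verdict and dnslist[...] match text are
# illustrative only and were not taken from the page.
SAMPLE_LOG = """\
Thu May 10 10:17:32 2018 Info: New SMTP ICID 3783968 interface Public (172.xxxx.xxxx.xxx) address 23.254.140.108 reverse dns host inspiration.inspireddemotour.com verified yes
Thu May 10 10:17:32 2018 Info: ICID 3783968 ACCEPT SG None match ALL SBRS None
Thu May 10 10:17:35 2018 Info: New SMTP ICID 3783970 interface Public (172.xxxx.xxxx.xxx) address 23.254.140.108 reverse dns host inspiration.inspireddemotour.com verified yes
Thu May 10 10:17:35 2018 Info: ICID 3783970 ACCEPT SG None match ALL SBRS None
Thu May 10 10:18:37 2018 Info: Connection Error: DCID 2277201 domain: inspireddemotour.com IP: 23.254.140.108 port: 25 details: timeout interface: 172.xxxx.xxxx.xxx reason: connection timed out
Thu May 10 10:18:41 2018 Info: New SMTP ICID 3783984 interface Public (172.xxxx.xxxx.xxx) address 23.254.140.108 reverse dns host inspiration.inspireddemotour.com verified yes
Thu May 10 10:18:41 2018 Info: ICID 3783984 ACCEPT SG None match ALL SBRS None
Thu May 10 10:19:08 2018 Info: New SMTP ICID 3783987 interface Public (172.xxxx.xxxx.xxx) address 23.254.140.108 reverse dns host inspiration.inspireddemotour.com verified yes
Thu May 10 10:19:08 2018 Info: ICID 3783987 ACCEPT SG None match ALL SBRS None
Thu May 10 10:19:09 2018 Info: New SMTP ICID 3783988 interface Public (172.xxxx.xxxx.xxx) address 23.254.140.108 reverse dns host inspiration.inspireddemotour.com verified yes
Thu May 10 10:19:09 2018 Info: ICID 3783988 ACCEPT SG None match ALL SBRS None
Thu May 10 10:25:00 2018 Info: New SMTP ICID 3783999 interface Public (172.xxxx.xxxx.xxx) address 23.254.140.108 reverse dns host inspiration.inspireddemotour.com verified yes
Thu May 10 10:25:00 2018 Info: ICID 3783999 REJECT SG BLACKLIST match dnslist[bl.example.net] SBRS None
"""

# Connection-open line: carries the ICID, source IP and reverse-DNS result.
NEW_ICID_RE = re.compile(
    r"New SMTP ICID (?P<icid>\d+) interface \S+ \([^)]*\) address (?P<ip>[\d.]+)"
    r" reverse dns host (?P<rdns>\S+) verified (?P<verified>\S+)"
)
# Verdict line: HAT action, sender group, the rule that matched, and the SBRS value.
VERDICT_RE = re.compile(
    r"ICID (?P<icid>\d+) (?P<action>[A-Z]+) SG (?P<sg>\S+) match (?P<rule>\S+) SBRS (?P<sbrs>\S+)"
)


def parse_icid_events(log_text):
    """Join each connection-open line with its verdict line, keyed by ICID.
    Lines that are neither (Connection Error, etc.) are ignored."""
    by_icid = {}
    events = []
    for line in log_text.splitlines():
        m = NEW_ICID_RE.search(line)
        if m:
            by_icid[m["icid"]] = m.groupdict()
            continue
        m = VERDICT_RE.search(line)
        if m:
            ev = dict(by_icid.get(m["icid"], {"icid": m["icid"], "ip": None, "rdns": None, "verified": None}))
            ev.update(action=m["action"], sg=m["sg"], rule=m["rule"], sbrs=m["sbrs"])
            events.append(ev)
    return events


def accepted_with_no_sbrs(events):
    """Count ACCEPT verdicts per source IP where the reputation lookup returned None."""
    counts = defaultdict(int)
    for ev in events:
        if ev["action"] == "ACCEPT" and ev["sbrs"] == "None" and ev["ip"]:
            counts[ev["ip"]] += 1
    return dict(counts)


def suspicious_senders(events, threshold=3):
    """IPs accepted with SBRS None at least `threshold` times (threshold is arbitrary):
    candidates to re-check with a DNSBL query and with the appliance's trace tool."""
    return sorted(ip for ip, n in accepted_with_no_sbrs(events).items() if n >= threshold)


def verdict_history(events):
    """Per-IP list of (icid, action, sender group, matched rule), in log order,
    so an 'accepted five times, rejected the sixth' sequence is visible at a glance."""
    hist = defaultdict(list)
    for ev in events:
        if ev["ip"]:
            hist[ev["ip"]].append((ev["icid"], ev["action"], ev["sg"], ev["rule"]))
    return dict(hist)


def dnsbl_query_name(ip, zone):
    """Build the reversed-octet name a DNSBL lookup uses: 23.254.140.108 in zone
    bl.example.net becomes 108.140.254.23.bl.example.net (zone is a placeholder)."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip}")
    return ".".join(reversed(octets)) + "." + zone.strip(".")


if __name__ == "__main__":
    evs = parse_icid_events(SAMPLE_LOG)
    for ip in suspicious_senders(evs):
        print(ip, "accepted with SBRS None", accepted_with_no_sbrs(evs)[ip], "times;",
              "re-check via", dnsbl_query_name(ip, "bl.example.net"))
        for entry in verdict_history(evs)[ip]:
            print("   ", entry)
```

Run it against a real mail_logs extract (`grep -E 'New SMTP ICID|ICID [0-9]+ (ACCEPT|REJECT)'` narrows the input) and the output lists every source IP that was let through without a reputation score more than the threshold number of times, together with the exact name to hand to `dig` or `nslookup` for a manual DNSBL check; a DNSBL "listed" answer for an IP the appliance accepted with "SBRS None" is the evidence worth attaching to a TAC case.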

Hey Kbrown.it,

Yes, this seems to be a further underlying issue if the SBRS score is not being displayed and is coming up as none despite the trace showing that.

The fact that it was -7.3 even before your trace verification ... but engaging Cisco TAC would most definitely be a good step to diagnosing this further with you.

I suspect they'll run a packet capture on the DNS port to monitor/review the results we're seeing.

Regards,

Mathew