
BotNet Filter and OpenDNS

Benjamin Story
Level 5

We are running a trial of the ASA 8.2 BotNet Filter on our production ASA.  In the alerts we keep getting notices of a Very High alert for 208.69.36.132.  When we look it up we end up seeing that it resolves as hit-nxdomain.opendns.com.  Our hunch is that this is traffic that would have been malicious, but that since we use OpenDNS to do some filtering it's returning its own address.

Anyone else run into this?

Thanks,

Ben

1 Reply

Panos Kampanakis
Cisco Employee

Yes.

If you are using OpenDNS and you have your bots DNS-ing out to it for some bad sites that OpenDNS doesn't know, it will send back its own IP (and then show you its "block/don't know" page). When the ASA sees that IP, it flags it for the URL that the DNS went out for, and thus OpenDNS will be flagged as malicious. There is not much hope if you use OpenDNS, because whenever a bot accesses a site that OpenDNS doesn't know, it will be flagged and blocked, which will then block your OpenDNS.

I hope it helps.

PK
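
An added example, not part of the original thread and not Cisco or OpenDNS code: one way to triage these alerts is to treat 208.69.36.132 as a resolver placeholder and pivot on the internal client and the domain it asked for. The CSV layout, client addresses and domain names are constructed for illustration and are not ASA log output.

```python
"""Triage Botnet Filter alerts whose flagged IP is a DNS resolver's placeholder answer."""
import csv
import io
from collections import defaultdict

# From the thread: the address that resolves to hit-nxdomain.opendns.com.
PLACEHOLDER_IPS = {"208.69.36.132"}

# Constructed sample export (hypothetical column layout, not ASA syslog format):
# internal client, flagged destination IP, domain the DNS query was for.
SAMPLE_ALERTS = """\
client,flagged_ip,queried_domain
10.1.1.45,208.69.36.132,bad-domain-one.example
10.1.1.45,208.69.36.132,bad-domain-two.example
10.1.1.77,208.69.36.132,bad-domain-one.example
10.1.1.90,203.0.113.10,bad-domain-three.example
"""


def triage(alert_csv, placeholder_ips=PLACEHOLDER_IPS):
    """Return (placeholder hits grouped by client, alerts on any other IP)."""
    by_client = defaultdict(set)
    direct = []
    for row in csv.DictReader(io.StringIO(alert_csv)):
        if row["flagged_ip"] in placeholder_ips:
            # The flagged IP is only the resolver's answer page; the useful
            # signal is which internal host asked for which listed domain.
            by_client[row["client"]].add(row["queried_domain"])
        else:
            direct.append(dict(row))
    return {c: sorted(d) for c, d in by_client.items()}, direct


if __name__ == "__main__":
    hosts, direct = triage(SAMPLE_ALERTS)
    for client, domains in sorted(hosts.items()):
        print(f"{client}: investigate host, queried {', '.join(domains)}")
    for row in direct:
        print(f"{row['client']}: alert on {row['flagged_ip']} ({row['queried_domain']})")
```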
