Firepower 3110 sending DNS PTR queries from IP not configured on inter

ciscolicense
Level 1

I have a Cisco Firepower 3110 FTD and discovered some strange traffic while troubleshooting another problem. The Firepower is making DNS PTR queries to Umbrella/OpenDNS from IP addresses outside the configured /23 on the outside interface. I have verified that the queries are coming from the Firepower MAC address with many source IP addresses, 1610 on the last packet capture spanning about 1 hour. The queries are occurring about once per second and are made in groups of 10-30 IP addresses from the same block, for example 44 queries to 208.69.36.0/24 over 12 seconds. Does anyone have any idea what is causing this?

The interface is configured with 172.xx.xx.xx/23. It is configured to use Umbrella for DNS resolution.

1 Reply

Marvin Rhoads
Hall of Fame

I'm not following the architecture. If the interface has a 172.x address then it's a private address (assuming it's from 172.16.0.0/12). How does the traffic get to the Internet? Some upstream NAT device?

You should be able to perform a packet capture with trace to identify the traffic more completely. Use the Advanced Troubleshooting section of the Health Monitor for the device in FMC.
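One way to triage the packet capture suggested above, as an added example that is not part of this thread or of any Cisco tool: it flags PTR queries sent from the firewall's MAC with a source IP outside the interface's configured subnet, and groups the addresses being looked up by /24. The capture text, the firewall MAC and the /23 are constructed placeholders, and the whitespace-separated export format is an assumption (a real capture would first be converted to one line per DNS packet).

```python
import ipaddress
from collections import Counter

# Constructed sample export (not from the original post), one DNS packet per line:
# epoch_seconds src_mac src_ip dst_ip qtype qname
SAMPLE_CAPTURE = """\
1700000000.10 00:11:22:33:44:55 172.20.0.5 208.67.222.222 A www.example.com
1700000000.25 00:11:22:33:44:55 198.51.100.17 208.67.222.222 PTR 10.36.69.208.in-addr.arpa
1700000000.90 00:11:22:33:44:55 198.51.100.18 208.67.222.222 PTR 11.36.69.208.in-addr.arpa
1700000001.40 00:11:22:33:44:55 198.51.100.19 208.67.222.222 PTR 12.36.69.208.in-addr.arpa
1700000002.00 aa:bb:cc:dd:ee:ff 203.0.113.9 208.67.222.222 PTR 1.0.0.10.in-addr.arpa
1700000002.50 00:11:22:33:44:55 198.51.100.20 208.67.220.220 PTR 5.5.168.192.in-addr.arpa
"""

FIREWALL_MAC = "00:11:22:33:44:55"   # placeholder for the Firepower's interface MAC
CONFIGURED_NET = "172.20.0.0/23"     # placeholder for the interface's real /23


def ptr_target(qname):
    """Turn a reverse name like 10.36.69.208.in-addr.arpa back into the IPv4
    address it asks about; return None for anything that is not an IPv4 PTR name."""
    labels = qname.lower().rstrip(".").split(".")
    if len(labels) != 6 or labels[-2:] != ["in-addr", "arpa"]:
        return None
    return ipaddress.ip_address(".".join(reversed(labels[:4])))


def find_offsubnet_ptr(capture_text, firewall_mac, configured_net):
    """Return (rogue_sources, blocks): rogue_sources counts PTR queries per
    source IP that left the firewall MAC but is not in configured_net;
    blocks counts the /24 each such PTR query is resolving."""
    net = ipaddress.ip_network(configured_net, strict=False)
    rogue_sources = Counter()
    blocks = Counter()
    for line in capture_text.splitlines():
        _ts, mac, src, _dst, qtype, qname = line.split()
        if mac.lower() != firewall_mac.lower() or qtype != "PTR":
            continue
        if ipaddress.ip_address(src) in net:
            continue  # expected: the interface's own subnet
        rogue_sources[src] += 1
        target = ptr_target(qname)
        if target is not None:
            block = ipaddress.ip_network(f"{target}/24", strict=False)
            blocks[str(block)] += 1
    return rogue_sources, blocks


if __name__ == "__main__":
    rogue, blocks = find_offsubnet_ptr(SAMPLE_CAPTURE, FIREWALL_MAC, CONFIGURED_NET)
    print(f"{len(rogue)} off-subnet source IPs, {sum(rogue.values())} PTR queries")
    for net_str, count in blocks.most_common():
        print(f"{count:4d} PTR queries for {net_str}")
```

Source IPs that appear here are the ones to feed into the capture-with-trace, since the trace output shows which policy or feature on the box generated each packet.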
