NLnetLabs / unbound

Unbound is a validating, recursive, and caching DNS resolver.
https://nlnetlabs.nl/unbound
BSD 3-Clause "New" or "Revised" License

Excessive unexpected outbound DNS requests from PFsense running unbound on AWS #249

Open johnmmason opened 4 years ago

johnmmason commented 4 years ago

I have recently installed PFsense on an AWS VPC as a firewall/NAT device/DNS Forwarder. I am running PFblocker and Suricata for GeoIP blocking and IDS. All devices on the LAN subnet are set to use unbound running on PFsense for their DNS server. PFsense is configured to use 1.1.1.1 for its DNS server.

Within less than a day, Suricata began to flag an enormous amount of traffic on port 53 (DNS) and port 123 (NTP) to some legitimate and mostly questionable (dfw0.clover.mattnordhoff.net) domains. The logs show over 40 requests every second which were not present at the original install.

[Screenshot, 2020-06-12 2:26:38 PM]

I have changed the unbound settings to log individual DNS queries and it appears that they are coming from PFsense itself (127.0.0.1) although I do not see nearly as many queries in the unbound logs as I do in Suricata.

[Screenshot, 2020-06-12 2:28:38 PM]

Restarting PFsense causes the alerts to stop temporarily.

Has anyone experienced similar behavior on their systems or has some idea what is causing this? I am not sure whether unbound is originating these requests and that they are nothing to worry about, or whether they may indicate a breach in my network.

Thank you for your help!

wcawijngaards commented 4 years ago

Hi johnmmason, Unbound performs these requests for a local client that asks for it; the requests do not originate from inside unbound. You can see it in its logs: 127.0.0.1 is asking the question.

The invalid checksum is likely because the network card has off-loaded checksums, and the checksum is not available to the packet filter that captured the traffic.

The requests in the unbound log you show are from reverse lookups. This is where something wants to know the domain name associated with an IP address. It could be something like a spam filter that is running locally and is looking up the IP addresses of spam email or of links in spam email. That would also explain the questionable domains.

I do not know why you see more queries; maybe the traffic is dropped by another filter and unbound is performing retries? Or the domains have been taken down and unbound has timeouts. Unbound can log why it performs network activity; with, e.g., verbosity 2 or verbosity 4 it would show an indication of why packets are sent, which may be something to do if there is remaining activity you want to investigate.

Best regards, Wouter
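A practical way to confirm the two points made above (that the queries are submitted by a client, here 127.0.0.1, rather than generated inside unbound, and that they are reverse lookups) is to aggregate unbound's query log by client and query type. The script below is an added example, not code from the unbound project or from either commenter. It assumes unbound was started with `log-queries: yes` (a real unbound.conf option) and that each query line ends with `<client-ip> <qname> <qtype> <qclass>` after the `info:` tag; the log lines embedded in it are constructed for illustration, not captured from the reporter's system.

```python
import re
from collections import Counter

# Constructed sample of unbound query-log output (log-queries: yes); not real traffic.
# Assumed per-line format after "info:": <client-ip> <qname> <qtype> <qclass>
SAMPLE_LOG = """\
Jun 12 14:26:01 pfsense unbound[1234:0] info: 127.0.0.1 89.67.45.23.in-addr.arpa. PTR IN
Jun 12 14:26:01 pfsense unbound[1234:0] info: 127.0.0.1 2.1.0.10.in-addr.arpa. PTR IN
Jun 12 14:26:02 pfsense unbound[1234:0] info: 10.0.1.25 example.com. A IN
Jun 12 14:26:02 pfsense unbound[1234:0] info: 127.0.0.1 mail.example.net. A IN
Jun 12 14:26:03 pfsense unbound[1234:0] info: 127.0.0.1 3.1.0.10.in-addr.arpa. PTR IN
Jun 12 14:26:03 pfsense unbound[1234:0] info: 10.0.1.30 pool.ntp.org. A IN
"""

QUERY_RE = re.compile(
    r"info: (?P<client>\S+) (?P<qname>\S+) (?P<qtype>\S+) (?P<qclass>\S+)\s*$"
)


def parse_queries(text):
    """Yield (client, qname, qtype) for every query line in the log text."""
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            yield m.group("client"), m.group("qname"), m.group("qtype")


def is_reverse_lookup(qname):
    """True for names under the reverse-mapping zones (IPv4 and IPv6)."""
    return qname.lower().rstrip(".").endswith((".in-addr.arpa", ".ip6.arpa"))


def ptr_to_ipv4(qname):
    """Turn '89.67.45.23.in-addr.arpa.' back into '23.45.67.89' (None if not IPv4 PTR)."""
    labels = qname.lower().rstrip(".").split(".")
    if labels[-2:] != ["in-addr", "arpa"] or len(labels) != 6:
        return None
    return ".".join(reversed(labels[:4]))


def summarize(text):
    """Count all queries per client, reverse lookups per client,
    and which IP addresses the reverse lookups are asking about."""
    per_client = Counter()
    reverse_per_client = Counter()
    looked_up_ips = Counter()
    for client, qname, qtype in parse_queries(text):
        per_client[client] += 1
        if qtype == "PTR" or is_reverse_lookup(qname):
            reverse_per_client[client] += 1
            ip = ptr_to_ipv4(qname)
            if ip:
                looked_up_ips[ip] += 1
    return per_client, reverse_per_client, looked_up_ips


def local_reverse_share(text, local_clients=("127.0.0.1", "::1")):
    """Fraction of all logged queries that are reverse lookups from the resolver host itself.
    A high value points at a local process (e.g. a spam filter or IDS doing PTR enrichment),
    not at LAN clients and not at unbound generating traffic on its own."""
    per_client, reverse_per_client, _ = summarize(text)
    total = sum(per_client.values())
    if total == 0:
        return 0.0
    return sum(reverse_per_client[c] for c in local_clients) / total


if __name__ == "__main__":
    per_client, reverse_per_client, looked_up_ips = summarize(SAMPLE_LOG)
    for client, n in per_client.most_common():
        print(f"{client:>15}  queries={n:<4} reverse={reverse_per_client[client]}")
    print("addresses being reverse-resolved:", dict(looked_up_ips))
    print(f"share of traffic that is local reverse lookups: {local_reverse_share(SAMPLE_LOG):.0%}")
```

Run it against a real log with `summarize(open("/var/log/unbound.log").read())`. If the local host dominates and the names are almost all PTR records, the next step is to find which local process is doing the enrichment (on pfSense, a log-inspecting package is a likely candidate) rather than to suspect the resolver; if instead LAN clients appear with many distinct forward names, that is the case worth investigating further with a higher `verbosity`, as suggested above.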