FortiGate
dsrivastava
Staff
Article Id 263332
Description

This article describes the steps to troubleshoot the log event 'Domain was blocked by DNS botnet C&C' when it is seen for a single user.


date=2023-07-07 time=11:19:48 eventtime=1688708989099213938 tz="+0530" logid="1501054601" type="utm" subtype="dns" eventtype="dns-response" level="warning" vd="root" policyid=1 poluuid="aed62bb4-9314-51ec-00f9-6830d58d92f8" policytype="policy" sessionid=18976445 srcip=192.168.90.23 srcport=64814 srccountry="Reserved" srcintf="lan" srcintfrole="lan" dstip=8.8.4.4 dstport=53 dstcountry="United States" dstintf="port4" dstintfrole="wan" proto=17 profile="Corporate DNS Policy" srcmac="d4:3d:7e:65:e4:d6" xid=24919 qname="survey-smiles.com" qtype="A" qtypeval=1 qclass="IN" ipaddr="208.91.112.55" msg="Domain was blocked by dns botnet C&C" action="redirect" botnetdomain="survey-smiles.com"

Scope
FortiGate.
Solution

If a domain is reported as blocked by the DNS botnet C&C check, take the following steps to investigate and resolve the issue:


  1. To check botnet activity: Go to Dashboard -> Status and see the 'Botnet Activity' widget.
    If the 'Botnet Activity' widget is not found, select the Settings button at the bottom right, select 'Add Widget', and add the 'Botnet Activity' widget.

    [Image Botnet.png: the 'Botnet Activity' dashboard widget]
  2. Check DNS-query security logs to confirm if the domain is being blocked due to a DNS botnet C&C detection. Look for relevant entries indicating the blocking of the domain.

    [Image Botnet1.png: DNS-query security log entries showing the botnet C&C block]

  3. If possible, disconnect or isolate the affected system from the network to prevent further communication with the C&C server. This will limit the botnet's influence and reduce potential impact.

  4. Ensure the FortiGate has the latest security definitions and firmware updates installed. Regular updates help in identifying and blocking new threats, including botnet C&C servers.

The UTM licenses are registered in https://support.fortinet.com.
Once registered and applied to FortiGate, the licenses appear as registered in the GUI (Graphical User Interface) of FortiGate. If the licenses are still appearing as not registered, force the license update by executing the CLI command:


execute update-now


  5. If certain that the blocked domain is legitimate and not associated with any malicious activity, add it to the exception list (whitelist) on FortiGate under the web-filtering option.


  6. If suspecting that a device on the network may be infected and participating in the botnet, scan the devices using reputable anti-malware software to identify and remove any threats.
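Step 2 asks to confirm the detection in the DNS-query security logs; when the same question comes up across exported syslog, it is quicker to parse the lines than to read them one by one. The script below is an added example and is not part of this article or of any Fortinet tool: it tokenizes FortiGate key=value log lines (quoted values may contain spaces, as msg="Domain was blocked by dns botnet C&C" does), keeps only the DNS filter botnet C&C verdicts, and groups them by srcip and botnetdomain so the affected host and the domain it asked for stand out. The first sample line is the log entry shown above; the remaining sample lines and the domain example-c2.invalid are constructed for the example.

```python
import re
from collections import defaultdict

# FortiGate syslog is key=value; a value is either a double-quoted string
# (may contain spaces, '&', ':') or a bare token up to the next whitespace.
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortigate_log(line: str) -> dict:
    """Parse one FortiGate key=value log line into a dict, quotes stripped."""
    fields = {}
    for key, raw in _KV_RE.findall(line):
        if raw.startswith('"') and raw.endswith('"'):
            raw = raw[1:-1]
        fields[key] = raw
    return fields


def is_botnet_cc_block(ev: dict) -> bool:
    """True for a DNS filter event whose verdict is a botnet C&C block.

    The match on msg is case-insensitive because the GUI shows 'DNS botnet C&C'
    while the raw log carries 'dns botnet C&C'.
    """
    return (ev.get("type") == "utm"
            and ev.get("subtype") == "dns"
            and "botnet c&c" in ev.get("msg", "").lower())


def summarize_botnet_events(lines) -> dict:
    """Group botnet C&C block events as {srcip: {domain: count}}.

    botnetdomain is preferred over qname because it names the matched
    entry; qname is the fallback if the field is absent.
    """
    summary = defaultdict(lambda: defaultdict(int))
    for line in lines:
        ev = parse_fortigate_log(line)
        if not ev or not is_botnet_cc_block(ev):
            continue
        domain = ev.get("botnetdomain") or ev.get("qname", "?")
        summary[ev.get("srcip", "?")][domain] += 1
    return {ip: dict(domains) for ip, domains in summary.items()}


# Sample input: line 0 is the log entry from the article; lines 1-3 are
# constructed for this example (a repeat query, a second host querying a
# constructed domain, and a benign pass that must be ignored).
SAMPLE_LOGS = [
    'date=2023-07-07 time=11:19:48 eventtime=1688708989099213938 tz="+0530" logid="1501054601" '
    'type="utm" subtype="dns" eventtype="dns-response" level="warning" vd="root" policyid=1 '
    'poluuid="aed62bb4-9314-51ec-00f9-6830d58d92f8" policytype="policy" sessionid=18976445 '
    'srcip=192.168.90.23 srcport=64814 srccountry="Reserved" srcintf="lan" srcintfrole="lan" '
    'dstip=8.8.4.4 dstport=53 dstcountry="United States" dstintf="port4" dstintfrole="wan" '
    'proto=17 profile="Corporate DNS Policy" srcmac="d4:3d:7e:65:e4:d6" xid=24919 '
    'qname="survey-smiles.com" qtype="A" qtypeval=1 qclass="IN" ipaddr="208.91.112.55" '
    'msg="Domain was blocked by dns botnet C&C" action="redirect" botnetdomain="survey-smiles.com"',
    # constructed: same host repeats the query a minute later
    'date=2023-07-07 time=11:20:51 type="utm" subtype="dns" eventtype="dns-response" level="warning" '
    'srcip=192.168.90.23 qname="survey-smiles.com" qtype="A" '
    'msg="Domain was blocked by dns botnet C&C" action="redirect" botnetdomain="survey-smiles.com"',
    # constructed: a second host, constructed domain
    'date=2023-07-07 time=11:22:03 type="utm" subtype="dns" eventtype="dns-response" level="warning" '
    'srcip=192.168.90.41 qname="example-c2.invalid" qtype="A" '
    'msg="Domain was blocked by dns botnet C&C" action="redirect" botnetdomain="example-c2.invalid"',
    # constructed: benign DNS event with no botnet verdict, must not be counted
    'date=2023-07-07 time=11:22:10 type="utm" subtype="dns" eventtype="dns-response" level="information" '
    'srcip=192.168.90.23 qname="example.com" qtype="A" action="pass"',
]


def report(lines) -> str:
    """Render the summary as one line per host, for pasting into a ticket."""
    out = []
    for ip, domains in sorted(summarize_botnet_events(lines).items()):
        hits = ", ".join(f"{d} x{n}" for d, n in sorted(domains.items()))
        out.append(f"{ip}: {hits}")
    return "\n".join(out)


if __name__ == "__main__":
    print(report(SAMPLE_LOGS))
```

Feed it the exported DNS filter log (one event per line) and the output names each source IP with the domains the DNS filter matched; a single host with one repeated domain is the "single user" case this article covers, while several hosts hitting the same domain points at step 6 rather than step 5.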