BRIEF
I'm poking around Compromised Hosts ... thus far, only my DNS servers are showing up
* Drilling in, I see uniformly that the Detect Method is 'infected-domain'
* What do other people do? Do you just live with all your DNS servers topping the Compromised Hosts display?
DETAIL
Seems to me that this is hard problem. Yes, it is possible that malware living on the DNS servers is emitting DNS look-ups for malicious sites ... but ... more likely, the DNS servers are just forwarding requests from infected clients. And, from a narrow Fortigate / Fortianalyzer point of view, there isn't sufficient information to track down these clients. So ... I would expect to see all my DNS servers on the Compromised Hosts list 7x24 ... and this isn't actionable information
Since I'm not going to do anything about these entries, I would like to remove them from the list. Is there a white-list feature? I haven't found it
--sk
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
If these compromised machines are behind a fortigate router and the dns server is in the same subnet, there is no way for the fgt to control internal network traffic - AFAIK the fgt can only control (ie restrict) traffic if it crosses over an interface. So if the DNS server was located on a different subnet (and different interface) you can easily montior DNS request going over that interface (to the DNS server).
That said, you may have better odds at resolving DNS issues from the DNS server side. (e.g. traffic monitoring/logging, root hints info from client stations) - though I suggest limiting the use of DNS logging as it tends to bog down the server. Also the use of WireShark.
Things you could do (in general) off the top of my head:
- limit DNS traffic going out to the Internet to approval DNS servers (e.g. Google DNS) - block all other DNS servers
- If using an internal DNS server - only allow that server's IPs to make outside DNS requests.
- Make use of a app sensors/IPS targeting DNS traffic (like proxying web traffic through port 53)
- Remove (sourced client workstation)l root hints
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
Did you ever find a solution? With AD integration the DNS always get's pegged as the compromised host. At first I had the FortiGate disable the port of the compromised host, which in effect shutdown the whole network so now I just have it email alert me.
I've started enabling the FortiGate as the DNS server for my VLANs and using Zone Transfer from the AD/DNS to the FortiGate. That way the FortiGate is used for the DNS lookup and only sends request to the AD/DNS when it's outside of the A and CNAME records. Mostly works, infrequently I have a client that has issues authenticating. Haven't narrowed down why yet.
Sorry to dig up an old thread. I'll guess the FGT flags things as compromised solely base on the DNS lookup. It would be nice to have a new widget added that flags things as attempts are made to make a connection to the websites it sees as a problem and not just the DNS lookup.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1669 | |
1082 | |
752 | |
446 | |
226 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.