Stuart_Kendrick
New Contributor

Compromised Hosts / DNS Servers

BRIEF

I'm poking around Compromised Hosts ... thus far, only my DNS servers are showing up

* Drilling in, I see uniformly that the Detect Method is 'infected-domain'

* What do other people do?  Do you just live with all your DNS servers topping the Compromised Hosts display?

 

DETAIL

Seems to me that this is a hard problem.  Yes, it is possible that malware living on the DNS servers is emitting DNS look-ups for malicious sites ... but ... more likely, the DNS servers are just forwarding requests from infected clients.  And, from a narrow FortiGate / FortiAnalyzer point of view, there isn't sufficient information to track down these clients.  So ... I would expect to see all my DNS servers on the Compromised Hosts list 7x24 ... and this isn't actionable information.

 

Since I'm not going to do anything about these entries, I would like to remove them from the list.  Is there a white-list feature?  I haven't found it.

 

--sk

3 REPLIES
Dave_Hall
Honored Contributor

If these compromised machines are behind a FortiGate router and the DNS server is in the same subnet, there is no way for the fgt to control internal network traffic - AFAIK the fgt can only control (i.e. restrict) traffic if it crosses over an interface.  So if the DNS server was located on a different subnet (and different interface) you can easily monitor DNS requests going over that interface (to the DNS server).

 

That said, you may have better odds at resolving DNS issues from the DNS server side (e.g. traffic monitoring/logging, root hints info from client stations) - though I suggest limiting the use of DNS logging as it tends to bog down the server.  Also the use of Wireshark.

 

Things you could do (in general) off the top of my head:

- limit DNS traffic going out to the Internet to approved DNS servers (e.g. Google DNS) - block all other DNS servers

- If using an internal DNS server - only allow that server's IPs to make outside DNS requests.

- Make use of app sensors/IPS targeting DNS traffic (like proxying web traffic through port 53)

- Remove root hints (sourced at client workstations)

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
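The "DNS server side" logging that the reply above suggests is what actually turns an 'infected-domain' hit on a forwarder into a client address. The script below is an added example, not code from this thread or from Fortinet: it assumes the internal resolver is BIND 9 with query logging turned on (`querylog yes;` in `options`, or toggled at runtime with `rndc querylog`), takes the domains the FortiGate flagged, and reports which internal clients asked the resolver for those names. The log lines, domain names and addresses are constructed samples. It also separates out the edge case the original post worries about: a flagged lookup whose source is the DNS server itself, which is the one case where the server, not a client, deserves the investigation.

```python
"""Attribute FortiGate 'infected-domain' hits to the clients behind a DNS forwarder.

Added example, not code from the original thread or from Fortinet. It assumes
the internal DNS server is BIND 9 with query logging enabled, so that each
client lookup is recorded before the server forwards it out through the
FortiGate. The log lines, domain names and addresses below are constructed.
"""
import re
from collections import defaultdict

# Constructed sample lines in BIND 9 querylog format (not real traffic).
SAMPLE_QUERY_LOG = """\
12-Mar-2024 10:15:32.123 client @0x7f3c8c0a1b20 10.1.2.34#51234 (c2.example.net): query: c2.example.net IN A +E(0)K (10.0.0.53)
12-Mar-2024 10:15:33.004 client @0x7f3c8c0a1b20 10.1.2.34#51236 (www.example.com): query: www.example.com IN A +E(0)K (10.0.0.53)
12-Mar-2024 10:15:40.871 client @0x7f3c8c0b2c30 10.1.5.77#40011 (bad.example.org): query: bad.example.org IN A + (10.0.0.53)
12-Mar-2024 10:16:02.500 client @0x7f3c8c0c3d40 10.1.2.34#51240 (beacon.c2.example.net): query: beacon.c2.example.net IN AAAA +E(0)K (10.0.0.53)
12-Mar-2024 10:16:05.010 client @0x7f3c8c0d4e50 10.0.0.53#33333 (c2.example.net): query: c2.example.net IN A + (10.0.0.53)
"""

# Constructed: domains the FortiGate listed with Detect Method 'infected-domain'.
FLAGGED_DOMAINS = {"c2.example.net", "bad.example.org"}

# Assumption: the addresses of the DNS servers the FortiGate keeps flagging.
DNS_SERVERS = {"10.0.0.53"}

# Matches the client address and the queried name; the '@0x...' handle is
# optional because older BIND releases omit it.
QUERY_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?:@0x[0-9a-fA-F]+ )?(?P<client>[0-9a-fA-F.:]+)#\d+ "
    r"\([^)]*\): query: (?P<name>\S+) (?P<cls>\S+) (?P<qtype>\S+)"
)


def parse_query_log(text):
    """Return one dict per parseable query line; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = QUERY_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["name"] = e["name"].rstrip(".").lower()
        entries.append(e)
    return entries


def matched_domain(name, flagged):
    """Return the flagged domain that `name` equals or is a subdomain of, else None."""
    for d in flagged:
        d = d.rstrip(".").lower()
        if name == d or name.endswith("." + d):
            return d
    return None


def attribute(entries, flagged, dns_servers):
    """Split flagged lookups into (clients per domain, queries made by the DNS server itself).

    The first result names the hosts actually worth investigating. The second
    is the edge case from the thread: a lookup whose source is the DNS server,
    meaning either the server itself is infected or the query reached it over a
    path this log does not record.
    """
    per_domain = defaultdict(lambda: defaultdict(int))
    from_server = []
    for e in entries:
        d = matched_domain(e["name"], flagged)
        if d is None:
            continue
        if e["client"] in dns_servers:
            from_server.append(e)
        else:
            per_domain[d][e["client"]] += 1
    return {d: dict(c) for d, c in per_domain.items()}, from_server


def report(per_domain, from_server):
    """Render a short text summary suitable for a ticket or an alert e-mail body."""
    lines = []
    for d in sorted(per_domain):
        clients = ", ".join(f"{ip} ({n})" for ip, n in sorted(per_domain[d].items()))
        lines.append(f"{d}: queried by {clients}")
    for e in from_server:
        lines.append(
            f"{e['name']}: queried by DNS server {e['client']} itself at {e['ts']}; "
            "investigate the server"
        )
    return "\n".join(lines)


if __name__ == "__main__":
    entries = parse_query_log(SAMPLE_QUERY_LOG)
    print(report(*attribute(entries, FLAGGED_DOMAINS, DNS_SERVERS)))
```

Run against a real query log, the domains come from the FortiGate/FortiAnalyzer Compromised Hosts detail and the DNS server set from the flagged hosts themselves. The subdomain match matters because the flagged entry is usually the apex name while clients query hostnames beneath it. Because query logging costs the resolver noticeably (the point made above), a practical pattern is to toggle it on with `rndc querylog` only for the window after an alert, then off again. A Windows DNS debug log uses a different line layout, so the regular expression would need adjusting for that source.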
Eric_Schmidt

Did you ever find a solution?  With AD integration the DNS always gets pegged as the compromised host.  At first I had the FortiGate disable the port of the compromised host, which in effect shut down the whole network, so now I just have it email alert me.

 

I've started enabling the FortiGate as the DNS server for my VLANs and using Zone Transfer from the AD/DNS to the FortiGate.   That way the FortiGate is used for the DNS lookup and only sends requests to the AD/DNS when it's outside of the A and CNAME records.  Mostly works; infrequently I have a client that has issues authenticating.  Haven't narrowed down why yet.

pccstech

Sorry to dig up an old thread.  I'll guess the FGT flags things as compromised solely based on the DNS lookup.  It would be nice to have a new widget added that flags things as attempts are made to make a connection to the websites it sees as a problem and not just the DNS lookup.
