Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Ninja_03092
New Contributor

Created on ‎09-10-2024 07:52 AM

IPS logs DNS.PTR.Records.Scan Question

Hello 

 

I am getting a large number of entries related to the DNS.PTR.Records.Scan signature. The origin is one of my servers making requests to 8.8.8.8 or 1.1.1.1

 

What actions do you recommend?

 

eventtime=1725978564223549647 tz="-0400" logid="0419016384" type="utm" subtype="ips" eventtype="signature" level="alert" vd="root" severity="low" srcip=19.19.12.101 srccountry="Reserved" dstip=8.8.8.8 dstcountry="United States" srcintf="z2" srcintfrole="wan" dstintf="Internet" dstintfrole="wan" sessionid=88096527 action="dropped" proto=17 service="DNS" policyid=229 poluuid="79818ba8-59a9-51ef-f294-51bc44ab72d9" policytype="policy" attack="DNS.PTR.Records.Scan" srcport=59436 dstport=53 direction="outgoing" attackid=51391 profile="high_security" ref="http://www.fortinet.com/ids/VID51391" incidentserialno=45804839 msg="name_server: DNS.PTR.Records.Scan" crscore=5 craction=32768 crlevel="low"

Labels:
1971
0 Kudos
3 REPLIES 3
Anthony_E
Community Manager
Community Manager

Created on ‎09-12-2024 09:21 PM

Hello Ninja,


Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.


Thanks,

Anthony-Fortinet Community Team.
1927
0 Kudos
AEK
SuperUser
SuperUser

Created on ‎09-13-2024 12:46 AM

Hello Ninja

According to Fortinet on http://www.fortinet.com/ids/VID51391 the IPS action for this signature is "pass" by default.

As this is a false positive, go to the IPS profile you are using, search for the signature DNS.PTR.Records.Scan signature, and set action to "Allow".

AEK
AEK
1907
sw2090
SuperUser
SuperUser

Created on ‎09-13-2024 04:34 AM

Just for info: a DNS PTR Record is nothing evil ;) PTR records are used for reverse DNS which means you ask the DNS for a FQDN to an ip.

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

-- "It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
1890
Announcements
Check out our Community Chatter Blog! Click here to get involved
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.