DNS Binding Attack

Description

Host-to-host DNS conversations are dropped on the SonicWall with the drop code: Packet dropped - DNS Rebind attack

After enabling the protection described in 'How to prevent a DNS Rebinding Attack on a SonicWall', dropped packets are seen in the packet monitor and log events are seen.

Resolution

Export the packet capture in .pcap and .HTML format, filtering on UDP port 53.

How to Setup and Utilize the Packet Monitor Feature for Troubleshooting

 

Open the HTML file and confirm the packet drop.

 

If the DNS server responds with an IP address in the 127.0.0.0/8 range (reserved for loopback), your job is done: you have found the reason SonicWall is dropping that packet.

 

More reading: IP Addresses that should never appear in the public DNS

 

In this specific case, the URL causing this behavior appears to belong to McAfee software; it is visible in the Queries section of the Wireshark capture:

 

a-0.19-a7000071.d020082.170c.21a0.2f4a.210.0.ewvtghvsufwz3w8bs41ir4aaqi.avts.mcafee.com

 

A useful tool is available at the following link, where you can use different public DNS servers to resolve a URL: NSLOOKUP: look up and find IP addresses in the DNS

 

 
