DNS Binding Attack
03/26/2020
Host-to-host DNS conversations are dropped by the SonicWall with the drop code: Packet dropped - DNS Rebind attack
After enabling DNS rebinding protection as described in 'How to prevent a DNS Rebinding Attack on a SonicWall', dropped packets are seen in Packet Monitor and the corresponding log events are generated.
Export the packet capture in .pcap and .HTML format, filtering on UDP port 53.
See: How to Setup and Utilize the Packet Monitor Feature for Troubleshooting
Open the HTML file and confirm the packet drop:
Open the .pcap file with Wireshark and review the same packets seen in the HTML file:
If the DNS server responds with an IP address in the 127.0.0.0/8 range [reserved for loopback], your job is done: you have found the reason why the SonicWall is dropping that packet.
More reading: IP Addresses that should never appear in the public DNS
In this specific case, the URL causing this behavior appears to belong to McAfee software; it is visible in the Wireshark capture under Queries:
A useful tool is available at the following link, where you can use different public DNS servers to resolve a URL: NSLOOKUP: look up and find IP addresses in the DNS