DNS Binding Attack

Description

Host-to-host DNS conversations are dropped by the SonicWall with the drop code: Packet dropped - DNS Rebind attack

After enabling the protection described in 'How to prevent a DNS Rebinding Attack on a SonicWall', dropped packets are seen in the packet monitor and log events are generated.

Resolution

Export the packet capture in .pcap and .HTML format, filtering on UDP port 53.

How to Setup and Utilize the Packet Monitor Feature for Troubleshooting

 

Open the HTML file and confirm the packet drop.

 

If the DNS server responds with an IP address in the 127.0.0.0/8 range [reserved for loopback], your job is done: you have found the explanation for why the SonicWall is dropping that packet.
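The same check can be run offline against DNS messages taken from the exported capture. The following is an added example, not SonicWall code and not part of the original article: it parses a raw DNS response (the UDP payload) and returns any A-record answers inside 127.0.0.0/8. The function names and the sample messages are constructed for illustration, and only the loopback case described above is covered.

```python
import ipaddress
import struct

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")  # range named in the article

def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) DNS name."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:      # compression pointer: 2 bytes, name ends here
            return off + 2
        if length == 0:                # root label terminates the name
            return off + 1
        off += 1 + length

def loopback_answers(msg):
    """Return A-record addresses in 127.0.0.0/8 from a raw DNS response payload."""
    _id, flags, qdcount, ancount = struct.unpack_from("!HHHH", msg, 0)
    if not flags & 0x8000:             # QR bit clear: this is a query, not a response
        return []
    off = 12                           # fixed DNS header length
    for _ in range(qdcount):           # skip question section: name + type + class
        off = _skip_name(msg, off) + 4
    hits = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if rtype == 1 and rdlen == 4:  # A record carrying an IPv4 address
            addr = ipaddress.IPv4Address(msg[off:off + 4])
            if addr in LOOPBACK:
                hits.append(str(addr))
        off += rdlen
    return hits

def _encode_name(name):
    return b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"

def build_response(name, addr, flags=0x8180):
    """Build a constructed one-answer DNS message (sample data, not a real capture)."""
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, 1, 0, 0)
    question = _encode_name(name) + struct.pack("!HH", 1, 1)
    answer = (b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4)
              + ipaddress.IPv4Address(addr).packed)
    return header + question + answer

# Constructed samples: one response that would match the drop reason, one that would not.
SAMPLE_LOOPBACK = build_response("host.example.test", "127.0.0.1")
SAMPLE_PUBLIC = build_response("host.example.test", "192.0.2.10")
```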

 

More reading: IP Addresses that should never appear in the public DNS

 

In this specific case, the URL causing this behavior appears to belong to McAfee software; it is visible in the Wireshark capture under Queries:

 

a-0.19-a7000071.d020082.170c.21a0.2f4a.210.0.ewvtghvsufwz3w8bs41ir4aaqi.avts.mcafee.com

 

A useful tool is available at the following link, where you can use different public DNS servers to resolve a URL: NSLOOKUP: look up and find IP addresses in the DNS

 

 
