DNS requests to ESET servers blocked by PaloAlto


Recommended Posts

For the last few days, our Palo Alto firewalls have been detecting DNS traffic from ESET nameservers as "DNS Tunnel Data Infiltration Traffic". DNS traffic, UDP over port 53...

More info on this threat type: https://threatvault.paloaltonetworks.com/?query=18003

Does anyone have an idea about what's going on? And what will break now, because some DNS queries probably aren't resolving...


  • Most Valued Members

You should report that to Palo Alto so they can check why they are blocking ESET update servers.

Edited by Rami
Spelling correction

  • Administrators

As suggested, contact Palo Alto Networks to resolve the false positive. Since it is their products that trigger the FP, we cannot influence the detection.


PaloAlto is blocking this because you are using DNS to pass info through the network. I don't see any reason why ESET would use this covert channel to distribute or receive info to/from clients. We will keep this type of traffic blocked on our network until there is a clear explanation of what kind of info is exchanged via DNS and why it is done this way.

If we have clients on our network that have ESET installed and whose installation will not work anymore, we will send them to ESET support.

Wim Holemans

Network/Security Teamleader

University of Antwerp


  • Administrators

DNS requests are used by Parental / Web Control and for license-related purposes. This is a perfectly legitimate use of DNS that is employed by plenty of vendors of legitimate software. If the "spyware" detection is not removed soon, we'll raise an official complaint.


2 hours ago, wim said:

PaloAlto is blocking this because you are using DNS to pass info through the network. I don't see any reason why ESET would use this covert channel to distribute or receive info to/from clients. We will keep this type of traffic blocked on our network until there is a clear explanation of what kind of info is exchanged via DNS and why it is done this way.

If we have clients on our network that have ESET installed and whose installation will not work anymore, we will send them to ESET support.

Wim Holemans

Network/Security Teamleader

University of Antwerp

Is this documented?


I find it a bit "sanctimonious" that PaloAlto is complaining about this, since they do likewise: https://www.paloaltonetworks.com/documentation/81/pan-os/web-interface-help/network/network-dns-proxy/dns-proxy-overview

Perhaps ESET's DNS-like activities are getting in the way of theirs?


  • ESET Staff

Just to update concerning the DNS usage:

ESET services that are using DNS:

  • Parental / WebControl, for the URL reputation
  • Anti-theft (consumer only) concerning the config change status / updates
  • EDF (licensing) concerning the config change status / updates
  • Antispam (backup communication) for hashes / status
  • AV Cloud (ESET Live Grid) - partial communication.

It's described within the following KB article:

https://support.eset.com/kb332/?locale=en_US&viewlocale=en_US


30 minutes ago, MichalJ said:

Just to update concerning the DNS usage:

ESET services that are using DNS:

  • Parental / WebControl, for the URL reputation
  • Anti-theft (consumer only) concerning the config change status / updates
  • EDF (licensing) concerning the config change status / updates
  • Antispam (backup communication) for hashes / status
  • AV Cloud (ESET Live Grid) - partial communication.

It's described within the following KB article:

https://support.eset.com/kb332/?locale=en_US&viewlocale=en_US

Correct me if I'm wrong, but I don't see in the KB article a statement that you use DNS for information exchange, only for DNS queries.

For example, for ESET Live Grid you only say "These IP addresses need to be enabled for HTTP port 80. Also, an access to your local DNS server is required for DNS queries on UDP port 53."
If port 53 or DNS protocol is used for something other than name resolution, that should be noted in that text.

I don't see a problem with information exchange as long as it's transparent and highlighted clearly in documentation. That way we could avoid problems with 3rd party products.


FYI - it is no great secret that AV vendors have used DNS tunneling for quite some time:

Quote

Elsewhere, the need for nearly continuous communication with their customers has seen some anti-virus (AV) vendors set up file hash identification routines via DNS.

https://www.helpnetsecurity.com/2016/09/19/dns-data-transport/

Quote

DNS tunneling is commonly used to circumvent security. This can be done for benign reasons like anti-virus updates done by endpoint software

https://help.zscaler.com/zia/about-dns-tunnel-detection

It appears to me that the network perimeter security appliance manufacturers are trying to demonstrate their "new and improved" detection methods at the expense of the AV vendors to counter criticism of their past ineffectiveness against malicious DNS tunnel attacks.

-EDIT- Also, if one wants to look for nefarious tunneling activities, start looking closely at the manufacturer of the OS you are using, Microsoft.

Edited by itman
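Added illustration, not from this thread or from any vendor's product, of why the hash-lookup style of DNS use that itman describes trips a generic tunnel heuristic: a toy scorer (subdomain length plus character entropy) over three constructed query names. The .invalid domains, the 64-hex-character hash and the thresholds are assumptions chosen for the demonstration.

```python
import math
from collections import Counter

# Constructed sample queries (not real ESET or Palo Alto data):
# 1. an ordinary name-resolution lookup
# 2. a hash-style lookup of the kind AV vendors use for file reputation
# 3. a tunnel-style query carrying encoded data in its labels
SAMPLE_QUERIES = [
    "www.example.com",
    "3a7bd3e2360a3d29eea436fcfb7e44c735d117c42d1c1835420b6b9942dd4f1b.lookup.example-av.invalid",
    "nbswy3dpeb3w64tmmqxxe43jnzswyzlwmfxgkzlomfzgc.data.tunnel-example.invalid",
]

# Assumed thresholds; real appliances tune these per environment.
MAX_SUBDOMAIN_LEN = 40
MIN_ENTROPY_BITS = 3.5


def shannon_entropy(s: str) -> float:
    """Bits per character of s; random-looking data scores high."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def subdomain_part(qname: str, base_labels: int = 2) -> str:
    """Everything left of the registrable domain (last `base_labels` labels)."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[:-base_labels])


def tunnel_score(qname: str) -> dict:
    """Toy tunnel heuristic: long, high-entropy subdomains are flagged."""
    sub = subdomain_part(qname)
    ent = shannon_entropy(sub.replace(".", ""))
    suspicious = len(sub) > MAX_SUBDOMAIN_LEN and ent > MIN_ENTROPY_BITS
    return {"subdomain_len": len(sub), "entropy": round(ent, 2), "suspicious": suspicious}


def classify(queries) -> dict:
    """Map each query name to the heuristic's verdict."""
    return {q: tunnel_score(q)["suspicious"] for q in queries}


if __name__ == "__main__":
    # The hash lookup and the tunnel query both flag: the heuristic cannot
    # tell them apart, which is why an explicit allowlist for the vendor's
    # lookup domain is the usual way to resolve this kind of false positive.
    for q, flagged in classify(SAMPLE_QUERIES).items():
        print(f"{'FLAG' if flagged else 'ok  '} {q}")
```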

6 hours ago, itman said:

FYI - it is no great secret that AV vendors have used DNS tunneling for quite some time:

https://www.helpnetsecurity.com/2016/09/19/dns-data-transport/

https://help.zscaler.com/zia/about-dns-tunnel-detection

It appears to me that the network perimeter security appliance manufacturers are trying to demonstrate their "new and improved" detection methods at the expense of the AV vendors to counter criticism of their past ineffectiveness against malicious DNS tunnel attacks.

-EDIT- Also, if one wants to look for nefarious tunneling activities, start looking closely at the manufacturer of the OS you are using, Microsoft.

Times change, as ESET Endpoint did over time. For example, v5 did not have an anti-ransomware module; v6 (guessing) and v7 do.

As for the Microsoft remark, I would welcome any solution from security vendors, like ESET, that would warn about this activity from Microsoft or any other software vendor and possibly block it on user demand.

