Overview
The intrusion prevention system in your environment reports DNS queries attempting to resolve certain hostnames/URLs. It classifies this traffic as MALWARE-CNC DNS suspicious .bit dns query and reports it as originating from Kerio Control.
Information
- These DNS queries could be for hostnames/URLs that you previously added to one or more Kerio Control IP address groups.
- To apply a traffic rule to such a group, Kerio Control must convert these URLs to IP addresses, so it frequently sends DNS requests to have them resolved. For this reason it is advisable to use the Kerio Control DNS server and enable the DNS cache.
If these hostnames are still unknown, the Kerio Control support team will need all of the following information to troubleshoot the issue:
- For the unknown (and thus blacklisted) URLs that your intrusion prevention system shows being accessed, create a traffic rule for these URLs and then enable packet logging for that rule.
- Enable the Connection tracking option under Logging Messages in your Debug logs. This option generates a debug log entry for every connection attempt, so it will register any attempt to send traffic to those blacklisted hostnames/URLs.
- Enable all the DNS options under Logging Messages in your Debug logs. If any client sends a DNS query for the blacklisted hostname(s), it should appear in these logs with the client's IP address (rather than the Kerio Control server's IP address).
- When the issue reoccurs, save the debug logs and the security logs.
- A screenshot of your Kerio DNS settings page and its custom forwarding settings.
- Save the Support information file. This can be done in the Kerio Control Administration interface by going to Status > System Health > Support Information.
- Open a support request with all the above information attached to it.
- Disable the previously enabled logging to avoid filling up the disk space.
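The DNS logging step above hinges on one question: does the query for the suspicious name come from a LAN client, or only from the firewall itself resolving an IP address group entry? The following script is an added example (not Kerio Control's code, and not its real debug-log format) that triages DNS log lines for names under a suspicious TLD such as .bit and splits them by source. The line layout (timestamp, source IP, queried name, record type), the firewall IP and the sample lines are all constructed assumptions for this illustration; adjust the regular expression to match the actual debug log before use.

```python
"""Triage DNS debug-log lines for queries to suspicious names (e.g. the .bit TLD).

Added example, not Kerio Control's own code. The log line layout parsed below is an
assumed, simplified format; real Kerio Control debug lines differ. Sample lines are
constructed for this illustration.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Assumed simplified line format: "[timestamp] DNS: query from <src ip> for <name> type <qtype>"
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\s+DNS:\s+query\s+from\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3})"
    r"\s+for\s+(?P<name>\S+)\s+type\s+(?P<qtype>[A-Z]+)"
)

# TLDs the IPS flagged; extend as needed.
SUSPICIOUS_SUFFIXES = (".bit",)

# Constructed sample log (hypothetical format). 192.168.1.1 plays the firewall,
# 192.168.1.57 plays a LAN client.
SAMPLE_LOG = """\
[10/Mar/2024 09:12:01] DNS: query from 192.168.1.1 for update.example.bit type A
[10/Mar/2024 09:12:01] DNS: query from 192.168.1.1 for www.example.com type A
[10/Mar/2024 09:12:07] DNS: query from 192.168.1.57 for cdn.example.com type AAAA
[10/Mar/2024 09:12:09] DNS: query from 192.168.1.57 for update.example.bit type A
malformed line that should be skipped
"""


@dataclass
class Query:
    ts: str
    src: str
    name: str
    qtype: str


def parse_log(text):
    """Parse every line matching the assumed format; silently skip the rest."""
    queries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            queries.append(Query(**m.groupdict()))
    return queries


def is_suspicious(name):
    """True if the queried name (case-insensitive, trailing dot ignored) ends in a flagged TLD."""
    return name.rstrip(".").lower().endswith(SUSPICIOUS_SUFFIXES)


def triage(text, firewall_ip):
    """Split suspicious queries into those sent by the firewall itself and those sent by clients.

    Returns {"firewall": {name: count}, "clients": {src_ip: {name: count}}}.
    Only firewall-originated hits are consistent with IP address group resolution;
    any client entry points at a host that should be investigated.
    """
    firewall = defaultdict(int)
    clients = defaultdict(lambda: defaultdict(int))
    for q in parse_log(text):
        if not is_suspicious(q.name):
            continue
        if q.src == firewall_ip:
            firewall[q.name] += 1
        else:
            clients[q.src][q.name] += 1
    return {"firewall": dict(firewall), "clients": {s: dict(n) for s, n in clients.items()}}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG, firewall_ip="192.168.1.1")
    print("Firewall-originated suspicious queries:", report["firewall"])
    for src, names in report["clients"].items():
        print(f"Client {src} queried suspicious names:", names)
```

Run it against the saved debug log (replace SAMPLE_LOG with the file contents) once the DNS logging options have been enabled; if the clients section is empty, the queries are the firewall's own address-group resolution, which is the benign case the Information section describes.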