Hi,
if you enabled Suricata, it “intercepts” any traffic on the interfaces it has been configured to do so. Those are informational IPS hits because something queried a .cloud
domain, which might be suspicious depending on your environment.
Please refer to
- Lot of entries, what now? - #2 by pmueller (2nd post within that thread)
- Lot of entries, what now? - #5 by pmueller (5th post within that thread)
for further information on IPS rule selection as the original poster there is dealing with the same kind of IPS rule hits. Ignoring IP addresses should be the ultima ratio, as you cannot do so for certain IPS rules only - and you probably won’t allow your DNS server to bypass other IPS categories as well (C&C traffic via DNS tunnelling, et al.).
Another question: in common sense, we should change blacklist, whitelist by blocklist and allowlist
This is a touchy subject, and should be discussed within a dedicated thread, to keep this one focused on the technical issue.
Thanks, and best regards,
Peter Müller