Lots of entries, what now?

Hello,

I have a lot of entries like the ones you can see in the attached picture. What do I do now with the information provided by the IPS? What is causing this, or rather, how do I hunt it down?

My setup:

Internet-Modem/Router: 192.168.2.1
IPFire: 192.168.2.102, and 192.168.1.1 as the DHCP server
Pi-hole as a DNS server (entered in IPFire’s DHCP settings, too): 192.168.1.45
Pi-hole has 2 fixed DNS server entries pointing to the service provider’s IP addresses.

Hi,

well, those are “only” informational IPS hits. .biz domains tend to be suspicious, but your mileage may vary.

You could try tracking down those queries by searching IPFire’s DHCP server logs for active clients within that time range, and asking the users of those device(s) if they queried any .biz domain.

If those rules create too much noise, you might want to disable them. The informational category needs to be selected carefully in general, as it needs to be heavily customised to your environment in order not to cause too many false positives.

Thanks, and best regards,
Peter Müller


Thank you very much for your response!

Btw, I disabled all clients and I still got entries. I believe this is IPFire itself. If you remove all entries in the “Domain Name System” section, IPFire panics and tries to constantly contact the root DNS servers. If you enter your DNS IPs from your ISP, it connects to them although no client is requesting anything. You can also check this behavior in Status > Connections.

Not sure this behavior of IPFire is correct... maybe it’s just my system?

Hi,

Btw, I disabled all clients and I still got entries. I believe this is IPFire itself.

this may be due to DNS prefetching in order to reduce query delays after cached records have expired. In order to determine the exact query, you can enable logging of DNS queries within the unbound configuration. Make sure you disable it afterwards, as it is a huge information leak if those DNS logs fall into the wrong hands.

If you remove all entries in the “Domain Name System” section, IPFire panics and tries to constantly contact the root DNS servers.

This works as designed. If none of the configured DNS servers can be used, IPFire falls back into the so-called “recursor mode”. Anyway, it won’t solve your problem - and since the IPS rule triggers for generic DNS queries to .biz, I am not sure if there is even a problem.

I strongly recommend reading the IPS documentation in general and the IPS rule selection documentation in particular, and reviewing your current IPS rule selection afterwards.

As they say, a false sense of security is worse than no security at all. In my humble opinion, this applies to IPS rule selection as well - if it does not match your needs, it might create more problems than it aims to solve.

Thanks, and best regards,
Peter Müller
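One way to carry out both suggestions made above, correlating the IPS hits with the DHCP server logs to find the device behind a query, and reading the exact names out of unbound's query log once `log-queries: yes` has been set in its `server:` section, as an added example that is not part of this thread and not IPFire's own code. It assumes the log formats of Suricata's fast.log, ISC dhcpd's syslog lines and unbound's query log; every log line, address, MAC, hostname and the rule SID 1000001 below is a constructed placeholder, all three logs are assumed to use the same (UTC) clock, and the syslog year is assumed to be 2021. Alerts whose source is one of IPFire's own addresses are attributed to the firewall itself and matched against the unbound log, which is the case the OP describes; alerts from an address with no lease point at a host with a fixed IP such as the Pi-hole, whose own query log is then the next place to look.

```python
"""Attribute IPS hits on outgoing DNS queries to the device that caused them.

Correlates three logs found on an IPFire box: Suricata's fast.log (the IPS
alerts), the ISC dhcpd syslog lines (a DHCPACK records which MAC/hostname
held which IP at what time) and unbound's query log as written when
`log-queries: yes` is set. Every log line below is constructed sample data;
addresses, MACs, hostnames and the rule SID 1000001 are placeholders.
"""
import re
from datetime import datetime, timedelta, timezone

LOG_YEAR = 2021  # syslog lines carry no year; assumed for the sample data
FIREWALL_IPS = {"192.168.2.102", "192.168.1.1", "127.0.0.1"}  # IPFire's own red/green/loopback addresses

# Constructed sample logs (not taken from a real system).
DHCP_LOG = """\
Mar  3 09:58:10 ipfire dhcpd: DHCPACK on 192.168.1.50 to 00:11:22:33:44:55 (laptop-anna) via green0
Mar  3 10:01:42 ipfire dhcpd: DHCPACK on 192.168.1.51 to 66:77:88:99:aa:bb (android-tv) via green0
Mar  3 10:20:00 ipfire dhcpd: DHCPACK on 192.168.1.50 to cc:dd:ee:ff:00:11 via green0
"""
FAST_LOG = """\
03/03/2021-10:02:15.130000  [**] [1:1000001:1] LOCAL INFO DNS query for .biz TLD [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 192.168.1.45:40001 -> 203.0.113.53:53
03/03/2021-10:05:00.000000  [**] [1:1000001:1] LOCAL INFO DNS query for .biz TLD [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 192.168.1.51:53412 -> 198.51.100.1:53
03/03/2021-10:21:30.000000  [**] [1:1000001:1] LOCAL INFO DNS query for .biz TLD [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 192.168.1.50:53413 -> 198.51.100.1:53
03/03/2021-10:30:00.000000  [**] [1:1000001:1] LOCAL INFO DNS query for .biz TLD [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 192.168.2.102:40002 -> 203.0.113.53:53
"""
UNBOUND_LOG = """\
[1614765540] unbound[2345:0] info: 127.0.0.1 ntp.example.org. A IN
[1614767398] unbound[2345:0] info: 127.0.0.1 sample-domain.biz. A IN
"""

DHCP_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ dhcpd: "
    r"DHCPACK on (?P<ip>\S+) to (?P<mac>\S+)(?: \((?P<host>[^)]*)\))? via")
FAST_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d/\d{4}-\d\d:\d\d:\d\d\.\d{6})\s+\[\*\*\] \[(?P<sid>[\d:]+)\] "
    r"(?P<msg>.*?) \[\*\*\].*?\{(?P<proto>\w+)\} (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):\d+$")
UNBOUND_RE = re.compile(
    r"^\[(?P<epoch>\d+)\] unbound\[[\d:]+\] info: (?P<client>\S+) (?P<qname>\S+) (?P<qtype>\S+) \S+$")


def parse_dhcp_acks(text, year=LOG_YEAR):
    """Return DHCPACK events as (time, ip, mac, hostname), oldest first."""
    acks = []
    for line in text.splitlines():
        m = DHCP_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
            acks.append((ts, m["ip"], m["mac"].lower(), m["host"] or ""))
    return sorted(acks)


def parse_fast_log(text):
    """Return Suricata fast.log alerts as dicts with time, sid, msg, src and dst."""
    alerts = []
    for line in text.splitlines():
        m = FAST_RE.match(line)
        if m:
            alerts.append({"time": datetime.strptime(m["ts"], "%m/%d/%Y-%H:%M:%S.%f"),
                           "sid": m["sid"], "msg": m["msg"], "src": m["src"], "dst": m["dst"]})
    return alerts


def parse_unbound_queries(text):
    """Return unbound `log-queries` lines as (time, client, qname, qtype).
    The bracketed epoch timestamp is turned into naive UTC so it compares with the other logs."""
    queries = []
    for line in text.splitlines():
        m = UNBOUND_RE.match(line)
        if m:
            ts = datetime.fromtimestamp(int(m["epoch"]), tz=timezone.utc).replace(tzinfo=None)
            queries.append((ts, m["client"], m["qname"].rstrip("."), m["qtype"]))
    return queries


def lease_holder(acks, ip, at):
    """(mac, hostname) of the most recent DHCPACK for `ip` at or before `at`, or None if no lease."""
    holder = None
    for ts, lease_ip, mac, host in acks:  # acks are sorted, so the last match wins
        if lease_ip == ip and ts <= at:
            holder = (mac, host)
    return holder


def attribute_alert(alert, acks, firewall_ips=FIREWALL_IPS):
    """Say who sent the flagged query: the firewall itself, a DHCP client, or a fixed-IP host."""
    if alert["src"] in firewall_ips:
        return "firewall"
    holder = lease_holder(acks, alert["src"], alert["time"])
    if holder is None:
        return "static-host"  # e.g. the Pi-hole forwarding for its clients: check its own query log
    mac, host = holder
    return f"client {host or '?'} ({mac})"


def queries_near(queries, at, window=timedelta(seconds=5), tld=".biz"):
    """unbound queries for `tld` within `window` of `at`: the names behind a firewall-originated hit."""
    return [q for q in queries if abs(q[0] - at) <= window and q[2].endswith(tld)]


def investigate(fast_log=FAST_LOG, dhcp_log=DHCP_LOG, unbound_log=UNBOUND_LOG):
    """One row per alert: (time, source IP, attribution, matching unbound query names)."""
    acks = parse_dhcp_acks(dhcp_log)
    queries = parse_unbound_queries(unbound_log)
    report = []
    for alert in parse_fast_log(fast_log):
        who = attribute_alert(alert, acks)
        names = [q[2] for q in queries_near(queries, alert["time"])] if who == "firewall" else []
        report.append((alert["time"].isoformat(sep=" "), alert["src"], who, names))
    return report


if __name__ == "__main__":
    for row in investigate():
        print(*row)
```

To run it against a real box, pass the contents of the actual files to `investigate()` instead of the embedded samples (on IPFire the dhcpd lines are assumed to be in /var/log/messages and the alerts in /var/log/suricata/fast.log); the DHCP lease lookup deliberately takes the last DHCPACK before the alert, since an address can change hands within the retention period of the log, and a hit attributed to the firewall without a matching unbound query line within the window is a sign that the query log was not yet enabled when the hit occurred.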

Hi,

Thank you very much for your elaborations. I am using IPFire primarily to control what the clients are doing and not so much to have an absolutely safe environment. For this I don’t have the expertise. One mistake and you are screwed. If I keep the biggest security holes closed in the process I am already happy. Sensitive data is either not in the network or at least blocked from accessing the internet (e.g. NAS).

Thus, I would like to understand where strange requests are coming from to understand whether I have to do something about it or not. As I am using a Pi-hole to do the DNS part, is there a way to disable any DNS activity by IPFire (except for allowing the Pi-hole to route requests to the modem)?

Hi,

As I am using a Pi-hole to do the DNS part, is there a way to disable any DNS activity by IPFire (except for allowing the Pi-hole to route requests to the modem)?

not that I am aware of, since your IPFire machine needs to make some DNS requests as well, e.g. for time synchronisation or fetching the current KSK according to RFC 5011.

Thanks, and best regards,
Peter Müller