Uncensoreddns Suricata rule created June 13

Uncensoreddns.org has been "an IPFire officially recommended" DNS server for a few years.

Since June 13, I have been seeing these entries in my Suricata IPS logs:

ET INFO Observed DNS over HTTPS Domain (anycast .uncensoreddns .org in TLS SNI)
Priority: 3 Type: Misc activity

I am also getting a timeout error when clicking Check DNS Servers.


The corresponding Suricata rule shows the date created as 6/13:

https://threatintel.proofpoint.com/sid/2053665

Does anyone have background information on this Suricata rule, or on why it is showing up in the IPS logs?

If it is blocking HTTPS DoH, then it will also block DNS DoT.
That is the unfortunate side effect, from my understanding.
I would disable that Suricata rule, or not use that DNS provider.


Looks like June 13 was a busy day for DoH rules, something to do with CnCs??
Maybe it's time to notify the provider of "uncensored dns".

This is what he lists on the blog.

Now I know what CnC stands for: Command and Control.


I don't have those Suricata rules enabled, but I've been getting a certificate error for anycast.uncensoreddns for many days now.

Anyway, those info rules aren't always directly harmful traffic. Even Google's DNS over HTTPS is listed there, and some other legitimate services are too.


That looks like they have a problem with their TLS certificate. The Unbound logs might give a bit more detail on what the specific problem with their TLS certificate is.

Uncensoreddns needs to fix their certificate. It might be good if you contact them and let them know about the error you are experiencing, just in case they don't know that there is a problem.


The Unbound log doesn't show any errors, even when that service is the only one enabled.

I've been meaning to send a message to the admin but haven't got to it yet.

@Porkyle, did you get any response from the admin?

The Suricata rule is still blocking the anycast IP for Uncensored DNS:

ET INFO Observed DNS over HTTPS Domain (anycast .uncensoreddns .org in TLS SNI)
Priority: 3 Type: Misc activity

I did send a message to the uncensoreddns admin; the Unbound certificate error has been fixed for some time now, and the DNS server check gives OK.

If you use emerging-info.rules and the Uncensoreddns service, you have to manually disable the rules related to that server.

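One way to do the manual disabling described in the post above, as an added example that is not code from IPFire, Suricata or anyone in the thread: a small script that comments out every active rule in an emerging-info.rules file whose msg names a given domain (Suricata skips lines that begin with `#`). The sample rule lines inside it are constructed in the shape of ET info rules, not copied from the feed; only the two msg strings and SIDs for anycast.uncensoreddns.org follow what the thread reports.

```python
import re
import sys

# Constructed sample in the shape of ET "info.rules" entries (not the real
# feed text). The third rule uses a made-up domain as a negative case.
SAMPLE_RULES = """\
alert dns $HOME_NET any -> any any (msg:"ET INFO DNS Over HTTPS Domain CnC Domain in DNS Lookup (anycast .uncensoreddns .org)"; dns.query; content:"anycast.uncensoreddns.org"; nocase; classtype:misc-activity; sid:2053598; rev:1;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Observed DNS over HTTPS Domain (anycast .uncensoreddns .org in TLS SNI)"; flow:established,to_server; tls.sni; content:"anycast.uncensoreddns.org"; classtype:misc-activity; sid:2053665; rev:1;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Observed DNS over HTTPS Domain (dns .example .test in TLS SNI)"; flow:established,to_server; tls.sni; content:"dns.example.test"; classtype:misc-activity; sid:9999999; rev:1;)
"""

MSG_RE = re.compile(r'msg:"([^"]*)"')
SID_RE = re.compile(r'\bsid:(\d+);')


def _undefang(msg):
    # ET writes domains in msg text with a space before each dot
    # ("anycast .uncensoreddns .org"); restore the plain hostname.
    return msg.replace(" .", ".")


def disable_rules_for_domain(rules_text, domain):
    """Comment out every active rule whose msg names `domain`.

    Returns (new_text, disabled_sids). Lines that are already commented
    out, have no msg, or do not name the domain are passed through
    unchanged, so running this twice is harmless.
    """
    out, disabled = [], []
    for line in rules_text.splitlines():
        m = MSG_RE.search(line)
        if line.lstrip().startswith("#") or not m or domain not in _undefang(m.group(1)):
            out.append(line)
            continue
        s = SID_RE.search(line)
        disabled.append(int(s.group(1)) if s else None)
        out.append("# " + line)
    return "\n".join(out) + "\n", disabled


if __name__ == "__main__":
    # Usage: python disable_doh_rules.py <rules file> <domain>  (rewrites the file in place)
    path, domain = sys.argv[1], sys.argv[2]
    with open(path, encoding="utf-8") as fh:
        text, sids = disable_rules_for_domain(fh.read(), domain)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(text)
    print("disabled SIDs:", sids)
```

Because a rule-set update replaces the file, the change has to be re-applied after each update, or the same rules switched off through the IPS page's per-rule toggles instead.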

I was interested to know what his explanation was about the ET rule; something must have triggered them to create a special rule just for his server.

I didn't ask, and most likely he has no idea why. The best place to ask would be Emerging Threats. Maybe they are adding every TLS DNS service eventually.