BotNet Filter and OpenDNS

Mar 10th, 2010

We are running a trial of the ASA 8.2 BotNet Filter on our production ASA.  In the alerts we keep getting notices of a Very High alert for  When we look it up we end up seeing that it resolves as  Our hunch is that this is traffic that would have been malicious, but that since we use OpenDNS to do some filtering it's returning its own address.

Has anyone else run into this?



Panos Kampanakis Wed, 03/10/2010 - 13:46


If you are using OpenDNS and you have your bots DNS-ing out to it for some bad sites that OpenDNS doesn't know, it will send back its own IP (and then show you its "block/don't know" page). When the ASA sees that IP, it flags it for the URL that the DNS went out for, and thus OpenDNS will be flagged as malicious. There is not much hope if you use OpenDNS, because whenever a bot accesses a site that OpenDNS doesn't know, it will be flagged and blocked, which will then block your OpenDNS.

I hope it helps.
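
A triage sketch for the situation described in this thread, added here as an example and not part of the original posts or any Cisco tooling: it groups Botnet Filter hits by destination address and treats an address that several different blacklisted names resolved to as the DNS filter's own block-page address, while still listing the inside clients that made the lookups. The record layout, the `triage` function, the `min_names` threshold and all sample values are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample records, not real alerts. Each tuple is
# (inside client, blacklisted name seen in the snooped DNS reply,
#  address the resolver answered with). Names use .example and
# addresses come from the documentation ranges.
SAMPLE_ALERTS = [
    ("10.0.0.21", "c2-a.example", "192.0.2.10"),
    ("10.0.0.21", "c2-b.example", "192.0.2.10"),
    ("10.0.0.35", "dropper.example", "192.0.2.10"),
    ("10.0.0.35", "c2-a.example", "192.0.2.10"),
    ("10.0.0.48", "lone-bad.example", "203.0.113.77"),
]


def triage(alerts, min_names=3, known_block_ips=frozenset()):
    """Split alerted destination IPs into two buckets.

    block_page: the address is listed in known_block_ips, or at least
                min_names distinct blacklisted names resolved to it
                (a heuristic: a filtering resolver answers every blocked
                name with the same address).
    direct:     everything else, i.e. a name that resolved to its own
                address.
    Both buckets keep the inside clients, because a client that looked
    up a blacklisted name is worth investigating either way.
    """
    names_by_ip = defaultdict(set)
    clients_by_ip = defaultdict(set)
    for client, name, ip in alerts:
        names_by_ip[ip].add(name.lower())
        clients_by_ip[ip].add(client)

    report = {"block_page": {}, "direct": {}}
    for ip, names in names_by_ip.items():
        shared = ip in known_block_ips or len(names) >= min_names
        bucket = "block_page" if shared else "direct"
        report[bucket][ip] = {
            "names": sorted(names),
            "clients": sorted(clients_by_ip[ip]),
        }
    return report


if __name__ == "__main__":
    for bucket, entries in triage(SAMPLE_ALERTS).items():
        for ip, info in entries.items():
            print(bucket, ip, info["names"], info["clients"])
```
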


