
Cisco Firepower - BLACKLIST DNS reverse lookup

ohareka70
Level 3

Hi,

I have a Cisco Firepower module installed in my Cisco 5585 firewall. I have started getting these messages over the last week but don't know where they originate from.

Subject: **Auto Generated Email** -- [1:31600:1] "BLACKLIST DNS reverse lookup response for known malware domain spheral.ru - Win.Trojan.Glupteba" [Impact: Vulnerable]

 

[1:31600:1] "BLACKLIST DNS reverse lookup response for known malware domain spheral.ru - Win.Trojan.Glupteba" [Impact: Vulnerable] From "firepowerw.MYNETWORK.net" at Wed Aug 16 14:32:13 2017 UTC [Classification: A Network Trojan was Detected] [Priority: 1] {udp} 1.2.3.4:53 (united kingdom)->192.1.2.3:21941 (unknown)

This is a DNS address external to my network from my internet provider - 1.2.3.4:53

This is on my DMZ - 192.1.2.3:21941 (unknown) - it's an ISA server

Any ideas where to start?

Thanks, Kevin

1 Reply

I have the same problem.
Someone inside your network queries your DNS for this domain.
Your DNS does not know about this domain and queries outside DNS.
Firepower catches the DNS query from your DNS server to outside DNS servers.
So I think you should enable logging on your DNS server and search there for who from your internal network makes this query.
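
A sketch of the log search suggested in the reply, as an added example that is not part of the original thread. Since the alert text refers to a reverse lookup response, it looks for client PTR queries close to the alert time as well as queries naming the domain. The line layout is assumed to follow the Windows DNS Server debug log; the sample lines, the internal client addresses and the function names are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines (assumed Windows DNS Server debug-log layout).
SAMPLE_LOG = """\
8/16/2017 2:31:58 PM 0E9C PACKET  000000D5C4A8B2F0 UDP Rcv 10.10.5.21      3f2a   Q [0001   D   NOERROR] A      (3)www(7)example(3)com(0)
8/16/2017 2:32:12 PM 0E9C PACKET  000000D5C4A8B3A0 UDP Rcv 10.10.5.44      91c0   Q [0001   D   NOERROR] PTR    (2)10(1)0(3)113(3)203(7)in-addr(4)arpa(0)
8/16/2017 2:32:12 PM 0E9C PACKET  000000D5C4A8B3A0 UDP Snd 1.2.3.4         7d11   Q [0001   D   NOERROR] PTR    (2)10(1)0(3)113(3)203(7)in-addr(4)arpa(0)
8/16/2017 2:32:13 PM 0E9C PACKET  000000D5C4A8B3A0 UDP Snd 10.10.5.44      91c0 R Q [8081   DR  NOERROR] PTR    (2)10(1)0(3)113(3)203(7)in-addr(4)arpa(0)
8/16/2017 3:10:40 PM 0E9C PACKET  000000D5C4A8B410 UDP Rcv 10.10.5.77      0b6e   Q [0001   D   NOERROR] PTR    (1)9(1)8(1)7(2)10(7)in-addr(4)arpa(0)
"""

LINE = re.compile(
    r"^(?P<ts>\S+ \S+ [AP]M) \S+ PACKET\s+\S+ (?:UDP|TCP) (?P<dir>Rcv|Snd) "
    r"(?P<ip>\S+)\s+\S+\s+(?P<resp>R)?\s*Q \[.*?\]\s+(?P<qtype>\S+)\s+(?P<name>\S+)$"
)

def decode(name):
    """Turn the log's length-prefixed form '(3)www(7)example(3)com(0)' into 'www.example.com'."""
    return re.sub(r"\(\d+\)", ".", name).strip(".")

def suspects(log_text, domain, alert_time, window_s=30):
    """Return {client_ip: [(timestamp, qtype, qname), ...]} for queries received
    from clients that name the domain, or are PTR lookups within window_s of the alert.
    alert_time must be in the same time zone the DNS server logs in."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m or m["dir"] != "Rcv" or m["resp"]:
            continue  # skip sends and upstream responses; keep client queries only
        qname = decode(m["name"]).lower()
        ts = datetime.strptime(m["ts"], "%m/%d/%Y %I:%M:%S %p")
        near = abs((ts - alert_time).total_seconds()) <= window_s
        named = qname == domain or qname.endswith("." + domain)
        if named or (m["qtype"] == "PTR" and near):
            hits[m["ip"]].append((ts, m["qtype"], qname))
    return dict(hits)

if __name__ == "__main__":
    # Alert time taken from the email above; the sample log is assumed to be in UTC.
    for ip, rows in suspects(SAMPLE_LOG, "spheral.ru", datetime(2017, 8, 16, 14, 32, 13)).items():
        print(ip, rows)
```
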