Community Member

BotNet Filter and OpenDNS

We are running a trial of the ASA 8.2 BotNet Filter on our production ASA.  In the alerts we keep getting notices of a Very High alert for 208.69.36.132.  When we look it up we end up seeing that it resolves as hit-nxdomain.opendns.com.  Our hunch is that this is traffic that would have been malicious, but that since we use OpenDNS to do some filtering it's returning its own address.

Has anyone else run into this?

Thanks,

Ben

Cisco Employee

Re: BotNet Filter and OpenDNS

Yes.

If you are using OpenDNS and you have your bots DNS-ing out to it for some bad sites that OpenDNS doesn't know, it will send back its own IP (and then show you its "block/don't know" page). When the ASA sees that IP, it flags it for the URL that the DNS went out for, and thus OpenDNS will be flagged as malicious. There is not much hope if you use OpenDNS, because whenever a bot accesses a site that OpenDNS doesn't know, it will be flagged and blocked, which will then block your OpenDNS.

I hope it helps.

PK
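
Added example, not part of the thread and not Cisco code: a small triage script that models the name-to-IP binding described in the reply and separates a resolver redirect address (one IP returned for many unrelated blacklisted names) from an address tied to a single listed name. The input tuples, the `.example` names, the 10.x and 198.51.100.x addresses and the `min_names` threshold are assumptions; only 208.69.36.132 comes from the post.

```python
from collections import defaultdict

# Constructed sample: (internal client, blacklisted name queried, A record in the reply).
# In practice these would be extracted from DNS or firewall logs (format not shown here).
OBSERVATIONS = [
    ("10.1.1.20", "c2-alpha.example", "208.69.36.132"),
    ("10.1.1.20", "c2-bravo.example", "208.69.36.132"),
    ("10.1.1.31", "dga-x1.example", "208.69.36.132"),
    ("10.1.1.31", "dropzone.example", "198.51.100.7"),
    ("10.1.1.44", "dropzone.example", "198.51.100.7"),
    ("10.1.1.44", "c2-charlie.example", "208.69.36.132"),
]


def registered_domain(name):
    """Crude last-two-labels grouping; a real tool would use the public suffix list."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])


def bind_answers(observations):
    """Model the binding from the reply: answer IP -> names it was returned for."""
    names_by_ip = defaultdict(set)
    clients_by_ip = defaultdict(set)
    for client, name, ip in observations:
        names_by_ip[ip].add(registered_domain(name))
        clients_by_ip[ip].add(client)
    return names_by_ip, clients_by_ip


def classify(observations, min_names=3):
    """Label each flagged IP. min_names is an assumed threshold, tune it locally."""
    names_by_ip, clients_by_ip = bind_answers(observations)
    report = {}
    for ip, names in names_by_ip.items():
        # One IP answering for many unrelated listed names points at the resolver's
        # own landing address, not at the infrastructure behind any one name.
        kind = "resolver-redirect" if len(names) >= min_names else "review-as-listed"
        report[ip] = {
            "kind": kind,
            "names": sorted(names),
            # These clients still asked for listed names, so they are the lead.
            "clients": sorted(clients_by_ip[ip]),
        }
    return report


if __name__ == "__main__":
    for ip, info in classify(OBSERVATIONS).items():
        print(ip, info["kind"], info["names"], info["clients"])
```

An address labelled `resolver-redirect` says little about the destination itself, but the clients listed beside it are the hosts that queried blacklisted names and are worth examining.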
