Forum Discussion
Traffic to external IPs over port 3389 (RDP) after installing ATP sensor
piovisqui So the DC initiated a DNS query to an external address on port UDP 53?
Do you happen to know what the query was (if you managed to capture the data)?
Do you know for sure that the request came from the sensor process?
In general, this can happen only if the DC previously got some sort of connection from this address.
EliOfek Eli, we are seeing the same situation here. Our DCs are performing Internet DNS lookups for our clients, and the DCs attempt to perform NNR on all the root servers they talk to. It's filling up our firewall logs with inappropriate traffic from these DCs. These DCs only perform DNS services for internal clients, so there is no traffic initiated from public IPs. If there is a way to configure it so it will ignore this traffic that the DC initiates itself, that would be great.
- RossWalker, Jul 23, 2024, Copper Contributor
EliOfek OK, I opened a support case (2406270040007767) and after about a month of back and forth I have been told by the team at CONVERGYS CORPORATION that this behavior is normal and expected, so somebody doesn't know how the product works.
- EliOfek, Jun 30, 2024, Microsoft
RossWalker No, in general this shouldn't happen.
The sensor is programmed to react only, meaning it will only issue NNR to a device that opened any connection to the DC.
I suggest doing a capture on one of those machines to correlate such outgoing requests to internet name servers, and check in the seconds before that what kind of traffic the target name server issued to the DC/sensor.
- RossWalker, Jun 27, 2024, Copper Contributor
I'll open a ticket, but these days support isn't much use. My tickets seem to go into the pay-me-no-mind folder. Excluding won't work because there are an infinite number of possible name servers on the Internet. We would have to exclude all IP blocks except the RFC1918 blocks. I'm surprised more people haven't seen this? Are the Internet name servers being slammed by NTLM/NetBIOS/RDP traffic unnecessarily?
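The correlation EliOfek suggests, as an added example that is not from this thread or from Microsoft: it walks a constructed connection log (the line format is assumed) and, for every packet the DC sends to a non-RFC1918 address on an NNR port, reports the most recent packet that address sent to the DC within a short window, so probes with no prior inbound traffic stand out. The NNR ports (TCP 135, UDP 137, TCP 3389) and the 10-second window are assumptions.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Ports the sensor uses for NNR probes (assumed: NTLM over RPC, NetBIOS name service, RDP)
NNR_PORTS = {("tcp", 135), ("udp", 137), ("tcp", 3389)}
# "Public" here means outside RFC1918, the exclusion RossWalker describes in the thread
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_line(line: str) -> Optional[Tuple[float, str, str, int, str, int]]:
    """Parse 'ts proto src:sport dst:dport' (constructed format); '#' starts a comment."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    ts, proto, src, dst = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return float(ts), proto.lower(), sip, int(sport), dip, int(dport)

def is_public(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in RFC1918)

def correlate_nnr(lines: List[str], dc_ip: str, window: float = 10.0):
    """For each NNR-port packet from dc_ip to a public IP, return the most recent packet that
    IP sent to the DC within `window` seconds (the likely trigger), or None if there was none."""
    events = sorted(e for e in map(parse_line, lines) if e is not None)
    last_inbound: Dict[str, Tuple[float, str, int]] = {}
    findings = []
    for ts, proto, sip, sport, dip, dport in events:
        if dip == dc_ip:
            last_inbound[sip] = (ts, proto, dport)  # remember who talked to the DC, and when
        elif sip == dc_ip and (proto, dport) in NNR_PORTS and is_public(dip):
            trigger = last_inbound.get(dip)
            if trigger is not None and ts - trigger[0] > window:
                trigger = None  # too old to explain this probe
            findings.append((ts, dip, dport, trigger))
    return findings

# Constructed sample: the DC forwards a recursive query, gets the reply, then probes the server.
SAMPLE_LOG = """
10.0 udp 10.0.0.5:54321 203.0.113.4:53      # DC sends recursive query to a public name server
10.2 udp 203.0.113.4:53 10.0.0.5:54321      # reply arrives: inbound packet from that server
10.3 tcp 10.0.0.5:49876 203.0.113.4:135     # sensor NNR probe, NTLM over RPC
10.4 udp 10.0.0.5:137 203.0.113.4:137       # sensor NNR probe, NetBIOS
10.5 tcp 10.0.0.5:49877 203.0.113.4:3389    # sensor NNR probe, RDP
10.6 tcp 10.0.0.5:49878 10.0.0.22:135       # internal NNR, not reported
50.0 tcp 10.0.0.5:49900 198.51.100.9:3389   # no prior inbound from this IP: unexplained
"""
```

Probes whose trigger is None are the ones worth chasing in the capture, since the thread says the sensor should only react to hosts that already talked to the DC.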
- EliOfek, Jun 27, 2024, Microsoft
RossWalker Open a support case. If you want to block specific subnets from NNR from your workspace sensors, it's possible via special config in the backend.