0

We have an Active Directory EC2 server on AWS US East region that has DNS enabled to resolve only internal hostnames. It is not reachable from any hosts on the public internet. Recently we enabled an AWS service called GuardDuty for threat detection and it flagged a finding which indicated our DNS server communicated to a DNS server in Australia (nslookup/whois/nmap all helped to quickly determine the server in AU is indeed a DNS server).

Does anyone know why an internal DNS server would communicate to an external DNS server? Is this normal or does it indicate a problem that might uncover something very bad?

Appreciate any inputs. Thanks!

Lego
  • 103
  • 2
  • 1
    *"...has DNS enabled to resolve only internal hostnames"* - is this only your intention that it should be used for internal hostnames only or is that an actual restriction in the server that it is only able to resolve internal names. What happens if someone tries to resolve a name using this server where the domain is not available locally? – Steffen Ullrich Feb 10 '20 at 18:57
  • The intention is for other hosts in the environment to resolve their names using this internal DNS server. Of course, we also expect these DNS clients to resolve public hostnames through our DNS server to download a package from the internet etc. – Lego Feb 10 '20 at 19:03
  • *"... we also expect these DNS clients to resolve public hostnames through our DNS server ..."* - and how do you expect this DNS server to resolve external names? Do you have a fixed DNS forwarder setup or do you expect your DNS to recursively resolve the domains itself, i.e. starting with the root name servers? Could it be that this is actually what you see? And how is port 53 unusual for DNS, this is actually the port reserved for DNS? – Steffen Ullrich Feb 10 '20 at 19:11
  • Thanks for these incisive questions. We do not have a forwarder setup. It does seem it recursively resolves the domain names (for public DNS names). The threat application in this case has only flagged an alert because our internal DNS server (in US) did contact a DNS server in Australia for reasons unknown. There are no applications running on this server except Microsoft AD/DNS. This is quite unusual why a lookup would go to a server across the other side of the world. A simple whois on the server gives ns2.apnic.net. – Lego Feb 10 '20 at 20:05
  • *"This is quite unusual why a lookup would go to a server across the other side of the world."* - it depends. To recursively resolve an external domain it needs to contact the DNS servers responsible for this domain starting with the root servers. And such DNS servers can be all over the world - it depends on the domain to resolve. If you don't want to have such strange traffic use a specific DNS forwarder instead of doing your own recursive resolving. – Steffen Ullrich Feb 10 '20 at 20:12
  • Thanks. Appreciate the input. – Lego Feb 10 '20 at 20:55

1 Answer

3

Based on the setup described in the question and comments this kind of traffic is likely innocent. You seem to run a DNS server which recursively resolves the domains. In order to resolve a domain it would need to query multiple DNS servers, starting with the root servers. The DNS servers which are queried might be all around the world, depending on the domain which needs to be resolved. And it might for example be a simple typo in the domain name which makes the DNS server visit strange locations which are usually not visited.

If you don't want to have this kind of traffic you might configure a fixed forwarding DNS which does all the resolving. Any DNS traffic which is not sent to this forwarder can be considered suspicious then.

Steffen Ullrich
  • 184,332
  • 29
  • 363
  • 424
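As an added example (not part of the question or of this answer), here is the check the last paragraph of the answer suggests: given AWS VPC Flow Logs for the DNS server's network interface, flag any flow the server itself sends to port 53 of a host other than the configured forwarder. The server address, forwarder address and log lines are constructed placeholders, not values from the original post.

```python
import ipaddress

# Constructed placeholder addresses; substitute your own.
DNS_SERVER_IP = "10.0.1.10"        # the internal AD/DNS server
ALLOWED_FORWARDERS = {"10.0.0.2"}  # the fixed forwarder (here the VPC resolver at base+2)
DNS_PORT = 53
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Default VPC Flow Log record layout (version 2, space-separated, 14 fields).
FIELDS = ["version", "account", "eni", "srcaddr", "dstaddr", "srcport", "dstport",
          "protocol", "packets", "bytes", "start", "end", "action", "status"]

def parse_flow_record(line):
    """Parse one default-format flow log line; return None for NODATA/SKIPDATA or malformed lines."""
    parts = line.split()
    if len(parts) != len(FIELDS) or parts[3] == "-":
        return None
    rec = dict(zip(FIELDS, parts))
    rec["srcport"] = int(rec["srcport"])
    rec["dstport"] = int(rec["dstport"])
    dst = ipaddress.ip_address(rec["dstaddr"])
    rec["dst_internal"] = any(dst in net for net in RFC1918)
    return rec

def flagged_dns_egress(lines, dns_server=DNS_SERVER_IP, forwarders=ALLOWED_FORWARDERS):
    """Return outbound port-53 flows from the DNS server whose destination is not an allowed forwarder."""
    findings = []
    for line in lines:
        rec = parse_flow_record(line)
        if rec is None:
            continue
        # Only traffic the resolver itself originates towards port 53 matters here;
        # client queries arriving at the resolver (dstaddr == dns_server) are normal.
        if rec["srcaddr"] != dns_server or rec["dstport"] != DNS_PORT:
            continue
        if rec["dstaddr"] in forwarders:
            continue  # expected path once a fixed forwarder is configured
        findings.append(rec)
    return findings

# Constructed sample records: 10.0.2.15 is a client, 203.0.113.25 stands in for an external name server.
SAMPLE_FLOW_LOG = [
    "2 123456789012 eni-0a1b2c3d 10.0.1.10 10.0.0.2 53211 53 17 1 72 1581364620 1581364680 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 10.0.1.10 203.0.113.25 53212 53 17 1 80 1581364620 1581364680 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 10.0.2.15 10.0.1.10 49152 53 17 1 64 1581364620 1581364680 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d - - - - - - - 1581364620 1581364680 - NODATA",
]

if __name__ == "__main__":
    for f in flagged_dns_egress(SAMPLE_FLOW_LOG):
        print(f"suspicious DNS egress: {f['srcaddr']} -> {f['dstaddr']}:{f['dstport']} internal={f['dst_internal']}")
```

Without a forwarder every external destination is flagged, which is the noise the answer describes; with one, the list should normally be empty.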