Only getting Router IP back in logs instead of source IP
Twizz728
Newbie ✭
Hello all,
I have a TZ400 and I've started seeing a lot of DNS Resolution fails and domain blocks on my SonicWALL and they're coming from my Guest WiFi interface that I have setup. The problem is, when I check back through my logs I see the source IP address as the Guest WiFi's router. It never shows the source IP, only the address of the router. Is there a way for me to see which device is for sure making the request?
Thanks!
Category: Entry Level Firewalls
Tagged:
0
Best Answer
-
Twizz728 Newbie ✭
Just as an update to this. I turned off the FQDN Dynamic list and my malicious hit count went down.
0
Answers
@Twizz728 if your Guest Router is doing NAT you're out of luck, maybe you can leave DNS unnatted?
If NAT is not involved you could publish the TZ 400 (DNS Proxy) or Google DNS as your DNS Resolver to the Guests instead of your Guest Router IP to see what's going on.
--Michael@BWC
@BWC let me ask you this. Does there even need to be a router on this interface? Could I simply put a switch there and let the SonicWALL handle DHCP and everything else? I feel like the only reason I added the router in between the SonicWALL and the switch was because it wouldn't give IP assignment unless the router was plugged up.
Thanks!
@Twizz728 sure thing, use a Network Zone of your liking (maybe Guests), assign a Network Interface to that zone with your IP subnet and create a DHCP Pool for that subnet. Attach the Switch on that port and you will be good to go.
--Michael@BWC
Thank you @BWC
I will update my SonicWALL and remove the router. I want to explain the situation I'm having because you might have some insight into this.
My SonicWALL is setup to point to 2 specific DNS Servers that monitor and log all the DNS requests. I then receive a report from my vendor every couple days that details if anything malicious DNS request were made. Normally I have 50 - 500 requests in a weeks time but last week this spiked to 1.5 Million malicious requests. I can go into my SonicWALL and I luckily had some of these sites listed in my CFS list so I looked to see which endpoint was doing the requests and it came back to the Router on my guest network. I can't determine the correct endpoint until I get the NAT situation fixed, but I have a question in all of this. A spike of 1.5 Million requests seems like overkill and according to my vendor in their own words "The cause could be that my SonicWALL has the capability to perform dynamic deny listing based on FQDN" They recommend that the DNS resolvers on my SonicWALL be directed to another DNS provider, such as my ISP or Google (8.8.8.8), and not be sent to the reporting service. They also wanted me to ensure that if my perimeter devices are using an internal DNS server as a resolver that points to this reporting service that I update the DNS as well.
Currently I have my DNS setting on my SonicWALL pointing to their DNS servers. I have content filtering turned on and have a CFS block list and I also setup a FQDN object to block that points to a text file I have on an FTP server. So I point my SonicWALL to their DNS Server, I use the CFS, and also have the FQDN Dynamic list turned on. Is there a chance that these malicious requests are bogus and the cause of the FQDN list being enabled? I did receive a notification from my Firewall last week that someone had installed a malicious program on their laptop on my guest network. It was at that time that I enabled the FQDN Service on the SonicWALL, so I'm not for sure if this person has a program on their device that is constantly calling out to malicious sites, or if this is because of the service I turned on. My thoughts were to turn off the FQDN service to see if the reporting goes down next week.