Endpoint Protection


SEP blocking traffic to DNS server.

  • 1.  SEP blocking traffic to DNS server.

    Posted Sep 01, 2015 01:27 PM

    When looking at the Network Threat Protection logs I noticed that several machines on our domain (Local Host) are blocking outbound traffic to our DNS server (Remote Host), causing them to hit 8.8.8.8, which is google-public-dns-a.google.com. Why would SEP be blocking this traffic? We are on 12.1 RU6.



  • 2.  RE: SEP blocking traffic to DNS server.

    Posted Sep 01, 2015 04:19 PM

    Bump



  • 3.  RE: SEP blocking traffic to DNS server.

    Posted Sep 01, 2015 04:32 PM

    Well it depends on the rule name but if I recall it falls under 'Block all other IP traffic and log'. If you feel this should be unblocked you will need to create a rule to allow it.



  • 4.  RE: SEP blocking traffic to DNS server.

    Posted Sep 01, 2015 04:36 PM

    Yes, it is under "Block all other IP traffic and log". What exactly does "Block all other IP traffic and log" do, and why isn't this happening for all of my machines?



  • 5.  RE: SEP blocking traffic to DNS server.

    Posted Sep 01, 2015 04:39 PM

    If any traffic doesn't match the previous rules, it will get caught by this rule and action taken.

    Not sure, do you have different policies applied? Do you have some sort of other filtering in place? Are these machines configured with a static DNS of 8.8.8.8? I assume you don't want them using Google DNS?

    ICMP type 3 code 3 means destination unreachable, so they can't talk to 8.8.8.8.

    Ideally they should be configured to use your internal DNS server not google.
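    The point made in this reply (traffic that matches none of the earlier rules falls through to the catch-all, which blocks it and writes the Traffic log entry) is easiest to see with a first-match simulation. The following is an added example, not code from the thread or from Symantec, and it models a simplified policy rather than SEP's real rule engine; the internal resolver address 10.0.0.53 and the sample packets are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed model of a first-match firewall policy (assumption: this is a
# simplified illustration, not SEP's actual rule engine or data model).


@dataclass(frozen=True)
class Packet:
    proto: str                      # "UDP", "TCP" or "ICMP"
    direction: str                  # "out" (endpoint -> remote) or "in"
    remote_host: str
    remote_port: Optional[int] = None
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                     # "allow" or "block"
    log: bool = False
    proto: Optional[str] = None     # None on any field means "match anything"
    direction: Optional[str] = None
    remote_host: Optional[str] = None
    remote_port: Optional[int] = None
    icmp_type: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        checks = [
            (self.proto, pkt.proto),
            (self.direction, pkt.direction),
            (self.remote_host, pkt.remote_host),
            (self.remote_port, pkt.remote_port),
            (self.icmp_type, pkt.icmp_type),
        ]
        return all(want is None or want == got for want, got in checks)


def evaluate(rules: List[Rule], pkt: Packet) -> Rule:
    """Return the first rule that matches; the catch-all must be last."""
    for rule in rules:
        if rule.matches(pkt):
            return rule
    raise ValueError("policy has no catch-all rule")


INTERNAL_DNS = "10.0.0.53"   # constructed address for the internal resolver

CATCH_ALL = Rule("Block all other IP traffic and log", "block", log=True)
ALLOW_ICMP_UNREACH = Rule("Allow ICMP destination unreachable", "allow",
                          proto="ICMP", direction="in", icmp_type=3)
ALLOW_INTERNAL_DNS = Rule("Allow DNS to internal resolver", "allow",
                          proto="UDP", direction="out",
                          remote_host=INTERNAL_DNS, remote_port=53)

# Policy that has no allow rule for DNS above the catch-all.
POLICY_MISSING_DNS = [ALLOW_ICMP_UNREACH, CATCH_ALL]
# Corrected policy: the explicit allow sits above the catch-all.
POLICY_FIXED = [ALLOW_ICMP_UNREACH, ALLOW_INTERNAL_DNS, CATCH_ALL]


def logged_blocks(rules: List[Rule], packets: List[Packet]) -> List[Tuple[str, str, str]]:
    """Simulate the Traffic log: entries only for rules that block AND log."""
    entries = []
    for pkt in packets:
        rule = evaluate(rules, pkt)
        if rule.action == "block" and rule.log:
            entries.append((rule.name, pkt.proto, pkt.remote_host))
    return entries


# Constructed sample traffic: a lookup to the internal resolver, an ICMP
# type 3 code 3 reply, and a fallback lookup to 8.8.8.8.
SAMPLE_TRAFFIC = [
    Packet("UDP", "out", INTERNAL_DNS, remote_port=53),
    Packet("ICMP", "in", INTERNAL_DNS, icmp_type=3, icmp_code=3),
    Packet("UDP", "out", "8.8.8.8", remote_port=53),
]

if __name__ == "__main__":
    for label, policy in (("missing", POLICY_MISSING_DNS), ("fixed", POLICY_FIXED)):
        print(label, logged_blocks(policy, SAMPLE_TRAFFIC))
```

With the allow rule missing, both DNS packets land on the catch-all and show up in the log under its name, which is exactly the entry the original poster saw; once the allow rule is placed above the catch-all, only the lookup to 8.8.8.8 is still blocked and logged, which is the entry you would want to keep seeing.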



  • 6.  RE: SEP blocking traffic to DNS server.

    Posted Sep 01, 2015 04:46 PM

    No, we saw traffic going to Google DNS 8.8.8.8, which let us know something is wrong. That made me check the Network Threat Protection logs, only to find the rule blocking traffic to our DNS showing, which leaves me confused as to why the machine gives the error "ICMP type 3 code 3 means destination unreachable" when our internal DNS is reachable. And no, we do not have static DNS set up.
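    The observation in this reply (blocked lookups to the internal resolver on some hosts, followed by lookups to 8.8.8.8) is the pattern worth hunting for across an exported Traffic log. The script below is an added example written for this thread, not code from the original poster or from Symantec. It assumes a CSV export with the column names shown in the constructed sample (the real export may name or order columns differently), and 10.0.0.53 stands in for the site's internal resolver.

```python
import csv
import io
from collections import defaultdict
from typing import Dict, List

INTERNAL_DNS = "10.0.0.53"                  # constructed; put the real resolver here
PUBLIC_RESOLVERS = {"8.8.8.8", "8.8.4.4"}   # Google public DNS, as seen in the thread

# Constructed sample in the shape of an exported traffic log. The column names
# are an assumption for this example, not SEP's exact export format.
SAMPLE_LOG = """\
Time,Action,Direction,Protocol,Remote Host,Remote Port,Local Host,Rule
2015-09-01 13:01:02,Blocked,Outgoing,UDP,10.0.0.53,53,10.0.1.17,Block all other IP traffic and log
2015-09-01 13:01:03,Allowed,Outgoing,UDP,8.8.8.8,53,10.0.1.17,Allow all other IP traffic
2015-09-01 13:01:05,Allowed,Outgoing,UDP,10.0.0.53,53,10.0.1.22,Allow DNS
2015-09-01 13:02:10,Blocked,Outgoing,UDP,10.0.0.53,53,10.0.1.17,Block all other IP traffic and log
2015-09-01 13:02:11,Blocked,Outgoing,UDP,8.8.8.8,53,10.0.1.30,Block all other IP traffic and log
"""


def triage_dns(log_text: str) -> Dict[str, dict]:
    """Per local host: blocked lookups to the internal resolver, lookups
    (allowed or blocked) sent to public resolvers, and the rules that blocked."""
    stats = defaultdict(lambda: {"internal_blocked": 0,
                                 "public_attempts": 0,
                                 "blocking_rules": set()})
    for row in csv.DictReader(io.StringIO(log_text)):
        # Only outbound UDP/53 is of interest here.
        if row["Protocol"] != "UDP" or row["Remote Port"] != "53":
            continue
        host = stats[row["Local Host"]]
        remote = row["Remote Host"]
        if remote == INTERNAL_DNS and row["Action"] == "Blocked":
            host["internal_blocked"] += 1
            host["blocking_rules"].add(row["Rule"])
        elif remote in PUBLIC_RESOLVERS:
            host["public_attempts"] += 1
    return dict(stats)


def hosts_to_investigate(log_text: str) -> List[str]:
    """Hosts whose internal DNS was blocked AND that then tried a public resolver."""
    return sorted(h for h, s in triage_dns(log_text).items()
                  if s["internal_blocked"] and s["public_attempts"])


if __name__ == "__main__":
    for host, s in sorted(triage_dns(SAMPLE_LOG).items()):
        print(host, s["internal_blocked"], s["public_attempts"], sorted(s["blocking_rules"]))
    print("investigate:", hosts_to_investigate(SAMPLE_LOG))
```

Run against a real export, the list from `hosts_to_investigate` is the set of machines to compare policy assignment on (and, per the later replies, to check for infection), while hosts that only show public-resolver attempts without an internal block point at a different cause such as a locally configured resolver.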



  • 7.  RE: SEP blocking traffic to DNS server.

    Posted Sep 01, 2015 04:47 PM

    Start up a packet capture and watch the traffic. This should give you more info as to what's going on. Perhaps you have an infected machine.



  • 8.  RE: SEP blocking traffic to DNS server.

    Posted Sep 01, 2015 04:55 PM

    Now I'm thinking that could be the case, because the machine was infected and I did have to clean it. But even after cleaning I saw the blocking of our DNS in the logs.



  • 9.  RE: SEP blocking traffic to DNS server.

    Posted Sep 02, 2015 09:15 AM

    I would definitely verify this first.



  • 10.  RE: SEP blocking traffic to DNS server.

    Broadcom Employee
    Posted Sep 02, 2015 10:52 AM

    From the affected machine, attach NTP --> Traffic logs; we would like to dig into it.

    ICMP type 3 traffic is blocked by default in the firewall policy and can be enabled as well.



  • 11.  RE: SEP blocking traffic to DNS server.

    Posted Sep 02, 2015 11:14 AM

    Here is the log for the last 24 hours.

    Attachment: NTP_Log.xlsx (13 KB)


  • 12.  RE: SEP blocking traffic to DNS server.

    Broadcom Employee
    Posted Sep 02, 2015 11:50 AM

    Thanks for the logs. Before we do any further analysis, could you verify the system is not affected by a known issue:

    DNS traffic may be blocked at client when Endpoint Protection is installed

    http://www.symantec.com/docs/TECH231751



  • 13.  RE: SEP blocking traffic to DNS server.

    Posted Sep 02, 2015 02:10 PM

    I have read the article, and we are already running 12.1 RU6, so this issue should be fixed. And we do have Smart DNS enabled.