MX - Suspicious .win dns query

SPRINTERSHIP
Here to help

Hello,

Not sure if this is something we should worry about:

Suspicious .win dns query

I have looked at local DNS (logs enabled) and I don't even see .win queries in the logs.
Malwina
Meraki Employee

Hi!

This Security rule alerts on DNS queries to .win domains. Those are commonly used to try and spoof legitimate websites and trick users into thinking they are the original sites.

From experience it would likely not be something to worry about, but it would highly depend on what the exact source of this query is, whether it's internal or external, and whether you are able to tell what device is behind the source address.

Thanks, I don't see any ".win" request in my local DNS logs so it seems like it's external. Since we use MX, is there any way to check these queries in the log and see what device requests it?

Go into Organization - Security Center. Depending on when and how frequently it happens, the event may show up under 'Most Prevalent Threats' or 'Threats Across Networks'; you can click on it and filter for just that event. Alternatively you can filter for 'snort_rule: 1-44077'. Once that is filtered you can click on the 'MX Events' tab and that will show you source, destination and network, and you can also inspect/download the pcap if you click on the event name under the 'Details' column.

SPRINTERSHIP
Here to help

thanks, I see them now:

my DNS1 or DNS2 to ISP DNS (set up on local DNS servers 1&2), and I see them a lot. I have installed Sysmon on both DC/DNS1&2 but I don't see any .win query.

I have looked through the Sysmon logs (Event ID 22, DNS) and don't see anything related to .win on both servers. I just see a bunch of Windows update links to Microsoft, so I am not sure if this is false or real.
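Searching Sysmon Event ID 22 (DnsQuery) messages for the text "win" also matches every windowsupdate.com record, so a check that looks only at the final DNS label separates real .win queries from Windows update traffic. The Python below is an added example, not Meraki's or Sysmon's code; the event messages in it are constructed samples in the "Key: value" per-line layout Sysmon writes.

```python
# Constructed Sysmon Event ID 22 message bodies (sample data, not real logs).
SAMPLE_MESSAGES = [
    "Dns query:\r\nRuleName: -\r\nUtcTime: 2024-01-01 10:00:01.000\r\nProcessId: 1204\r\n"
    "QueryName: download.windowsupdate.com\r\nQueryStatus: 0\r\n"
    "QueryResults: ::ffff:203.0.113.10;\r\nImage: C:\\Windows\\System32\\svchost.exe",
    "Dns query:\r\nRuleName: -\r\nUtcTime: 2024-01-01 10:00:02.000\r\nProcessId: 1204\r\n"
    "QueryName: login.microsoft.com\r\nQueryStatus: 0\r\n"
    "QueryResults: ::ffff:203.0.113.11;\r\nImage: C:\\Windows\\System32\\svchost.exe",
    "Dns query:\r\nRuleName: -\r\nUtcTime: 2024-01-01 10:00:03.000\r\nProcessId: 5120\r\n"
    "QueryName: example-update.win\r\nQueryStatus: 0\r\n"
    "QueryResults: ::ffff:198.51.100.7;\r\nImage: C:\\Users\\alice\\AppData\\Local\\Temp\\tool.exe",
    "Dns query:\r\nRuleName: -\r\nUtcTime: 2024-01-01 10:00:04.000\r\nProcessId: 5120\r\n"
    "QueryName: cdn.files.win.\r\nQueryStatus: 9003\r\n"
    "QueryResults: \r\nImage: C:\\Users\\alice\\AppData\\Local\\Temp\\tool.exe",
    "Dns query:\r\nRuleName: -\r\nUtcTime: 2024-01-01 10:00:05.000\r\nProcessId: 1204\r\n"
    "QueryName: win.example.net\r\nQueryStatus: 0\r\n"
    "QueryResults: ::ffff:203.0.113.12;\r\nImage: C:\\Windows\\System32\\svchost.exe",
]


def parse_sysmon_dns(message):
    """Turn one Sysmon event 22 message body into a dict of its fields.

    Splitting on the first ':' only keeps values such as timestamps,
    IPv6 results and Windows paths (which contain colons) intact.
    """
    fields = {}
    for line in message.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip():  # skip the 'Dns query:' banner line
            fields[key.strip()] = value.strip()
    return fields


def is_win_tld(query_name):
    """True only when the last label is 'win' (a trailing dot is an FQDN marker)."""
    labels = query_name.lower().rstrip(".").split(".")
    return len(labels) >= 2 and labels[-1] == "win"


def find_win_queries(messages):
    """Return (UtcTime, Image, QueryName) for every .win query, so the
    requesting process can be identified, not just the DNS server."""
    hits = []
    for msg in messages:
        ev = parse_sysmon_dns(msg)
        name = ev.get("QueryName", "")
        if is_win_tld(name):
            hits.append((ev.get("UtcTime"), ev.get("Image"), name))
    return hits


if __name__ == "__main__":
    for utc, image, name in find_win_queries(SAMPLE_MESSAGES):
        print(f"{utc}  {image}  {name}")
```

Run against real data by feeding it the Message property of each Event ID 22 record exported from the Microsoft-Windows-Sysmon/Operational log on DNS1 and DNS2; only queries whose TLD is actually .win are reported.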

Seeing ".win" would be likely related to Windows updates, ".win" is often associated with Windows backup files.

Thank you Malwina,

That is exactly what I see in my local DNS servers. A lot of sites related to microsoft.com, so I believe these are a false alarm. Can I whitelist them? I would prefer not to disable them, but whitelist somehow.
There is indeed a possibility to Allowlist these in the Dashboard.
Did you have a chance to look into our documentation on this?
If not, give it a go, I believe it could be helpful 🙂
https://documentation.meraki.com/MX/Content_Filtering_and_Threat_Protection/Threat_Protection#Dealin...


We run 18.107.2 firmware so I believe we should be running snort 3.
