UncleStu Posted September 12, 2024
It would appear that two of my dockers are continually trying to query a domain that has been categorized as a C&C site. I would like to stop these queries, or sinkhole them, but I'm not sure of the best way. The docker container is querying my internal DNS server, which is then querying my forwarding DNS servers and being flagged/prevented at my firewall. The domains are unifi.domain.tld and ombiombi.domain.tld. I don't want to put an exception in my firewall, I just want to blackhole or stop the requests. Or understand why they are there in the first place. Can anyone offer advice or suggestions? Also what is odd, I am not running Ombi, but Overseer. I'm assuming that the ombiombi query is from Overseer. I'm also assuming the unifi query is from my Unifi container.
UncleStu Posted September 13, 2024 (Author)
I know this is not the best solution, but I ended up creating a new "domain.tld" zone on my DNS server with no records in the zone. It has stopped the firewall from complaining, but I know it hasn't stopped the requests. Still looking for any suggestions or recommendations on why the container is reaching out to this domain.
caplam Posted September 14, 2024
Those are not valid domain names. Are you sure those connection attempts are from docker containers? It looks like a default setting in the conf file of an app. Here I suppose unifi and ombi. What are the results of nslookup unifi.domain.tld or nslookup ombiombi.domain.tld? I would start by looking at hosts files.
JonathanM Posted September 14, 2024
On 9/12/2024 at 2:16 PM, UncleStu said: "a domain that has been categorized as a C&C site"
Where did you see that?
UncleStu Posted September 14, 2024 (Author)
2 hours ago, caplam said: "It looks like a default setting in conf file of an app."
Where could I look for these? I looked through the Unifi and Overseer webUIs and didn't see anything. I looked through the settings for Docker as well, thinking that maybe it was something nested into unraid itself. Nothing. You're correct that the domain doesn't exist. I didn't look to see if it did or not. Could possibly be a false positive from my firewall. Still interested in stopping/changing the queries if I could find out where they are coming from.
2 hours ago, JonathanM said: "Where did you see that?"
The log details screenshot from the first post shows this. But the data could be wrong if it is a FP alert.
caplam Posted September 15, 2024
See what device requests the domain IP. I'm no expert, but perhaps you have a wrong entry in a hosts file (on your server or in a container).
UncleStu Posted September 15, 2024 (Author)
I can't tell who is making the request to my internal DNS server. I can only see the request from my DNS server to an external DNS forwarder. Without a packet capture in front of my DNS server, I don't think I'll know. As for an improper hosts file, I don't have any hosts file configs for my containers, or none that I have set myself. And my unraid doesn't have any hosts with this domain. My only thoughts are that it is within the container image itself. Is there a command I can run within the container to see the hosts? Or the domain name being used?
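The two questions above (caplam's suggestion to look at an app's conf or hosts files, and UncleStu's question about a command to run inside a container to find the name being used) come down to one task: find which file under a container's config tree references the hostname the firewall is flagging. The script below is an added example, not code from the thread or from any of the projects mentioned. It builds a constructed, hypothetical appdata tree with a Varken-style ini (the section and key names are assumed, not taken from the real Varken layout), then searches it for a hostname, ignoring lines already commented out with # or ; so that a disabled entry does not show up as a live reference.

```shell
#!/bin/sh
# Added example (not from the thread): trace a stray DNS lookup back to the
# config file that causes it, rather than sinkholing the name and losing the
# evidence of where it came from.

# find_domain_refs DIR DOMAIN
# Prints "file:line:text" for every line under DIR that mentions DOMAIN,
# skipping lines whose first non-blank character is # or ; (ini/yaml comments).
# Exit status is non-zero when no active reference exists.
find_domain_refs() {
    dir="$1"
    domain="$2"
    # -r recurse, -n line numbers, -i case-insensitive, -F literal string
    grep -rniF -- "$domain" "$dir" 2>/dev/null \
        | grep -vE '^[^:]*:[0-9]+:[[:space:]]*[#;]'
}

# count_domain_refs DIR DOMAIN -> number of active (uncommented) references
count_domain_refs() {
    find_domain_refs "$1" "$2" | wc -l | tr -d ' '
}

# make_sample_appdata [DIR] -> prints the path of a constructed sample tree.
# Assumption: the file names, sections and keys below are hypothetical and
# only stand in for "some app config that hard-codes hostnames".
make_sample_appdata() {
    base="${1:-$(mktemp -d)}"
    mkdir -p "$base/varken" "$base/overseerr"
    cat > "$base/varken/varken.ini" <<'EOF'
[ombi-1]
url = ombiombi.domain.tld
apikey = REDACTED-CONSTRUCTED
get_request_type_counts = true

[unifi-1]
url = unifi.domain.tld
username = monitor
; url = retired.domain.tld
EOF
    cat > "$base/overseerr/settings.json" <<'EOF'
{ "main": { "applicationUrl": "http://overseerr.local" } }
EOF
    echo "$base"
}

# Stand-alone demonstration: search the constructed tree for the two names
# from the thread and for the commented-out one.
sample_dir=$(make_sample_appdata)
for name in unifi.domain.tld ombiombi.domain.tld retired.domain.tld; do
    echo "== active references to $name =="
    find_domain_refs "$sample_dir" "$name" || echo "(none)"
done
rm -rf "$sample_dir"
```

On a live host the same search is run against the container's persistent config (for example the appdata path bind-mounted into it) or inside the container itself with `docker exec <container> grep -rn 'domain.tld' /config /etc`; the hits tell you which app and which key to change, and re-running the search after commenting the line out confirms the reference is gone.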
UncleStu Posted September 26, 2024 (Author, marked as Solution)
I FOUND IT!! My Varken.ini file had these FQDNs defined. I set the sections to false, and commented out the lines too.