2 Respuestas
- Más nuevo
- Más votos
- Más comentarios
1
Hi, see https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#defenseevasion-ec2-unusualdnsresolver for details
An Amazon EC2 instance is communicating with an unusual public DNS resolver.
Default severity: Medium
Data source: VPC flow logs
This finding informs you that the listed Amazon EC2 instance in your AWS environment
is behaving in a way that deviates from the baseline behavior. This EC2 instance
has no recent history of communicating with this public DNS resolver. The Unusual
field in the finding details panel in the GuardDuty console can provide information
about the queried DNS resolver.
Remediation recommendations:
If this activity is unexpected, your instance may be compromised.
For more information, see Remediating a compromised EC2 instance.
So, basically, it says that your instance has started to talk with a new DNS server (it never queried it before). This unusual resolver will be listed on the Gard Duty panel. Check if it's a safe DNS resolver or not. If not, you will have to prevent your instance from talking to it.
0
8.8.8.8 is Google DNS Servers. Nothing to worry about much on the security end unless you have a DNS Server that your instances should be using
respondido hace 9 meses
Contenido relevante
- OFICIAL DE AWSActualizada hace un año
- OFICIAL DE AWSActualizada hace un año
Hello, Thanks for the information. But, I need to find why my instance communicating with public Dns resolver (8.8.8.8). And unable to predict whether it is safe or unsafe. Note: we have not changed instance's network Dns settings. Also help us how to prevent it.( we are getting this alert for few of our ec2 instances)
We do have site to site vpn configured for this VPV. any of vpn's dns setting makking this issue?