DNS Queries to BIZ Domains

Good morning Ladies and Gents,
So being the noob that I am with networking, I've gotten good at searching for information on problems I'm having. However, I can't seem to figure this one out.
Long story short, I have Suricata running on my custom made PFSense box, and keep getting “ET INFO Observed DNS Query to .biz TLD” on my WAN interface only.
Some destination IPs are .biz, some are the root DNS servers, and some IPs are not resolvable.
Is this something I should be worried about? Any insight would be greatly appreciated!
Thank you!

Most likely a false positive, but this highlights the problem with any of these tools: too much data. This is not just a problem with EVERY tool that I am aware of that monitors traffic, but also in the industry as a whole. I was just reading this today:

“It is very common for analysts to increase the thresholds for creating security events to reduce volume.”
Well then! I'll have to do some reading on what criteria different rules follow for alerts. For now I'll treat it as such!

Thank you for the quick reply as well!

I found that most .biz DNS calls from my network are from phone apps. Many phone app developers use the same base code across the board, and much of that code has user analytics built in, reaching out to various countries to send the logged data from that app. I block all that, or do my best to. You can resolve the IPs with an open-source search, as pfSense is not all that reliable in that area.

Oh yeah, I use pfBlocker to block the .biz TLD. You can get more details on who on your network made the call and the full path that was requested. All that is available through pfBlocker.

I'll have to do the same with pfBlocker, thanks for the info. What I found weird is that no other interface was showing the alert, which made me believe it was something on my pfSense box. However, being that I built the box myself with used gear, I'm aware that some problems are my own making :)

It could be that your pfSense is doing the DNS lookup (EXTERNAL_NET) on behalf of your client, which goes out from your WAN. Your client asking pfSense for the lookup would be considered HOME_NET.
Also, Suricata has rules that trigger depending on interface and direction. I'd have to double-check the rule for this one to verify if that is the case here.
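To see why the alert shows up on the WAN only, here is an added Python example (not from anyone in this thread) that correlates a WAN-side .biz alert whose source is the firewall itself with the LAN-side DNS query that caused it. The firewall address, interface names (igb0/igb1) and the log lines are constructed; they are shaped like Suricata EVE JSON, but the exact field layout depends on your Suricata version and is an assumption here.

```python
import json
from datetime import datetime

# Assumption: the firewall's own WAN address (documentation range, not a real host).
FIREWALL_ADDRS = {"203.0.113.10"}

# Constructed sample lines shaped like Suricata EVE JSON (not a real capture): a LAN
# client asks the pfSense resolver for a .biz name, then the resolver's own recursive
# lookup leaves the WAN interface and trips the .biz TLD rule there.
SAMPLE_EVE = [
    '{"timestamp":"2020-01-01T08:00:00.100000+0000","event_type":"dns","in_iface":"igb1",'
    '"src_ip":"192.168.1.20","dest_ip":"192.168.1.1",'
    '"dns":{"type":"query","rrname":"analytics.example.biz","rrtype":"A"}}',
    '{"timestamp":"2020-01-01T08:00:00.250000+0000","event_type":"alert","in_iface":"igb0",'
    '"src_ip":"203.0.113.10","dest_ip":"198.51.100.53",'
    '"alert":{"signature":"ET INFO Observed DNS Query to .biz TLD"},'
    '"dns":{"query":[{"rrname":"analytics.example.biz","rrtype":"A"}]}}',
    '{"timestamp":"2020-01-01T09:15:00.000000+0000","event_type":"alert","in_iface":"igb0",'
    '"src_ip":"203.0.113.10","dest_ip":"198.51.100.53",'
    '"alert":{"signature":"ET INFO Observed DNS Query to .biz TLD"},'
    '"dns":{"query":[{"rrname":"cdn.other.biz","rrtype":"A"}]}}',
]

def _ts(ev):
    return datetime.strptime(ev["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")

def attribute_biz_alerts(lines, firewall_addrs=FIREWALL_ADDRS, window_s=2.0):
    """Map each queried .biz name in an alert to the LAN client behind it.

    An alert whose source is the firewall itself fired on the resolver's recursive
    lookup (WAN side), so look back up to window_s seconds for a LAN-side dns query
    event for the same name. Returns {name: client IP, or None if no query matched}."""
    events = [json.loads(ln) for ln in lines]
    lan_queries = [e for e in events
                   if e.get("event_type") == "dns" and e["dns"].get("type") == "query"]
    result = {}
    for ev in events:
        if ev.get("event_type") != "alert" or ".biz TLD" not in ev["alert"]["signature"]:
            continue
        for q in ev.get("dns", {}).get("query", []):
            name = q["rrname"]
            if ev["src_ip"] not in firewall_addrs:
                result[name] = ev["src_ip"]        # alert already names the client
                continue
            match = None                           # resolver lookup: find who asked
            for lq in lan_queries:
                age = (_ts(ev) - _ts(lq)).total_seconds()
                if lq["dns"]["rrname"] == name and 0 <= age <= window_s:
                    match = lq["src_ip"]
            result[name] = match
    return result
```

A None result means the WAN alert had no matching LAN query in the log, which is exactly the case where the alert by itself cannot tell you which device asked; enabling Suricata's EVE DNS logging on the LAN interface is what gives you the client.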