ET DNS Query for .su TLD (Soviet Union) Often Malware Related on wan, nothing on lan


Just re-enabled suricata on the WAN side and alerts started popping up about su tld lookups. But when i looked at the other interfaces logs none of them had this warning. It still happens even after adding su tld to blacklist in pfblocker-ng and set pfsense to use the local resolver only. Looked through my stuff but did not see any funky behavior… Could this be triggered by suricata looking up hostnames in the background?

Thanks in advance!