Amazon GuardDuty. DefenseEvasion:EC2/UnusualDNSResolver


Environment

  • Red Hat OpenShift Service on AWS (ROSA)
    • v4.x

Issue

  • Alert received from AWS
AWS case ID: XXXXX for Application: XXXXX - XXXXX AccountId: XXXXXX 
Subject: [Amazon GuardDuty Finding] DefenseEvasion:EC2/UnusualDNSResolver - 
Finding Severity: Medium 

Category: security-issue Service: service-ams-operations-report-incident 
TimeCreated: XXXX-XX-XXXX

Details: Hello,

AWS Managed Services has detected an Amazon GuardDuty finding within your managed account:

This alert is about a potential security issue discovered by Amazon GuardDuty. DefenseEvasion:EC2/UnusualDNSResolver - EC2 instance i-XXXXX is communicating with an Unusual DNS Resolver 170.247.170.2

The alert summary can be found below:

Description: EC2 instance i-XXXXX is communicating with an Unusual DNS Resolver 170.247.170.2.
Account ID: XXXXXXXX
Region: af-south-1
Created At: XXXX-XX-XXXX
Severity: 5
Finding Severity: Medium

Resolution

Disclaimer: Links contained herein to external website(s) are provided for convenience only. Red Hat has not reviewed the links and is not responsible for the content or its availability. The inclusion of any link to an external website does not imply endorsement by Red Hat of the website or their entities, products or services. You agree that Red Hat is not responsible or liable for any loss or expenses that may result due to your use of (or reliance on) the external site or content.

  • The finding type DefenseEvasion:EC2/UnusualDNSResolver is generated by GuardDuty for an EC2 instance in an AWS environment when the instance behaves in a way that deviates from its baseline behavior [1]. GuardDuty profiles the EC2 instance's DNS behavior and uses that profile as the baseline for this finding type. Any DNS traffic that falls outside the baseline is flagged as suspicious, thereby generating this finding.

  • The IPv4 address for b.root-servers.net was changed on November 27, 2023 [2]. Because GuardDuty had no history of the instance communicating with this DNS resolver IP address, it generates findings for it. The reported IP address is not malicious; it is part of the root hints file.

  • This finding is a false positive. Note that alerts may still be received for this finding while instances, and subsequently GuardDuty, adapt to the new DNS resolver IP address. If it suits your requirements, consider suppressing these findings with a suppression rule that filters on the IP address and the finding type, so that they are automatically archived [3].
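One way to build and pre-check the suppression rule described above, as an added example that is not part of the Red Hat solution or AWS documentation: it produces the filter criteria that `aws guardduty create-filter --finding-criteria` and boto3's `create_filter` accept, and includes a local Eq/Neq matcher so the rule can be tried against exported findings before it archives anything. The attribute path `service.action.networkConnectionAction.remoteIpDetails.ipAddressV4` for the resolver address is an assumption to confirm against a real finding; the detector ID and filter name are placeholders.

```python
FINDING_TYPE = "DefenseEvasion:EC2/UnusualDNSResolver"
B_ROOT_NEW_IP = "170.247.170.2"  # resolver address reported in the finding above
# Assumed attribute path for the resolver address in the finding JSON; confirm it
# against a real finding (`aws guardduty get-findings`) before creating the rule.
RESOLVER_IP_ATTR = "service.action.networkConnectionAction.remoteIpDetails.ipAddressV4"

def suppression_criteria(finding_type=FINDING_TYPE, resolver_ip=B_ROOT_NEW_IP):
    """FindingCriteria in the shape create-filter expects: this type AND this IP only,
    so findings for any other unusual resolver keep surfacing."""
    return {"Criterion": {"type": {"Eq": [finding_type]},
                          RESOLVER_IP_ATTR: {"Eq": [resolver_ip]}}}

def _lookup(finding, dotted_path):
    """Walk a dotted attribute path through a finding dict; None if absent."""
    node = finding
    for key in dotted_path.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node

def matches(finding, criteria):
    """Local pre-check of Eq/Neq criteria, so the rule can be tried against exported
    findings before it starts archiving anything in the account."""
    for path, cond in criteria["Criterion"].items():
        value = _lookup(finding, path)
        if "Eq" in cond and value not in cond["Eq"]:
            return False
        if "Neq" in cond and value in cond["Neq"]:
            return False
    return True

def sample_finding(resolver_ip, finding_type=FINDING_TYPE):
    """Constructed finding carrying only the fields the criteria inspect."""
    return {"type": finding_type, "service": {"action": {"networkConnectionAction":
            {"remoteIpDetails": {"ipAddressV4": resolver_ip}}}}}

def create_suppression_rule(detector_id, name="suppress-b-root-new-ip"):
    """Create the ARCHIVE filter with boto3 (assumes AWS credentials are configured)."""
    import boto3  # imported here so everything above runs offline
    return boto3.client("guardduty").create_filter(
        DetectorId=detector_id, Name=name, Action="ARCHIVE", Rank=1,
        Description="b.root-servers.net changed address on 2023-11-27; false positive",
        FindingCriteria=suppression_criteria())
```

Run `matches()` over findings exported with `aws guardduty get-findings` first: the rule should match only the new b.root address, never a resolver you have not vetted.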

References:
[1] GuardDuty EC2 finding types - DefenseEvasion:EC2/UnusualDNSResolver
[2] New addresses for b.root-servers.net
[3] Suppression rules

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
