1 Answer
- Newest
- Most votes
- Most comments
0
Hi,
You are interacting on 1.1.1.1 with CloudFlare resolver: see https://www.cloudflare.com/en-gb/learning/dns/what-is-1.1.1.1/
see https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#defenseevasion-ec2-unusualdnsresolver for details
An Amazon EC2 instance is communicating with an unusual public DNS resolver.
Default severity: Medium
Data source: VPC flow logs
This finding informs you that the listed Amazon EC2 instance in your AWS environment
is behaving in a way that deviates from the baseline behavior. This EC2 instance
has no recent history of communicating with this public DNS resolver. The Unusual
field in the finding details panel in the GuardDuty console can provide information
about the queried DNS resolver.
Remediation recommendations:
If this activity is unexpected, your instance may be compromised.
For more information, see Remediating a compromised EC2 instance.
So, basically, it says that your instance has started to talk with a new DNS server (it never queried it before). This unusual resolver will be listed on the Gard Duty panel.
The first link says it's CloudFlare: so, you probably don't want to prevent your instance from talking to it.
Best,
Didier
Relevant content
- Accepted Answerasked a month ago
- AWS OFFICIALUpdated 2 years ago
- AWS OFFICIALUpdated 5 days ago
- AWS OFFICIALUpdated 2 years ago
- AWS OFFICIALUpdated a year ago
Thank you Mr.Durand.
Would would the EC2 instance starts communicating suddenly with Cloudflare? Could you pls throw some light ? I am new to this.
You would need to review your EC2 setup and what’s installed.