All Barracuda Web Filters. All firmware versions.
Sometimes internal DNS servers appear in the Web Filter's Infection Activity log.
This can be concerning. These entries usually show a port number of 53.
Most of the time, several scans with different anti-virus and
anti-malware products on the Domain Controllers will find no infection.
This traffic could be registered in the Infection Activity log because the internal DNS server is trying to do a DNS look-up on a known poisoned DNS server. This traffic is being blocked by the Web Filter outbound feature and this action will, therefore, show up in the Infection Activity log.
One possible solution to stop these look-ups would be to flush the DNS cache on the DC. This should then allow the DNS look-ups to perform queries to a server that is not infected.
Link to this page: