
Sophos Auto Update accesses many domains

Why does the Sophos Auto Update access so many domains outside of sophos.com?

I recently installed Little Snitch, which is a firewall that allows the blocking of individual outgoing connections.  I was surprised to find that Sophos Auto Update was accessing domains other than sophos.com....

Hello Willum,

can't access the picture on snag.gy. Anyway - the relation of DNS names and their related entries (like ALIASes), the IPs these names resolve to, and the reverse names of the IPs is somewhat complex. Different names like www1.acme.com, dl-5.swfurnace.net and go2.rilla.org might each resolve to two addresses ("servers", but not necessarily a single machine, rather some nifty networking device) out of a pool of, say, 4. Thus for example acme.com and rilla.org might have one shared address. Reverse DNS usually does not reveal this fact; in the case of akamai the reverse lookup for 12.345.678.90 would return something like a12-345-678-90.deploy.akamaitechnologies.com - not quite useful. To present the user a meaningful name it's not sufficient to take the IP from a connection attempt and do a reverse lookup. Haven't thought it through, but I guess the only way to get this information is to intercept the forward queries, note the returned address(es) and use them to do the mapping. Obviously you have a problem if a subsequent query for a different name returns one of the "known" addresses. I'd exonerate LS and all the others - there's no way to present correct (and meaningful) information (would "12.345.678.90 has been found to belong to at least www1.acme.com and go2.rilla.org" help?).

if [Sophos] gets hijacked, I guess I'm done for anyway

Think you are correct :)

Christian
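The forward-query mapping Christian sketches above, worked through as an added example (editor's code, not part of the thread and not anything from Little Snitch or Sophos AutoUpdate): forward lookups are recorded as they are observed, so a later outbound connection to an address can be labelled with every name known to have resolved to it, and the shared-address case he warns about is reported as ambiguous rather than silently picking one name. All host names, addresses and timestamps are constructed sample data (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges); the allow-list suffixes are an assumed policy, not anything the thread states.

```python
"""Attribute outbound connections to DNS names via observed forward lookups.

Constructed example: the name->address data below is invented to mirror the
pool-of-four scenario in the reply above, where each name resolves to two
addresses and some addresses are shared between unrelated names.
"""
from collections import defaultdict


class ForwardDnsCache:
    """Remembers which names resolved to which addresses, with a simple TTL."""

    def __init__(self, ttl_seconds=300):
        self.ttl_seconds = ttl_seconds
        # address -> {name: time the name was last seen resolving to it}
        self._ip_to_names = defaultdict(dict)

    def observe(self, name, addresses, now):
        """Record one forward lookup answer (name -> addresses) seen at time `now`."""
        for ip in addresses:
            self._ip_to_names[ip][name.lower().rstrip(".")] = now

    def names_for(self, ip, now):
        """All names still within TTL that were seen resolving to `ip`, sorted."""
        seen = self._ip_to_names.get(ip, {})
        return sorted(n for n, t in seen.items() if now - t <= self.ttl_seconds)

    def classify(self, ip, now, allowed_suffixes):
        """Judge a connection to `ip` against the names it could belong to.

        Returns (verdict, candidate_names) where verdict is one of:
          'unknown'    - no forward lookup for this address was observed, so
                         only an (often generic CDN) reverse name would remain
          'allowed'    - every candidate name matches an allowed suffix
          'ambiguous'  - shared address: some candidates allowed, some not, so
                         the connection cannot be attributed to one name
          'unexpected' - no candidate name is on the allow list
        """
        names = self.names_for(ip, now)
        if not names:
            return "unknown", names
        ok = [n for n in names if _matches(n, allowed_suffixes)]
        if len(ok) == len(names):
            return "allowed", names
        if ok:
            return "ambiguous", names
        return "unexpected", names


def _matches(name, suffixes):
    """True if `name` equals a suffix or is a subdomain of it."""
    return any(name == s or name.endswith("." + s) for s in suffixes)


# Constructed resolver answers (name, addresses, time observed); not real data.
SAMPLE_LOOKUPS = [
    ("www1.acme.com", ["203.0.113.1", "203.0.113.2"], 100),
    ("dl-5.swfurnace.net", ["203.0.113.2", "203.0.113.3"], 110),
    ("go2.rilla.org", ["203.0.113.1", "203.0.113.4"], 120),
]


def build_sample_cache():
    cache = ForwardDnsCache(ttl_seconds=300)
    for name, addrs, t in SAMPLE_LOOKUPS:
        cache.observe(name, addrs, now=t)
    return cache


def demo(now=130, allowed=("acme.com",)):
    """Classify a handful of observed connection targets against an allow list."""
    cache = build_sample_cache()
    targets = ["203.0.113.1", "203.0.113.2", "203.0.113.3", "203.0.113.4", "198.51.100.9"]
    return {ip: cache.classify(ip, now, list(allowed)) for ip in targets}


if __name__ == "__main__":
    for ip, (verdict, names) in demo().items():
        print(f"{ip:14} {verdict:10} {', '.join(names) or '-'}")
```

With only acme.com allowed, 203.0.113.1 and 203.0.113.2 come back ambiguous because each was handed out for an acme name and for an unrelated one, 203.0.113.3 and 203.0.113.4 are unexpected, and 198.51.100.9 is unknown because no forward lookup ever returned it. The TTL matters in the other direction too: once the acme answer ages out, 203.0.113.1 is attributed only to go2.rilla.org, which is exactly the "subsequent query returns a known address" problem the reply points out.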
