Thread Info
  • State Verified Answer
  • Locked Locked
  • Replies 8 replies
  • Subscribers 28 subscribers
  • Views 4434 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Track down DNS request sources

Peter Mueller

Hi,

 

I used to use Sophos XG as the DNS server in my network. Recently I setup pihole as my DNS Server for the entire network. In order to have all client use this as the DNS Server I changed the pushed DNS Server in all DHCP server in Sophos XG. For client with static IPs I did this manually.

By the time the DHCP addresses are released and renewed most of the client use this DNS as it should be. However I still have thousands of DNS queries of 192.168.100.1 which is the Sophos XG Gateway and DNS server of one of my VLANs.

Is there any way to track down which client is still using the Sophos XG as DNS server and is the source for all these DNS queries. 

 

This happens every second and assuming that both queries are from the same device, it looks like it is a Google something. However I have no idea which device this.

Any hints to find the source?

 

Best 

 



This thread was automatically locked due to age.
  • 0

    Hi,

    I am not sure where you obtained that report from.

    If you open logviewer on the XG you will see where the DNS requests are coming from when you filter bt port 53.

    Also do you have the XG as part of your DNS trail?

    Ian

  • FormerMember
    0 FormerMember

    Hi Peter Mueller,

    Could you please check if you have Pharming Protection enabled under Web > General Settings> Advanced Settings > Enable Pharming Protection. Please check this KBA Sophos XG Firewall / UTM: How does Pharming protection work

    Thanks,

  • 0 in reply to rfcat_vk

    These logfiles are from the DNS server pihole.

    In Sophos XG 192.168.100.50 is set in DNS server. That means each client who does not directly contact the DNS on 192.168.100.50 goes via 192.168.100.1 to 192.168.100.50.

    So, there must be a client in 192.168.100.0 network which uses the Sophos XG as DNS server on 192.168.100.1 and Sophos XG DNS server contacts my external DNS server on 192.168.100.50 with these two requests. 

    Problem being is that I can't find the source via Sophos log files. If I filter for Port 53 it shows all DNS request from my clients to my external DNS server (as it should be) but no requests from clients to Sophos XG DNS on 192.168.100.50. 

     

     

     

    P.S.: Pharming Protection has already been activated

  • 0 in reply to Peter Mueller

    It can become complicated to find this source in XG, because this request most not be a single "DNS" Port 53 request by a client, instead it could be a HTTP Port 443 packet to XG and XG resolves the Website. 

    So you could start to perform a tcpdump, if you see those requests the at any time. This should be easy to find the client, if the clients sends normal Port 53 Packets. 

    tcpdump will work with certain filter and logic operators. 

    So start with  tcpdump -ni Interface port 53 and not host 192.168.100.1 

  • 0 in reply to LuCar Toni

    LuCar Toni said:

     

    So start with  tcpdump -ni Interface port 53 and not host 192.168.100.1 

     

    alright will do so. But shouldn't it be with the argument "dst host 192.168.100.1 and port 53". Since the client I am searching for is requesting a DNS resolve from 192.168.100.1 (Sophos XG)?

    However by doing it this way all I get are packets with source 192.168.100.50 and destination 192.168.100.1, which I assume are the replies to DNS requests from 192.168.100.1.

     

    Using "host not 192.168.100.1 and port 53" comes up with the same results: source is always 192.168.100.50 and destination 192.168.100.1.

    In case it is a HTTPS request, is there a way to further investigate?

     

    P.S.:

    based on the requested domains

    clients1.google.com and

    connectivitycheck.gstatic.com

    I assume it is a Google device we're talking about.

    nanopool.org however is very suspicious sind I don't do any coin mining.

     

     

     

  • FormerMember
    0 FormerMember in reply to Peter Mueller

    Hi Peter Mueller,

    If Pharming Protection is enabled, firewall will re-resolve the domain using its configured DNS server and if it is internal DNS server you will see source IP address as internal interface of the firewall. 

    Please check "Pharming Protection Enabled" and specific line 5 from the KBA Sophos XG Firewall / UTM: How does Pharming protection work.

    Thanks,

  • 0 in reply to FormerMember

    Hi Patel,

     

    I see your point but I don't get the connection to this case yet. If Pharming is enabled all requests should come from Sophos XG to the configured DNS Server, don't they? But in my case only these three domain requests come from Sophos XG.

    Furthermore, I deactivated Pharming and the requests keep on flooding my DNS server.

  • +1 in reply to Peter Mueller

    Alright, 

     

    I found the source of all these requests. In XG under Host & Services these domains were listed as FQDN Hosts. I don't really know why this was in there but I assume that I put it there in order to bypass the web proxy of XG.

    In this regards, I cleaned up Host & Services and deleted a huge amount of old entries not being used anymore.

     

    Best

    Peter