
Sophos XG trying to connect to unknown DNS servers, which are not configured

Hi,


I am running a Sophos XG behind another firewall.

I am only allowing DNS connections to the DNS server which I have configured in XG. Today I see an overwhelming mass of blocked attempts from the XG to connect to unknown IP addresses on port 53 / service DNS.

Since there are no logs about these connections found in XG, and all connections to DNS from devices behind XG are blocked, there is actually some evidence that these connections are initiated from the XG itself.

Some of these IPs resolve to *.root-servers.net, others are not resolvable.


Is that an expected behaviour of XG?

I am running XG 18.0.1-MR1


Regards

Dwayne Parker


  • Actually those DNS requests are caused by the x.000 FQDN hosts, which are created per default on XG.

    As XG tries to hold them in the cache, you will find dozens of DNS requests to keep all of them saved for quicker response.

    Try to delete them and it should be "quiet".

    As I looked at those requests for one day, I found only ... a few MB per day of DNS requests, which is not worth talking about.

  • Hello Dwayne,

    Oh I see, thank you.

    Just wanted to confirm the queries are like this, which are legit queries:

    16:43:46.020570 Port2, OUT: Out 7c:5a:1c:79:37:98 ethertype IPv4 (0x0800), length 75: 99.199.65.43.59584 > 192.168.0.1.53: 61784+ A? www.google.az. (31)
    16:43:48.035120 Port2, OUT: Out 7c:5a:1c:79:37:98 ethertype IPv4 (0x0800), length 86: 99.199.65.43.56620 > 8.8.8.8.53: 5812+ A? dual-a-0001.a-msedge.net. (42)
    16:43:48.035189 Port2, OUT: Out 7c:5a:1c:79:37:98 ethertype IPv4 (0x0800), length 75: 99.199.65.43.14661 > 8.8.8.8.53: 13225+ A? www.google.fr. (31)
    16:43:48.039292 Port2, IN: In a4:7b:2c:4f:1f:b5 ethertype IPv4 (0x0800), length 118: 8.8.8.8.53 > 99.199.65.43.56620: 5812 2/0/0 A 204.79.197.200, A 13.107.21.200 (74)
    16:43:48.039492 lo, IN: In 00:00:00:00:00:00 ethertype IPv4 (0x0800), length 195: 127.0.0.1.53 > 127.0.0.1.2155: 17476 4/0/0 CNAME a-0001.a-afdentry.net.trafficmanager.net., CNAME dual-a-0001.a-msedge.net., A 204.79.197.200, A 13.107.21.200 (151)
    16:43:48.039542 lo, IN: In 00:00:00:00:00:00 ethertype IPv4 (0x0800), length 173: 127.0.0.1.53 > 127.0.0.1.44926: 17476 4/0/0 CNAME www2-bing-com.dual-a-0001.a-msedge.net., CNAME dual-a-0001.a-msedge.net., A 204.79.197.200, A 13.107.21.200 (129)
    16:43:48.039583 lo, IN: In 00:00:00:00:00:00 ethertype IPv4 (0x0800), length 188: 127.0.0.1.53 > 127.0.0.1.47641: 17476 4/0/0 CNAME www4-bing-com.trafficmanager.net., CNAME dual-a-0001.a-msedge.net., A 204.79.197.200, A 13.107.21.200 (144)
    16:43:48.039630 lo, IN: In 00:00:00:00:00:00 ethertype IPv4 (0x0800), length 196: 127.0.0.1.53 > 127.0.0.1.49593: 17476 4/0/0 CNAME a-0001.a-afdentry.net.trafficmanager.net., CNAME dual-a-0001.a-msedge.net., A 204.79.197.200, A 13.107.21.200 (152)
    16:43:48.047537 Port2, IN: In a4:7b:2c:4f:1f:b5 ethertype IPv4 (0x0800), length 91: 8.8.8.8.53 > 99.199.65.43.14661: 13225 1/0/0 A 216.58.217.35 (47)
    16:43:48.047617 lo, IN: In 00:00:00:00:00:00 ethertype IPv4 (0x0800), length 91: 127.0.0.1.53 > 127.0.0.1.54438: 17476 1/0/0 A 216.58.217.35 (47)
    16:43:49.040360 Port2, OUT: Out 7c:5a:1c:79:37:98 ethertype IPv4 (0x0800), length 75: 99.199.65.43.48345 > 8.8.8.8.53: 12366+ A? www.google.az. (31)
    16:43:49.054866 Port2, IN: In a4:7b:2c:4f:1f:b5 ethertype IPv4 (0x0800), length 91: 8.8.8.8.53 > 99.199.65.43.48345: 12366 1/0/0 A 216.58.217.35 (47)
    16:43:49.055001 lo, IN: In 00:00:00:00:00:00 ethertype IPv4 (0x0800), length 91: 127.0.0.1.53 > 127.0.0.1.16423: 0 1/0/0 A 216.58.217.35 (47)
    16:43:50.261918 lo, IN: In 00:00:00:00:00:00 ethertype IPv4 (0x0800), length 79: 127.0.0.1.36334 > 127.0.0.1.53: 43433+ A? www.google.com.au. (35)
    16:43:50.262100 lo, IN: In 00:00:00:00:00:00 ethertype IPv4 (0x0800), length 75: 127.0.0.1.33605 > 127.0.0.1.53: 43433+ A? www.google.pt. (31)
    16:43:50.262295 Port2, OUT: Out 7c:5a:1c:79:37:98 ethertype IPv4 (0x0800), length 79: 99.199.65.43.10191 > 192.168.0.1.53: 20200+ A? www.google.com.au. (35)

    and these are queries to the DNS configured in the XG:

    16:43:46.020570 Port2, OUT: Out 7c:5a:1c:79:37:98 ethertype IPv4 (0x0800), length 75: 99.199.65.43.59584 > 192.168.0.1.53: 61784+ A? www.google.az. (31)
    16:43:48.035120 Port2, OUT: Out 7c:5a:1c:79:37:98 ethertype IPv4 (0x0800), length 86: 99.199.65.43.56620 > 8.8.8.8.53: 5812+ A? dual-a-0001.a-msedge.net. (42)

    Regards,
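The capture lines in this reply can be sifted automatically. As an added example (not code from this thread or from Sophos), the Python below parses tcpdump-style DNS lines in the layout shown above and flags outbound queries sent to a resolver that is not in the configured set, which is exactly the distinction the reply draws; it also counts queries per resolver to size the volume. The regex assumes that line layout; the sample lines are taken from this thread except the last, which is constructed with the documentation address 192.0.2.53 standing in for an unknown resolver.

```python
import re

# Assumed layout (as in the thread): "<time> <iface>, <IN|OUT>: ... <src>.<sport> > <dst>.<dport>: <rest>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<iface>\S+),\s+(?P<dir>IN|OUT):.*?"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+(?P<rest>.*)$"
)
# tcpdump prints a question as "<id>+ <TYPE>? <name>. (<len>)"; answers carry no "?"
QUESTION_RE = re.compile(r"\b([A-Z]+)\?\s+(\S+)\.\s+\(\d+\)$")

def parse_dns_line(line):
    """Return a dict describing one capture line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    q = QUESTION_RE.search(rec["rest"])
    rec["is_query"] = q is not None
    rec["qtype"], rec["qname"] = (q.group(1), q.group(2)) if q else (None, None)
    return rec

def outbound_queries(lines):
    """Yield parsed records for DNS questions leaving an interface (direction OUT, port 53)."""
    for line in lines:
        rec = parse_dns_line(line)
        if rec and rec["dir"] == "OUT" and rec["dport"] == "53" and rec["is_query"]:
            yield rec

def find_unexpected_resolvers(lines, allowed_resolvers):
    """(timestamp, destination, name) for each query sent to a resolver outside the allowed set."""
    return [(r["ts"], r["dst"], r["qname"])
            for r in outbound_queries(lines) if r["dst"] not in allowed_resolvers]

def queries_per_resolver(lines):
    """Count outbound questions per destination resolver, to judge how much traffic is involved."""
    counts = {}
    for r in outbound_queries(lines):
        counts[r["dst"]] = counts.get(r["dst"], 0) + 1
    return counts

# Sample capture: first four lines from this thread; the last is constructed (192.0.2.53 = unknown resolver)
SAMPLE_LINES = [
    "16:43:46.020570 Port2, OUT: Out 7c:5a:1c:79:37:98 ethertype IPv4 (0x0800), length 75: 99.199.65.43.59584 > 192.168.0.1.53: 61784+ A? www.google.az. (31)",
    "16:43:48.035120 Port2, OUT: Out 7c:5a:1c:79:37:98 ethertype IPv4 (0x0800), length 86: 99.199.65.43.56620 > 8.8.8.8.53: 5812+ A? dual-a-0001.a-msedge.net. (42)",
    "16:43:48.047537 Port2, IN: In a4:7b:2c:4f:1f:b5 ethertype IPv4 (0x0800), length 91: 8.8.8.8.53 > 99.199.65.43.14661: 13225 1/0/0 A 216.58.217.35 (47)",
    "16:43:50.261918 lo, IN: In 00:00:00:00:00:00 ethertype IPv4 (0x0800), length 79: 127.0.0.1.36334 > 127.0.0.1.53: 43433+ A? www.google.com.au. (35)",
    "16:43:51.000000 Port2, OUT: Out 7c:5a:1c:79:37:98 ethertype IPv4 (0x0800), length 75: 99.199.65.43.40001 > 192.0.2.53.53: 777+ A? www.google.de. (31)",
]
```

Feed it the output of the XG packet capture (or `tcpdump -i Port2 port 53`) with the resolvers configured under Network > DNS as the allowed set; anything it reports is a query the XG sent somewhere you did not configure.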