Constant DNS lookups for google domains

My OpenDNS console flagged my system as showing BOTNET activity. I began to review the DNS lookups for the account and while I don't know if this is the cause of the flagging the account for botnet activity, I found that I've got some device constantly doing DNS lookups on lots of google domains. So I mirrored a port on my switch and did a Wireshark capture and find that it is the new XG Firewall that I just stood up that is doing this. A quick search in the forum found a post about a year ago that included a response that read, "These are preconfigured fqdn hosts for Chromebook SSO..." 

Why would a firewall have this enabled by default, and is there an easy way to turn this off? The suggestion in the old thread was to delete the corresponding FQDN Hosts but there are pages and pages of them for these google domain names. I don't even own a Chromebook. This seems like it should be a bug, not a feature. Why would I ever want my firewall doing hundreds of completely unnecessary DNS lookups day after day? I'm running with a brand new setup and haven't done anything but change the WAN port since installing this. This is a default configuration doing the DNS queries.

  • It looks like these domains are all part of the "SafeSearch enforcement" FQDN Group, so that doesn't read like something related to Chromebook SSO. Maybe that post from a year ago was wrong.

  • Some days ago I noticed our XG FW frequently contacting Google DNS servers as well. In our case it looks like it has something to do with uplink monitoring, even though we only have one WAN gateway configured. I asked Sophos support where to find this "google check" setting in the configuration because I cannot find it - for the uplink monitoring we have manually configured another host IP to check.

    I suppose it has something to do with uplink monitoring, because when those XG requests to Google failed because of another upstream firewall in front of the XG which denied those requests at some point, the XG repeatedly began reporting that the XG's WAN gateway is down.

    But as with almost all my open cases at Sophos, the question has been unanswered since Oct 5th 2020.

  • Hi,

    the XG does not have a default check inbuilt; that would be something you have configured in network -> wan link monitoring.

    Do you use Google DNS as your network devices' DNS, and the XG uses it as well?
    ian

  • Hi,

    in my case, the XG does not use google DNS for lookups, the majority of LAN devices use internal DNS servers or the XG, eventually some may be configured with 8.8.8.8.

    And I mentioned the uplink monitoring - aka WAN link monitoring - it's using the upstream firewall, surely not Google.

    btw our case ID here is 03194856

  • Hi,

    where does logviewer show all the Google DNS traffic originating from? I have devices on my network where it is hard coded by the manufacturer and needs a DNAT to redirect it.

    ian

  • Hi,

    and me are expecting the firewall to make the DNS requests itself to Google DNS servers. Not LAN devices.

  • What does the XG logviewer show as the source for the dns queries?

  • Why should this happen? You could use NAT to resolve such scenarios, but if the client asks for a DNS query to Google, it will do it. You are looking for a Sanctioned DNS service: a feature to allow and deny DNS traffic going to certain DNS services.

  • At the time I took the trace there were no clients behind the XG. The XG is still being set up/tested, so the WAN port is connected to my 24 port switch. At most there has been a single MacBook behind the XG. The queries go from the XG to OpenDNS and are lookups for names that are listed in the FQDN Hosts list and in the FQDN group SafeSearch Enforcement. Unless you are monitoring your external DNS lookups you wouldn't see this.

    The only change I intentionally made from the default setup wizard was changing the port for the WAN zone from port 2 to port 8. I'll look at WAN link monitoring and see if there is anything that looks like it could have impact, but on the surface this looks like it is related to SafeSearch enforcement, and the behavior seems pretty unexpected.

  • I've just let a tcpdump run on the XG for some time and could not find traffic to Google DNS servers by ICMP or port 53 sent by the firewall itself.
    Maybe this was only a temporary issue caused by IPS updates on the upstream (Sophos) firewall that blocked ICMP to 8.8.8.8 from the XG firewall in the moments the XG reported the gateway as down.