Constant DNS lookups for google domains

My OpenDNS console flagged my system as showing BOTNET activity. I began to review the DNS lookups for the account and, while I don't know if this is the cause of the account being flagged for botnet activity, I found that I've got some device constantly doing DNS lookups on lots of google domains. So I mirrored a port on my switch, did a Wireshark capture, and found that it is the new XG Firewall that I just stood up that is doing this. A quick search in the forum found a post from about a year ago that included a response that read, "These are preconfigured fqdn hosts for Chromebook SSO..."

Why would a firewall have this enabled by default, and is there an easy way to turn this off? The suggestion in the old thread was to delete the corresponding FQDN Hosts but there are pages and pages of them for these google domain names. I don't even own a Chromebook. This seems like it should be a bug, not a feature. Why would I ever want my firewall doing hundreds of completely unnecessary DNS lookups day after day? I'm running with a brand new setup and haven't done anything but change the WAN port since installing this. This is a default configuration doing the DNS queries.
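The attribution step the post describes (mirror a switch port, capture, then work out which host is issuing the lookups) is easier to repeat if the capture is exported as text and summarised per source. The script below is an added example for this thread, not code from the original post or from Sophos. It assumes the capture was exported with `tshark -r mirror.pcap -Y "dns.flags.response == 0" -T fields -e frame.time_epoch -e ip.src -e dns.qry.name` (tab-separated epoch time, source IP, queried name); the embedded sample export is constructed, the addresses and names in it are invented, and the list of Google-owned suffixes is an assumption you should extend for your own environment.

```python
"""Attribute DNS queries in a span-port capture to their source host.

Added example for the thread above, not original code. Assumes a
tshark -T fields export (epoch time, source IP, query name, tab-separated).
"""
from collections import Counter, defaultdict

# Constructed sample export (not real capture data): a firewall at
# 192.168.1.1 re-resolving the same google-family names every 30 s,
# plus ordinary lookups from one client.
SAMPLE_EXPORT = """\
1601900000.10\t192.168.1.1\taccounts.google.com
1601900000.11\t192.168.1.1\tapis.google.com
1601900000.12\t192.168.1.1\tssl.gstatic.com
1601900000.13\t192.168.1.1\tclients1.google.com
1601900005.00\t192.168.1.42\texample.org
1601900030.10\t192.168.1.1\taccounts.google.com
1601900030.11\t192.168.1.1\tapis.google.com
1601900030.12\t192.168.1.1\tssl.gstatic.com
1601900030.13\t192.168.1.1\tclients1.google.com
1601900040.00\t192.168.1.42\twww.google.com
1601900060.10\t192.168.1.1\taccounts.google.com
1601900060.11\t192.168.1.1\tapis.google.com
1601900060.12\t192.168.1.1\tssl.gstatic.com
1601900060.13\t192.168.1.1\tclients1.google.com
"""

# Assumed suffix list; extend to match the FQDN hosts seen in your capture.
GOOGLE_SUFFIXES = ("google.com", "googleapis.com", "gstatic.com",
                   "googleusercontent.com")


def is_google_name(name):
    """True if the query name is one of the suffixes or a subdomain of one."""
    name = name.rstrip(".").lower()
    return any(name == s or name.endswith("." + s) for s in GOOGLE_SUFFIXES)


def parse_export(text):
    """Yield (epoch, src_ip, qname) from a tshark -T fields export."""
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 3 or not parts[2]:
            continue  # blank or malformed line
        epoch, src, qname = parts
        yield float(epoch), src, qname.rstrip(".").lower()


def summarize(text):
    """Per source IP: total queries, google-family queries, distinct
    google-family names, and google-family queries per minute."""
    total, google = Counter(), Counter()
    names = defaultdict(set)
    first, last = {}, {}
    for epoch, src, qname in parse_export(text):
        total[src] += 1
        if is_google_name(qname):
            google[src] += 1
            names[src].add(qname)
        first.setdefault(src, epoch)
        last[src] = epoch
    summary = {}
    for src in total:
        # Rate over the observed window, never shorter than one minute,
        # so a single burst is not reported as a huge per-minute rate.
        span_min = max(last[src] - first[src], 60.0) / 60.0
        summary[src] = {
            "total": total[src],
            "google": google[src],
            "distinct_google_names": len(names[src]),
            "google_per_minute": round(google[src] / span_min, 2),
        }
    return summary


def top_google_source(text):
    """Source IP issuing the most google-family queries, with its stats."""
    summary = summarize(text)
    src = max(summary, key=lambda s: summary[s]["google"])
    return src, summary[src]


if __name__ == "__main__":
    for src, stats in sorted(summarize(SAMPLE_EXPORT).items(),
                             key=lambda kv: -kv[1]["google"]):
        print(src, stats)
    print("top google-family source:", top_google_source(SAMPLE_EXPORT))
```

A small, fixed set of names being re-resolved on a regular interval from one address is the pattern to look for; a client browsing Google properties shows many more distinct names at an irregular rate.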



  • Some days ago I noticed our XG FW frequently contacting google DNS servers as well. In our case it looks like it has something to do with uplink monitoring, even though we only have one WAN gateway configured. I asked Sophos support where to find this "google check" setting in the configuration because I cannot find it; for the uplink monitoring we have manually configured another host IP to check.

    I suppose it has something to do with uplink monitoring, because when those XG requests to google failed because of another upstream firewall in front of the XG, which denied those requests at some point, the XG repeatedly began reporting that the XG's WAN gateway is down.

    But as with almost all my open cases at Sophos, the question has been unanswered since Oct 5th, 2020.

  • Hi,

    the XG does not have a default check built in; that would be something you have configured in Network -> WAN link monitoring.

    Do you use google DNS as your network devices' DNS, and does the XG use it as well?
    ian

  • Hi,

    in my case, the XG does not use google DNS for lookups; the majority of LAN devices use internal DNS servers or the XG, eventually some may be configured with 8.8.8.8.

    And I mentioned the uplink monitoring, aka WAN link monitoring: it's using the upstream firewall, surely not google.

    btw our case ID here is 03194856

  • Hi,

    where does the log viewer show all the google DNS traffic originating from? I have devices on my network where it is hard-coded by the manufacturer and needs a DNAT to redirect it.

    ian

  • Hi,

    and I am expecting the firewall to make the DNS requests itself to google DNS servers, not LAN devices.

  • What does the XG log viewer show as the source for the DNS queries?
