
[Application Filter] Google DNS registered risk level 5 (Torrent Clients P2P)

SFOS 16.01.0

Application Filter blocked DNS forwarding from my DNS server.

Torrent Clients? Maybe something is wrong?

  • Uhm... Tomorrow I will check this configuration... however, you should always allow the required services instead of Any. Also, separate the DNS service in one rule and the HTTP/HTTPS services in another, and apply the app filter there.

  • Hi Harim,

    We have checked with the same application filter policy and found no issue with DNS requests. I have tested with a host system in the LAN and the XG as a gateway appliance. You may verify the settings as per the screenshots below.

    15:30:02.988986 PortB, OUT: IP 192.168.0.102.58523 > 8.8.8.8.53: 62154+ A? iprep2.t.ctmail.com. (37)
    15:30:03.017764 PortB, IN: IP 8.8.8.8.53 > 192.168.0.102.58523: 62154 2/0/0[|domain]
    15:30:05.905480 PortB, OUT: IP 192.168.0.102.7212 > 8.8.8.8.53: 6954+ A? resolver3.ast.ctmail.com. (42)
    15:30:05.922942 PortB, IN: IP 8.8.8.8.53 > 192.168.0.102.7212: 6954 2/0/0[|domain]
    15:30:07.431113 PortA, IN: IP 10.10.10.129.57530 > 8.8.8.8.53: 10+ A? amazon.com.localdomain. (40)
    15:30:07.431742 PortB, OUT: IP 192.168.0.102.57530 > 8.8.8.8.53: 10+ A? amazon.com.localdomain. (40)
    15:30:07.513609 PortB, IN: IP 8.8.8.8.53 > 192.168.0.102.57530: 10 NXDomain 0/1/0 (115)
    15:30:07.514400 PortA, OUT: IP 8.8.8.8.53 > 10.10.10.129.57530: 10 NXDomain 0/1/0 (115)
    15:30:07.515267 PortA, IN: IP 10.10.10.129.57531 > 8.8.8.8.53: 11+ AAAA? amazon.com.localdomain. (40)
    15:30:07.515694 PortB, OUT: IP 192.168.0.102.57531 > 8.8.8.8.53: 11+ AAAA? amazon.com.localdomain. (40)
    15:30:07.605734 PortB, IN: IP 8.8.8.8.53 > 192.168.0.102.57531: 11 NXDomain 0/1/0 (115)
    15:30:07.606124 PortA, OUT: IP 8.8.8.8.53 > 10.10.10.129.57531: 11 NXDomain 0/1/0 (115)
    15:30:07.607144 PortA, IN: IP 10.10.10.129.57532 > 8.8.8.8.53: 12+ A? amazon.com. (28)
    15:30:07.607638 PortB, OUT: IP 192.168.0.102.57532 > 8.8.8.8.53: 12+ A? amazon.com. (28)
    15:30:07.624622 PortB, IN: IP 8.8.8.8.53 > 192.168.0.102.57532: 12 6/0/0 A 54.239.17.7,[|domain]
    15:30:07.625651 PortA, OUT: IP 8.8.8.8.53 > 10.10.10.129.57532: 12 6/0/0 A 54.239.17.7,[|domain]
    15:30:07.632001 PortA, IN: IP 10.10.10.129.57533 > 8.8.8.8.53: 13+ AAAA? amazon.com. (28)
    15:30:07.632817 PortB, OUT: IP 192.168.0.102.57533 > 8.8.8.8.53: 13+ AAAA? amazon.com. (28)
    15:30:07.710358 PortB, IN: IP 8.8.8.8.53 > 192.168.0.102.57533: 13 0/1/0 (89)
    15:30:07.711161 PortA, OUT: IP 8.8.8.8.53 > 10.10.10.129.57533: 13 0/1/0 (89)
    15:30:11.373245 PortA, IN: IP 10.10.10.129.57534 > 8.8.8.8.53: 14+ A? snapdeal.com.localdomain. (42)
    15:30:11.374093 PortB, OUT: IP 192.168.0.102.57534 > 8.8.8.8.53: 14+ A? snapdeal.com.localdomain. (42)
    15:30:11.452475 PortB, IN: IP 8.8.8.8.53 > 192.168.0.102.57534: 14 NXDomain 0/1/0 (117)
    15:30:11.453242 PortA, OUT: IP 8.8.8.8.53 > 10.10.10.129.57534: 14 NXDomain 0/1/0 (117)
    15:30:11.454081 PortA, IN: IP 10.10.10.129.57535 > 8.8.8.8.53: 15+ AAAA? snapdeal.com.localdomain. (42)
    15:30:11.454501 PortB, OUT: IP 192.168.0.102.57535 > 8.8.8.8.53: 15+ AAAA? snapdeal.com.localdomain. (42)
    15:30:11.536986 PortB, IN: IP 8.8.8.8.53 > 192.168.0.102.57535: 15 NXDomain 0/1/0 (117)
    15:30:11.537453 PortA, OUT: IP 8.8.8.8.53 > 10.10.10.129.57535: 15 NXDomain 0/1/0 (117)
    15:30:11.538618 PortA, IN: IP 10.10.10.129.57536 > 8.8.8.8.53: 16+ A? snapdeal.com. (30)
    15:30:11.539109 PortB, OUT: IP 192.168.0.102.57536 > 8.8.8.8.53: 16+ A? snapdeal.com. (30)
    15:30:11.558550 PortB, IN: IP 8.8.8.8.53 > 192.168.0.102.57536: 16 1/0/0 A 204.74.99.100 (46)
    15:30:11.559220 PortA, OUT: IP 8.8.8.8.53 > 10.10.10.129.57536: 16 1/0/0 A 204.74.99.100 (46)
    15:30:11.564395 PortA, IN: IP 10.10.10.129.57537 > 8.8.8.8.53: 17+ AAAA? snapdeal.com. (30)
    15:30:11.564910 PortB, OUT: IP 192.168.0.102.57537 > 8.8.8.8.53: 17+ AAAA? snapdeal.com. (30)
    15:30:11.582622 PortB, IN: IP 8.8.8.8.53 > 192.168.0.102.57537: 17 0/1/0 (93)
    15:30:11.582993 PortA, OUT: IP 8.8.8.8.53 > 10.10.10.129.57537: 17 0/1/0 (93)
    15:30:35.294466 PortB, OUT: IP 192.168.0.102.33514 > 8.8.8.8.53: 24776+ A? download.ctmail.com. (37)
    15:30:35.313195 PortB, IN: IP 8.8.8.8.53 > 192.168.0.102.33514: 24776 1/0/0 (53)
    15:32:05.944246 PortB, OUT: IP 192.168.0.102.60844 > 8.8.8.8.53: 8661+ A? resolver5.ast.ctmail.com. (42)
    15:32:05.960975 PortB, IN: IP 8.8.8.8.53 > 192.168.0.102.60844: 8661 2/0/0[|domain]
    15:32:29.937633 PortA, IN: IP 10.10.10.129.57538 > 8.8.8.8.53: 1+ PTR? 8.8.8.8.in-addr.arpa. (38)
    15:32:29.938179 PortB, OUT: IP 192.168.0.102.57538 > 8.8.8.8.53: 1+ PTR? 8.8.8.8.in-addr.arpa. (38)
    15:32:30.024684 PortB, IN: IP 8.8.8.8.53 > 192.168.0.102.57538: 1 1/0/0 (82)
    15:32:30.024890 PortA, OUT: IP 8.8.8.8.53 > 10.10.10.129.57538: 1 1/0/0 (82)
    15:32:36.135119 PortA, IN: IP 10.10.10.129.57539 > 8.8.8.8.53: 2+ A? hoosuit.com.localdomain. (41)
    15:32:36.135580 PortB, OUT: IP 192.168.0.102.57539 > 8.8.8.8.53: 2+ A? hoosuit.com.localdomain. (41)
    15:32:36.210727 PortB, IN: IP 8.8.8.8.53 > 192.168.0.102.57539: 2 NXDomain 0/1/0 (116)
    15:32:36.211118 PortA, OUT: IP 8.8.8.8.53 > 10.10.10.129.57539: 2 NXDomain 0/1/0 (116)
    15:32:36.212139 PortA, IN: IP 10.10.10.129.57540 > 8.8.8.8.53: 3+ AAAA? hoosuit.com.localdomain. (41)
    15:32:36.212580 PortB, OUT: IP 192.168.0.102.57540 > 8.8.8.8.53: 3+ AAAA? hoosuit.com.localdomain. (41)
    15:32:36.286860 PortB, IN: IP 8.8.8.8.53 > 192.168.0.102.57540: 3 NXDomain 0/1/0 (116)
    15:32:36.287726 PortA, OUT: IP 8.8.8.8.53 > 10.10.10.129.57540: 3 NXDomain 0/1/0 (116)
    15:32:36.288475 PortA, IN: IP 10.10.10.129.57541 > 8.8.8.8.53: 4+ A? hoosuit.com. (29)
    15:32:36.288966 PortB, OUT: IP 192.168.0.102.57541 > 8.8.8.8.53: 4+ A? hoosuit.com. (29)
    15:32:36.379554 PortB, IN: IP 8.8.8.8.53 > 192.168.0.102.57541: 4 NXDomain 0/1/0 (102)
    15:32:36.379967 PortA, OUT: IP 8.8.8.8.53 > 10.10.10.129.57541: 4 NXDomain 0/1/0 (102)
    15:32:36.380924 PortA, IN: IP 10.10.10.129.57542 > 8.8.8.8.53: 5+ AAAA? hoosuit.com. (29)
    15:32:36.381514 PortB, OUT: IP 192.168.0.102.57542 > 8.8.8.8.53: 5+ AAAA? hoosuit.com. (29)
    15:32:36.458177 PortB, IN: IP 8.8.8.8.53 > 192.168.0.102.57542: 5 NXDomain 0/1/0 (102)
    15:32:36.458534 PortA, OUT: IP 8.8.8.8.53 > 10.10.10.129.57542: 5 NXDomain 0/1/0 (102)
    15:32:44.571370 PortA, IN: IP 10.10.10.129.57543 > 8.8.8.8.53: 1+ PTR? 8.8.8.8.in-addr.arpa. (38)
    15:32:44.571683 PortB, OUT: IP 192.168.0.102.57543 > 8.8.8.8.53: 1+ PTR? 8.8.8.8.in-addr.arpa. (38)
    15:32:48.822753 PortA, IN: IP 10.10.10.129.57544 > 8.8.8.8.53: 2+ A? google.co.localdomain. (39)
    15:32:48.823201 PortB, OUT: IP 192.168.0.102.57544 > 8.8.8.8.53: 2+ A? google.co.localdomain. (39)
    15:32:48.907618 PortB, IN: IP 8.8.8.8.53 > 192.168.0.102.57544: 2 NXDomain 0/1/0 (114)
    15:32:48.907962 PortA, OUT: IP 8.8.8.8.53 > 10.10.10.129.57544: 2 NXDomain 0/1/0 (114)
    15:32:48.909405 PortA, IN: IP 10.10.10.129.57545 > 8.8.8.8.53: 3+ AAAA? google.co.localdomain. (39)
    15:32:48.910189 PortB, OUT: IP 192.168.0.102.57545 > 8.8.8.8.53: 3+ AAAA? google.co.localdomain. (39)
    15:32:48.984099 PortB, IN: IP 8.8.8.8.53 > 192.168.0.102.57545: 3 NXDomain 0/1/0 (114)
    15:32:48.984581 PortA, OUT: IP 8.8.8.8.53 > 10.10.10.129.57545: 3 NXDomain 0/1/0 (114)
    15:32:48.985652 PortA, IN: IP 10.10.10.129.57546 > 8.8.8.8.53: 4+ A? google.co. (27)
    15:32:48.986104 PortB, OUT: IP 192.168.0.102.57546 > 8.8.8.8.53: 4+ A? google.co. (27)
    15:32:49.081813 PortB, IN: IP 8.8.8.8.53 > 192.168.0.102.57546: 4 1/0/0 A 216.58.199.174 (43)
    15:32:49.082206 PortA, OUT: IP 8.8.8.8.53 > 10.10.10.129.57546: 4 1/0/0 A 216.58.199.174 (43)
    15:32:49.091216 PortA, IN: IP 10.10.10.129.57547 > 8.8.8.8.53: 5+ AAAA? google.co. (27)
    15:32:49.091697 PortB, OUT: IP 192.168.0.102.57547 > 8.8.8.8.53: 5+ AAAA? google.co. (27)
    15:32:49.178232 PortB, IN: IP 8.8.8.8.53 > 192.168.0.102.57547: 5 1/0/0 AAAA[|domain]
    15:32:49.178790 PortA, OUT: IP 8.8.8.8.53 > 10.10.10.129.57547: 5 1/0/0 AAAA[|domain]
    15:32:55.854133 PortA, IN: IP 10.10.10.129.57548 > 8.8.8.8.53: 6+ A? amazon.in.localdomain. (39)
    15:32:55.854617 PortB, OUT: IP 192.168.0.102.57548 > 8.8.8.8.53: 6+ A? amazon.in.localdomain. (39)
    15:32:55.927922 PortB, IN: IP 8.8.8.8.53 > 192.168.0.102.57548: 6 NXDomain 0/1/0 (114)
    15:32:55.928321 PortA, OUT: IP 8.8.8.8.53 > 10.10.10.129.57548: 6 NXDomain 0/1/0 (114)
    15:32:55.929466 PortA, IN: IP 10.10.10.129.57549 > 8.8.8.8.53: 7+ AAAA? amazon.in.localdomain. (39)
    15:32:55.929976 PortB, OUT: IP 192.168.0.102.57549 > 8.8.8.8.53: 7+ AAAA? amazon.in.localdomain. (39)
    15:32:56.020290 PortB, IN: IP 8.8.8.8.53 > 192.168.0.102.57549: 7 NXDomain 0/1/0 (114)
    15:32:56.020667 PortA, OUT: IP 8.8.8.8.53 > 10.10.10.129.57549: 7 NXDomain 0/1/0 (114)
    15:32:56.021856 PortA, IN: IP 10.10.10.129.57550 > 8.8.8.8.53: 8+ A? amazon.in. (27)
    15:32:56.022392 PortB, OUT: IP 192.168.0.102.57550 > 8.8.8.8.53: 8+ A? amazon.in. (27)
    15:32:56.044650 PortB, IN: IP 8.8.8.8.53 > 192.168.0.102.57550: 8 3/0/0 A 54.239.32.8,[|domain]
    15:32:56.045284 PortA, OUT: IP 8.8.8.8.53 > 10.10.10.129.57550: 8 3/0/0 A 54.239.32.8,[|domain]
    15:32:56.054131 PortA, IN: IP 10.10.10.129.57551 > 8.8.8.8.53: 9+ AAAA? amazon.in. (27)
    15:32:56.055461 PortB, OUT: IP 192.168.0.102.57551 > 8.8.8.8.53: 9+ AAAA? amazon.in. (27)
    15:32:56.072284 PortB, IN: IP 8.8.8.8.53 > 192.168.0.102.57551: 9 0/1/0 (98)
    15:32:56.072656 PortA, OUT: IP 8.8.8.8.53 > 10.10.10.129.57551: 9 0/1/0 (98)
    15:33:03.049831 PortB, OUT: IP 192.168.0.102.40173 > 8.8.8.8.53: 24833+ A? ipres.1.geo.ctmail.com. (40)
    15:33:03.451696 PortA, IN: IP 10.10.10.129.57552 > 8.8.8.8.53: 10+ A? facebook.com.localdomain. (42)
    15:33:03.451970 PortB, OUT: IP 192.168.0.102.57552 > 8.8.8.8.53: 10+ A? facebook.com.localdomain. (42)
    15:33:05.460751 PortA, IN: IP 10.10.10.129.57553 > 8.8.8.8.53: 11+ AAAA? facebook.com.localdomain. (42)
    15:33:05.461233 PortB, OUT: IP 192.168.0.102.57553 > 8.8.8.8.53: 11+ AAAA? facebook.com.localdomain. (42)
    15:33:05.535264 PortB, IN: IP 8.8.8.8.53 > 192.168.0.102.57553: 11 NXDomain 0/1/0 (117)
    15:33:05.536044 PortA, OUT: IP 8.8.8.8.53 > 10.10.10.129.57553: 11 NXDomain 0/1/0 (117)
    15:33:05.536883 PortA, IN: IP 10.10.10.129.57554 > 8.8.8.8.53: 12+ A? facebook.com. (30)
    15:33:05.537349 PortB, OUT: IP 192.168.0.102.57554 > 8.8.8.8.53: 12+ A? facebook.com. (30)
    15:33:05.554048 PortB, IN: IP 8.8.8.8.53 > 192.168.0.102.57554: 12 1/0/0 A 31.13.76.68 (46)
    15:33:05.554550 PortA, OUT: IP 8.8.8.8.53 > 10.10.10.129.57554: 12 1/0/0 A 31.13.76.68 (46)
    15:33:05.558440 PortA, IN: IP 10.10.10.129.57555 > 8.8.8.8.53: 13+ AAAA? facebook.com. (30)
    15:33:05.558939 PortB, OUT: IP 192.168.0.102.57555 > 8.8.8.8.53: 13+ AAAA? facebook.com. (30)
    15:33:05.579843 PortB, IN: IP 8.8.8.8.53 > 192.168.0.102.57555: 13 1/0/0 AAAA[|domain]
    15:33:05.580372 PortA, OUT: IP 8.8.8.8.53 > 10.10.10.129.57555: 13 1/0/0 AAAA[|domain]
    15:33:05.973000 PortB, OUT: IP 192.168.0.102.43246 > 8.8.8.8.53: 23575+ A? resolver1.ast.ctmail.com. (42)
    15:33:06.061189 PortB, IN: IP 8.8.8.8.53 > 192.168.0.102.43246: 23575 2/0/0[|domain]
    15:33:06.061562 PortB, OUT: IP 192.168.0.102.4138 > 4.2.2.2.53: 56893+ A? ipres.1.geo.ctmail.com. (40)
    15:33:06.280717 PortB, IN: IP 4.2.2.2.53 > 192.168.0.102.4138: 56893 1/0/0 (56)
    15:33:09.274353 PortA, IN: IP 10.10.10.129.57556 > 8.8.8.8.53: 14+ A? facebook.com.localdomain. (42)
    15:33:09.274653 PortB, OUT: IP 192.168.0.102.57556 > 8.8.8.8.53: 14+ A? facebook.com.localdomain. (42)
    15:33:09.359238 PortB, IN: IP 8.8.8.8.53 > 192.168.0.102.57556: 14 NXDomain 0/1/0 (117)
    15:33:09.359735 PortA, OUT: IP 8.8.8.8.53 > 10.10.10.129.57556: 14 NXDomain 0/1/0 (117)
    15:33:09.360738 PortA, IN: IP 10.10.10.129.57557 > 8.8.8.8.53: 15+ AAAA? facebook.com.localdomain. (42)
    15:33:09.361177 PortB, OUT: IP 192.168.0.102.57557 > 8.8.8.8.53: 15+ AAAA? facebook.com.localdomain. (42)
    15:33:09.436008 PortB, IN: IP 8.8.8.8.53 > 192.168.0.102.57557: 15 NXDomain 0/1/0 (117)
    15:33:09.436379 PortA, OUT: IP 8.8.8.8.53 > 10.10.10.129.57557: 15 NXDomain 0/1/0 (117)
    15:33:09.437348 PortA, IN: IP 10.10.10.129.57558 > 8.8.8.8.53: 16+ A? facebook.com. (30)
    15:33:09.437837 PortB, OUT: IP 192.168.0.102.57558 > 8.8.8.8.53: 16+ A? facebook.com. (30)
    15:33:09.453002 PortB, IN: IP 8.8.8.8.53 > 192.168.0.102.57558: 16 1/0/0 A 31.13.76.68 (46)
    15:33:09.454106 PortA, OUT: IP 8.8.8.8.53 > 10.10.10.129.57558: 16 1/0/0 A 31.13.76.68 (46)
    15:33:09.458465 PortA, IN: IP 10.10.10.129.57559 > 8.8.8.8.53: 17+ AAAA? facebook.com. (30)
    15:33:09.459001 PortB, OUT: IP 192.168.0.102.57559 > 8.8.8.8.53: 17+ AAAA? facebook.com. (30)
    15:33:09.477728 PortB, IN: IP 8.8.8.8.53 > 192.168.0.102.57559: 17 1/0/0 AAAA[|domain]
    15:33:09.478155 PortA, OUT: IP 8.8.8.8.53 > 10.10.10.129.57559: 17 1/0/0 AAAA[|domain]

    Tested with IPS and Application signatures: 3.12.97.

    Kindly verify the application you are using and also the IPS version; you can check it via Backup and Firmware > Pattern Updates.

    Thanks and regards

    Aditya Patel | Network and Security Engineer

  • Oh! Maybe it's my fault. So sorry for the inconvenience.

    Wonderful. Application Filter is working well. But the log view could be smarter, I think.

    A summary of the incident is as follows.

    1. Transmission-Qt sends a DNS request to the NAS (NAS: allow all apps.)
    2. The NAS sends the DNS request to the Domain Controller
    3. The Domain Controller sends the DNS request to Google DNS
    4. The XG Firewall recognized and blocked requests only from Transmission-Qt.
    5. The XG Firewall logged the history. (src: Domain Controller, dst: Google DNS, app: torrent client p2p)
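The capture Aditya posted and the forwarding chain in Harim's summary make the same point: the source address a firewall logs for a DNS query is only the last hop it can see. The following is an added example, not code from the thread or from Sophos: a small Python parser for tcpdump lines in the format shown above. It matches each LAN-side query to the NATed copy on the WAN side by transaction ID and client port (both are preserved when the XG forwards the packet, as the capture shows) and reports on which interface, and from which address, the firewall first saw each query. The sample lines are a subset of the capture above; the function names (`parse_line`, `group_transactions`, `trace_all`) are my own.

```python
"""Correlate tcpdump DNS lines across firewall interfaces to find where each query was first seen."""
import re
from collections import defaultdict

# Constructed sample: a subset of the capture posted above. 10.10.10.129 is the LAN host
# behind the XG (PortA); 192.168.0.102 is the XG's own address on the WAN side (PortB).
SAMPLE_LINES = """\
15:30:02.988986 PortB, OUT: IP 192.168.0.102.58523 > 8.8.8.8.53: 62154+ A? iprep2.t.ctmail.com. (37)
15:30:03.017764 PortB, IN: IP 8.8.8.8.53 > 192.168.0.102.58523: 62154 2/0/0[|domain]
15:30:07.431113 PortA, IN: IP 10.10.10.129.57530 > 8.8.8.8.53: 10+ A? amazon.com.localdomain. (40)
15:30:07.431742 PortB, OUT: IP 192.168.0.102.57530 > 8.8.8.8.53: 10+ A? amazon.com.localdomain. (40)
15:30:07.513609 PortB, IN: IP 8.8.8.8.53 > 192.168.0.102.57530: 10 NXDomain 0/1/0 (115)
15:30:07.514400 PortA, OUT: IP 8.8.8.8.53 > 10.10.10.129.57530: 10 NXDomain 0/1/0 (115)
15:30:07.607144 PortA, IN: IP 10.10.10.129.57532 > 8.8.8.8.53: 12+ A? amazon.com. (28)
15:30:07.607638 PortB, OUT: IP 192.168.0.102.57532 > 8.8.8.8.53: 12+ A? amazon.com. (28)
15:30:07.624622 PortB, IN: IP 8.8.8.8.53 > 192.168.0.102.57532: 12 6/0/0 A 54.239.17.7,[|domain]
15:30:07.625651 PortA, OUT: IP 8.8.8.8.53 > 10.10.10.129.57532: 12 6/0/0 A 54.239.17.7,[|domain]
""".splitlines()

# One tcpdump line: timestamp, interface, direction, 5-tuple, DNS transaction id (+ = recursion desired).
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<iface>\w+), (?P<dir>IN|OUT): IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"(?P<txid>\d+)(?P<rd>\+?) (?P<rest>.*)$"
)
QUERY_RE = re.compile(r"^(?P<qtype>[A-Z]+)\? (?P<qname>\S+)")
# Reply: optional rcode (e.g. NXDomain), answer/authority/additional counts, optional first A record.
REPLY_RE = re.compile(
    r"^(?:(?P<rcode>[A-Za-z]+) )?(?P<an>\d+)/(?P<ns>\d+)/(?P<ar>\d+)"
    r"(?: A (?P<answer>\d+\.\d+\.\d+\.\d+))?"
)


def parse_line(line):
    """Parse one tcpdump DNS line into a dict; return None for lines that are not DNS."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    pkt = m.groupdict()
    pkt["txid"], pkt["sport"], pkt["dport"] = int(pkt["txid"]), int(pkt["sport"]), int(pkt["dport"])
    q = QUERY_RE.match(pkt["rest"])
    if q:
        pkt["kind"] = "query"
        pkt.update(q.groupdict())
    else:
        r = REPLY_RE.match(pkt["rest"])
        if not r:
            return None
        pkt["kind"] = "reply"
        pkt.update(r.groupdict())
    # The client side of a transaction is whichever end is not port 53.
    pkt["client_port"] = pkt["sport"] if pkt["dport"] == 53 else pkt["dport"]
    return pkt


def group_transactions(lines):
    """Group packets by (txid, client port); the XG keeps both when it forwards a query."""
    txs = defaultdict(list)
    for line in lines:
        pkt = parse_line(line)
        if pkt:
            txs[(pkt["txid"], pkt["client_port"])].append(pkt)
    return txs


def trace(packets):
    """Summarise one transaction: where the firewall first saw the query, its hops, and the answer."""
    queries = [p for p in packets if p["kind"] == "query"]
    replies = [p for p in packets if p["kind"] == "reply"]
    if not queries:
        return None
    first = queries[0]  # earliest query packet, i.e. the hop closest to the origin
    last_reply = replies[-1] if replies else None
    return {
        "qname": first["qname"],
        "qtype": first["qtype"],
        # First seen arriving (IN) on an interface: a host behind that interface sent it.
        # First seen leaving (OUT): the firewall itself generated the lookup.
        "origin": first["src"],
        "self_generated": first["dir"] == "OUT",
        "hops": [f"{p['iface']} {p['dir']} {p['src']} -> {p['dst']}" for p in queries],
        "rcode": (last_reply["rcode"] or "NoError") if last_reply else None,
        "answer": last_reply["answer"] if last_reply else None,
    }


def trace_all(lines):
    """Return {(txid, client_port): trace} for every transaction that has a query packet."""
    return {key: t for key, pkts in group_transactions(lines).items() if (t := trace(pkts))}


if __name__ == "__main__":
    for key, t in trace_all(SAMPLE_LINES).items():
        print(key, t["qname"], "origin", t["origin"], "self" if t["self_generated"] else "LAN", t["rcode"], t["answer"])
```

A query first seen arriving on PortA is attributed to the LAN host (10.10.10.129), while the ctmail.com lookups are first seen leaving PortB with the firewall's own address, so the firewall generated them. The origin this reports is only the origin as seen by the firewall: in the chain Harim describes, the first hop the XG sees is the Domain Controller, which is exactly why the log names it as src; tracing the query back to Transmission-Qt needs the resolver logs on the Domain Controller and the NAS, which the firewall cannot see.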
  • Hi Harim,

    Glad the issue is resolved from your end. Keep us posted on any other issue.

    Thanks and Regards

    Aditya Patel | Network and Security Engineer.