Guest User!

You are not Sophos Staff.

Thread Info
  • State Verified Answer
  • Locked Locked
  • Replies 6 replies
  • Answers 1 answer
  • Subscribers 27 subscribers
  • Views 8830 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

[Application Filter] Google DNS registered risk level 5 (Torrent Clients P2P)

FoW

SFOS 16.01.0

Application Filter blocked DNS Forwarding my DNS Server.

Torrent Clients? Maybe something is wrong? 



This thread was automatically locked due to age.
Parents
  • 0

    Harim,

    can you share your Firewall Policies?

    Thanks

  • 0 in reply to FoW

    Uhm....Tomorrow I will check this configuration...however you should always allow required services instead of any. Also separate DNS service in one rule and http/https services in another and apply the app filter here.

  • 0 in reply to FoW

    Hi Harim, 

    We have checked with the same application filter policy, and found no issue while inquiring for DNS request . I have tested with a host system in LAN and XG as a Gateway appliance . You may verify the settings as per the snaps below .

    15:30:02.988986 PortB, OUT: IP 192.168.0.102.58523 > 8.8.8.8.53: 62154+ A? iprep2.t.ctmail.com. (37)
    15:30:03.017764 PortB, IN: IP 8.8.8.8.53 > 192.168.0.102.58523: 62154 2/0/0[|domain]
    15:30:05.905480 PortB, OUT: IP 192.168.0.102.7212 > 8.8.8.8.53: 6954+ A? resolver3.ast.ctmail.com. (42)
    15:30:05.922942 PortB, IN: IP 8.8.8.8.53 > 192.168.0.102.7212: 6954 2/0/0[|domain]
    15:30:07.431113 PortA, IN: IP 10.10.10.129.57530 > 8.8.8.8.53: 10+ A? amazon.com.localdomain. (40)
    15:30:07.431742 PortB, OUT: IP 192.168.0.102.57530 > 8.8.8.8.53: 10+ A? amazon.com.localdomain. (40)
    15:30:07.513609 PortB, IN: IP 8.8.8.8.53 > 192.168.0.102.57530: 10 NXDomain 0/1/0 (115)
    15:30:07.514400 PortA, OUT: IP 8.8.8.8.53 > 10.10.10.129.57530: 10 NXDomain 0/1/0 (115)
    15:30:07.515267 PortA, IN: IP 10.10.10.129.57531 > 8.8.8.8.53: 11+ AAAA? amazon.com.localdomain. (40)
    15:30:07.515694 PortB, OUT: IP 192.168.0.102.57531 > 8.8.8.8.53: 11+ AAAA? amazon.com.localdomain. (40)
    15:30:07.605734 PortB, IN: IP 8.8.8.8.53 > 192.168.0.102.57531: 11 NXDomain 0/1/0 (115)
    15:30:07.606124 PortA, OUT: IP 8.8.8.8.53 > 10.10.10.129.57531: 11 NXDomain 0/1/0 (115)
    15:30:07.607144 PortA, IN: IP 10.10.10.129.57532 > 8.8.8.8.53: 12+ A? amazon.com. (28)
    15:30:07.607638 PortB, OUT: IP 192.168.0.102.57532 > 8.8.8.8.53: 12+ A? amazon.com. (28)
    15:30:07.624622 PortB, IN: IP 8.8.8.8.53 > 192.168.0.102.57532: 12 6/0/0 A 54.239.17.7,[|domain]
    15:30:07.625651 PortA, OUT: IP 8.8.8.8.53 > 10.10.10.129.57532: 12 6/0/0 A 54.239.17.7,[|domain]
    15:30:07.632001 PortA, IN: IP 10.10.10.129.57533 > 8.8.8.8.53: 13+ AAAA? amazon.com. (28)
    15:30:07.632817 PortB, OUT: IP 192.168.0.102.57533 > 8.8.8.8.53: 13+ AAAA? amazon.com. (28)
    15:30:07.710358 PortB, IN: IP 8.8.8.8.53 > 192.168.0.102.57533: 13 0/1/0 (89)
    15:30:07.711161 PortA, OUT: IP 8.8.8.8.53 > 10.10.10.129.57533: 13 0/1/0 (89)
    15:30:11.373245 PortA, IN: IP 10.10.10.129.57534 > 8.8.8.8.53: 14+ A? snapdeal.com.localdomain. (42)
    15:30:11.374093 PortB, OUT: IP 192.168.0.102.57534 > 8.8.8.8.53: 14+ A? snapdeal.com.localdomain. (42)
    15:30:11.452475 PortB, IN: IP 8.8.8.8.53 > 192.168.0.102.57534: 14 NXDomain 0/1/0 (117)
    15:30:11.453242 PortA, OUT: IP 8.8.8.8.53 > 10.10.10.129.57534: 14 NXDomain 0/1/0 (117)
    15:30:11.454081 PortA, IN: IP 10.10.10.129.57535 > 8.8.8.8.53: 15+ AAAA? snapdeal.com.localdomain. (42)
    15:30:11.454501 PortB, OUT: IP 192.168.0.102.57535 > 8.8.8.8.53: 15+ AAAA? snapdeal.com.localdomain. (42)
    15:30:11.536986 PortB, IN: IP 8.8.8.8.53 > 192.168.0.102.57535: 15 NXDomain 0/1/0 (117)
    15:30:11.537453 PortA, OUT: IP 8.8.8.8.53 > 10.10.10.129.57535: 15 NXDomain 0/1/0 (117)
    15:30:11.538618 PortA, IN: IP 10.10.10.129.57536 > 8.8.8.8.53: 16+ A? snapdeal.com. (30)
    15:30:11.539109 PortB, OUT: IP 192.168.0.102.57536 > 8.8.8.8.53: 16+ A? snapdeal.com. (30)
    15:30:11.558550 PortB, IN: IP 8.8.8.8.53 > 192.168.0.102.57536: 16 1/0/0 A 204.74.99.100 (46)
    15:30:11.559220 PortA, OUT: IP 8.8.8.8.53 > 10.10.10.129.57536: 16 1/0/0 A 204.74.99.100 (46)
    15:30:11.564395 PortA, IN: IP 10.10.10.129.57537 > 8.8.8.8.53: 17+ AAAA? snapdeal.com. (30)
    15:30:11.564910 PortB, OUT: IP 192.168.0.102.57537 > 8.8.8.8.53: 17+ AAAA? snapdeal.com. (30)
    15:30:11.582622 PortB, IN: IP 8.8.8.8.53 > 192.168.0.102.57537: 17 0/1/0 (93)
    15:30:11.582993 PortA, OUT: IP 8.8.8.8.53 > 10.10.10.129.57537: 17 0/1/0 (93)
    15:30:35.294466 PortB, OUT: IP 192.168.0.102.33514 > 8.8.8.8.53: 24776+ A? download.ctmail.com. (37)
    15:30:35.313195 PortB, IN: IP 8.8.8.8.53 > 192.168.0.102.33514: 24776 1/0/0 (53)
    15:32:05.944246 PortB, OUT: IP 192.168.0.102.60844 > 8.8.8.8.53: 8661+ A? resolver5.ast.ctmail.com. (42)
    15:32:05.960975 PortB, IN: IP 8.8.8.8.53 > 192.168.0.102.60844: 8661 2/0/0[|domain]
    15:32:29.937633 PortA, IN: IP 10.10.10.129.57538 > 8.8.8.8.53: 1+ PTR? 8.8.8.8.in-addr.arpa. (38)
    15:32:29.938179 PortB, OUT: IP 192.168.0.102.57538 > 8.8.8.8.53: 1+ PTR? 8.8.8.8.in-addr.arpa. (38)
    15:32:30.024684 PortB, IN: IP 8.8.8.8.53 > 192.168.0.102.57538: 1 1/0/0 (82)
    15:32:30.024890 PortA, OUT: IP 8.8.8.8.53 > 10.10.10.129.57538: 1 1/0/0 (82)
    15:32:36.135119 PortA, IN: IP 10.10.10.129.57539 > 8.8.8.8.53: 2+ A? hoosuit.com.localdomain. (41)
    15:32:36.135580 PortB, OUT: IP 192.168.0.102.57539 > 8.8.8.8.53: 2+ A? hoosuit.com.localdomain. (41)
    15:32:36.210727 PortB, IN: IP 8.8.8.8.53 > 192.168.0.102.57539: 2 NXDomain 0/1/0 (116)
    15:32:36.211118 PortA, OUT: IP 8.8.8.8.53 > 10.10.10.129.57539: 2 NXDomain 0/1/0 (116)
    15:32:36.212139 PortA, IN: IP 10.10.10.129.57540 > 8.8.8.8.53: 3+ AAAA? hoosuit.com.localdomain. (41)
    15:32:36.212580 PortB, OUT: IP 192.168.0.102.57540 > 8.8.8.8.53: 3+ AAAA? hoosuit.com.localdomain. (41)
    15:32:36.286860 PortB, IN: IP 8.8.8.8.53 > 192.168.0.102.57540: 3 NXDomain 0/1/0 (116)
    15:32:36.287726 PortA, OUT: IP 8.8.8.8.53 > 10.10.10.129.57540: 3 NXDomain 0/1/0 (116)
    15:32:36.288475 PortA, IN: IP 10.10.10.129.57541 > 8.8.8.8.53: 4+ A? hoosuit.com. (29)
    15:32:36.288966 PortB, OUT: IP 192.168.0.102.57541 > 8.8.8.8.53: 4+ A? hoosuit.com. (29)
    15:32:36.379554 PortB, IN: IP 8.8.8.8.53 > 192.168.0.102.57541: 4 NXDomain 0/1/0 (102)
    15:32:36.379967 PortA, OUT: IP 8.8.8.8.53 > 10.10.10.129.57541: 4 NXDomain 0/1/0 (102)
    15:32:36.380924 PortA, IN: IP 10.10.10.129.57542 > 8.8.8.8.53: 5+ AAAA? hoosuit.com. (29)
    15:32:36.381514 PortB, OUT: IP 192.168.0.102.57542 > 8.8.8.8.53: 5+ AAAA? hoosuit.com. (29)
    15:32:36.458177 PortB, IN: IP 8.8.8.8.53 > 192.168.0.102.57542: 5 NXDomain 0/1/0 (102)
    15:32:36.458534 PortA, OUT: IP 8.8.8.8.53 > 10.10.10.129.57542: 5 NXDomain 0/1/0 (102)
    15:32:44.571370 PortA, IN: IP 10.10.10.129.57543 > 8.8.8.8.53: 1+ PTR? 8.8.8.8.in-addr.arpa. (38)
    15:32:44.571683 PortB, OUT: IP 192.168.0.102.57543 > 8.8.8.8.53: 1+ PTR? 8.8.8.8.in-addr.arpa. (38)
    15:32:48.822753 PortA, IN: IP 10.10.10.129.57544 > 8.8.8.8.53: 2+ A? google.co.localdomain. (39)
    15:32:48.823201 PortB, OUT: IP 192.168.0.102.57544 > 8.8.8.8.53: 2+ A? google.co.localdomain. (39)
    15:32:48.907618 PortB, IN: IP 8.8.8.8.53 > 192.168.0.102.57544: 2 NXDomain 0/1/0 (114)
    15:32:48.907962 PortA, OUT: IP 8.8.8.8.53 > 10.10.10.129.57544: 2 NXDomain 0/1/0 (114)
    15:32:48.909405 PortA, IN: IP 10.10.10.129.57545 > 8.8.8.8.53: 3+ AAAA? google.co.localdomain. (39)
    15:32:48.910189 PortB, OUT: IP 192.168.0.102.57545 > 8.8.8.8.53: 3+ AAAA? google.co.localdomain. (39)
    15:32:48.984099 PortB, IN: IP 8.8.8.8.53 > 192.168.0.102.57545: 3 NXDomain 0/1/0 (114)
    15:32:48.984581 PortA, OUT: IP 8.8.8.8.53 > 10.10.10.129.57545: 3 NXDomain 0/1/0 (114)
    15:32:48.985652 PortA, IN: IP 10.10.10.129.57546 > 8.8.8.8.53: 4+ A? google.co. (27)
    15:32:48.986104 PortB, OUT: IP 192.168.0.102.57546 > 8.8.8.8.53: 4+ A? google.co. (27)
    15:32:49.081813 PortB, IN: IP 8.8.8.8.53 > 192.168.0.102.57546: 4 1/0/0 A 216.58.199.174 (43)
    15:32:49.082206 PortA, OUT: IP 8.8.8.8.53 > 10.10.10.129.57546: 4 1/0/0 A 216.58.199.174 (43)
    15:32:49.091216 PortA, IN: IP 10.10.10.129.57547 > 8.8.8.8.53: 5+ AAAA? google.co. (27)
    15:32:49.091697 PortB, OUT: IP 192.168.0.102.57547 > 8.8.8.8.53: 5+ AAAA? google.co. (27)
    15:32:49.178232 PortB, IN: IP 8.8.8.8.53 > 192.168.0.102.57547: 5 1/0/0 AAAA[|domain]
    15:32:49.178790 PortA, OUT: IP 8.8.8.8.53 > 10.10.10.129.57547: 5 1/0/0 AAAA[|domain]
    15:32:55.854133 PortA, IN: IP 10.10.10.129.57548 > 8.8.8.8.53: 6+ A? amazon.in.localdomain. (39)
    15:32:55.854617 PortB, OUT: IP 192.168.0.102.57548 > 8.8.8.8.53: 6+ A? amazon.in.localdomain. (39)
    15:32:55.927922 PortB, IN: IP 8.8.8.8.53 > 192.168.0.102.57548: 6 NXDomain 0/1/0 (114)
    15:32:55.928321 PortA, OUT: IP 8.8.8.8.53 > 10.10.10.129.57548: 6 NXDomain 0/1/0 (114)
    15:32:55.929466 PortA, IN: IP 10.10.10.129.57549 > 8.8.8.8.53: 7+ AAAA? amazon.in.localdomain. (39)
    15:32:55.929976 PortB, OUT: IP 192.168.0.102.57549 > 8.8.8.8.53: 7+ AAAA? amazon.in.localdomain. (39)
    15:32:56.020290 PortB, IN: IP 8.8.8.8.53 > 192.168.0.102.57549: 7 NXDomain 0/1/0 (114)
    15:32:56.020667 PortA, OUT: IP 8.8.8.8.53 > 10.10.10.129.57549: 7 NXDomain 0/1/0 (114)
    15:32:56.021856 PortA, IN: IP 10.10.10.129.57550 > 8.8.8.8.53: 8+ A? amazon.in. (27)
    15:32:56.022392 PortB, OUT: IP 192.168.0.102.57550 > 8.8.8.8.53: 8+ A? amazon.in. (27)
    15:32:56.044650 PortB, IN: IP 8.8.8.8.53 > 192.168.0.102.57550: 8 3/0/0 A 54.239.32.8,[|domain]
    15:32:56.045284 PortA, OUT: IP 8.8.8.8.53 > 10.10.10.129.57550: 8 3/0/0 A 54.239.32.8,[|domain]
    15:32:56.054131 PortA, IN: IP 10.10.10.129.57551 > 8.8.8.8.53: 9+ AAAA? amazon.in. (27)
    15:32:56.055461 PortB, OUT: IP 192.168.0.102.57551 > 8.8.8.8.53: 9+ AAAA? amazon.in. (27)
    15:32:56.072284 PortB, IN: IP 8.8.8.8.53 > 192.168.0.102.57551: 9 0/1/0 (98)
    15:32:56.072656 PortA, OUT: IP 8.8.8.8.53 > 10.10.10.129.57551: 9 0/1/0 (98)
    15:33:03.049831 PortB, OUT: IP 192.168.0.102.40173 > 8.8.8.8.53: 24833+ A? ipres.1.geo.ctmail.com. (40)
    15:33:03.451696 PortA, IN: IP 10.10.10.129.57552 > 8.8.8.8.53: 10+ A? facebook.com.localdomain. (42)
    15:33:03.451970 PortB, OUT: IP 192.168.0.102.57552 > 8.8.8.8.53: 10+ A? facebook.com.localdomain. (42)
    15:33:05.460751 PortA, IN: IP 10.10.10.129.57553 > 8.8.8.8.53: 11+ AAAA? facebook.com.localdomain. (42)
    15:33:05.461233 PortB, OUT: IP 192.168.0.102.57553 > 8.8.8.8.53: 11+ AAAA? facebook.com.localdomain. (42)
    15:33:05.535264 PortB, IN: IP 8.8.8.8.53 > 192.168.0.102.57553: 11 NXDomain 0/1/0 (117)
    15:33:05.536044 PortA, OUT: IP 8.8.8.8.53 > 10.10.10.129.57553: 11 NXDomain 0/1/0 (117)
    15:33:05.536883 PortA, IN: IP 10.10.10.129.57554 > 8.8.8.8.53: 12+ A? facebook.com. (30)
    15:33:05.537349 PortB, OUT: IP 192.168.0.102.57554 > 8.8.8.8.53: 12+ A? facebook.com. (30)
    15:33:05.554048 PortB, IN: IP 8.8.8.8.53 > 192.168.0.102.57554: 12 1/0/0 A 31.13.76.68 (46)
    15:33:05.554550 PortA, OUT: IP 8.8.8.8.53 > 10.10.10.129.57554: 12 1/0/0 A 31.13.76.68 (46)
    15:33:05.558440 PortA, IN: IP 10.10.10.129.57555 > 8.8.8.8.53: 13+ AAAA? facebook.com. (30)
    15:33:05.558939 PortB, OUT: IP 192.168.0.102.57555 > 8.8.8.8.53: 13+ AAAA? facebook.com. (30)
    15:33:05.579843 PortB, IN: IP 8.8.8.8.53 > 192.168.0.102.57555: 13 1/0/0 AAAA[|domain]
    15:33:05.580372 PortA, OUT: IP 8.8.8.8.53 > 10.10.10.129.57555: 13 1/0/0 AAAA[|domain]
    15:33:05.973000 PortB, OUT: IP 192.168.0.102.43246 > 8.8.8.8.53: 23575+ A? resolver1.ast.ctmail.com. (42)
    15:33:06.061189 PortB, IN: IP 8.8.8.8.53 > 192.168.0.102.43246: 23575 2/0/0[|domain]
    15:33:06.061562 PortB, OUT: IP 192.168.0.102.4138 > 4.2.2.2.53: 56893+ A? ipres.1.geo.ctmail.com. (40)
    15:33:06.280717 PortB, IN: IP 4.2.2.2.53 > 192.168.0.102.4138: 56893 1/0/0 (56)
    15:33:09.274353 PortA, IN: IP 10.10.10.129.57556 > 8.8.8.8.53: 14+ A? facebook.com.localdomain. (42)
    15:33:09.274653 PortB, OUT: IP 192.168.0.102.57556 > 8.8.8.8.53: 14+ A? facebook.com.localdomain. (42)
    15:33:09.359238 PortB, IN: IP 8.8.8.8.53 > 192.168.0.102.57556: 14 NXDomain 0/1/0 (117)
    15:33:09.359735 PortA, OUT: IP 8.8.8.8.53 > 10.10.10.129.57556: 14 NXDomain 0/1/0 (117)
    15:33:09.360738 PortA, IN: IP 10.10.10.129.57557 > 8.8.8.8.53: 15+ AAAA? facebook.com.localdomain. (42)
    15:33:09.361177 PortB, OUT: IP 192.168.0.102.57557 > 8.8.8.8.53: 15+ AAAA? facebook.com.localdomain. (42)
    15:33:09.436008 PortB, IN: IP 8.8.8.8.53 > 192.168.0.102.57557: 15 NXDomain 0/1/0 (117)
    15:33:09.436379 PortA, OUT: IP 8.8.8.8.53 > 10.10.10.129.57557: 15 NXDomain 0/1/0 (117)
    15:33:09.437348 PortA, IN: IP 10.10.10.129.57558 > 8.8.8.8.53: 16+ A? facebook.com. (30)
    15:33:09.437837 PortB, OUT: IP 192.168.0.102.57558 > 8.8.8.8.53: 16+ A? facebook.com. (30)
    15:33:09.453002 PortB, IN: IP 8.8.8.8.53 > 192.168.0.102.57558: 16 1/0/0 A 31.13.76.68 (46)
    15:33:09.454106 PortA, OUT: IP 8.8.8.8.53 > 10.10.10.129.57558: 16 1/0/0 A 31.13.76.68 (46)
    15:33:09.458465 PortA, IN: IP 10.10.10.129.57559 > 8.8.8.8.53: 17+ AAAA? facebook.com. (30)
    15:33:09.459001 PortB, OUT: IP 192.168.0.102.57559 > 8.8.8.8.53: 17+ AAAA? facebook.com. (30)
    15:33:09.477728 PortB, IN: IP 8.8.8.8.53 > 192.168.0.102.57559: 17 1/0/0 AAAA[|domain]
    15:33:09.478155 PortA, OUT: IP 8.8.8.8.53 > 10.10.10.129.57559: 17 1/0/0 AAAA[|domain]

     

     

    Tested with IPS and Application signatures: 3.12.97. 

    Kindly verify the application you are using and also the IPS version , you may check via Backup and Firmware > Pattern Updates

    Thanks and regards

    Aditya Patel \ Network and Security Engineer

  • +1 in reply to Aditya Patel

    Oh! maybe it's my fault. So sorry to inconvenience.

    Wonderful. Application Filter is good working. But log view can be more smart, I think.

    Summary is as follows incidents.

    1. Transmission-Qt request DN to NAS (NAS: allow all apps.)
    2. NAS request DN to Domain Controller
    3. Domain Controller request DN to Google DNS
    4. XG Firewall were recognized and blocked requests only from the Trnasmission-Qt.
    5. XG Firewll were logged history.  (src: Domain Controller dst: Google DNS app: torrent client p2p)
Reply
  • +1 in reply to Aditya Patel

    Oh! maybe it's my fault. So sorry to inconvenience.

    Wonderful. Application Filter is good working. But log view can be more smart, I think.

    Summary is as follows incidents.

    1. Transmission-Qt request DN to NAS (NAS: allow all apps.)
    2. NAS request DN to Domain Controller
    3. Domain Controller request DN to Google DNS
    4. XG Firewall were recognized and blocked requests only from the Trnasmission-Qt.
    5. XG Firewll were logged history.  (src: Domain Controller dst: Google DNS app: torrent client p2p)
Children