FSPM:Getting lots of alerts "A DNS query was blocked for a domain" despite firewall disabled

DavidCES
DavidCES Posts: 16 New Member

Hi,

I am getting a lot of client alerts from F-Secure Policy Manager like the following


Here are the most recent alerts (1) from Policy Manager.

Warning: A DNS query was blocked for a domain.

From: UCL/CLIENTPC1, 2021-11-29 14:13:02 +00:00

Details: A DNS query was blocked for a domain. DNS: proxyserverecs-1736642167.us-east-1.elb.amazonaws.com.


These have gradually been increasing in number, from different clients, varying DNS queries are blocked, not sure of the effect on end users, nobody has complained yet. A lot of the queries look like genuine cloud services- amazon, mozilla etc.

What is most puzzling is that we disable most features except real time protection on our clients, so no firewall, browsing protection or deepguard. So why are these alerts even being generated?

All alerts are coming from clients running F-Secure Client Security 14.22 build 109

I am running FSPM 14.41

Can anyone help please?

Accepted Answer

  • Jamesch
    Jamesch Posts: 354 Moderator
    Answer ✓

    Hi David,

    DNS query stands for Botnet blocker.

    Most likely the DNS resolution is blocked by the Botnet Blocker feature.


    You need to do the following:


    1. Share the URL with the Labs team, for further investigation. The Labs team will whitelist the URL if the site is not malicious:


    https://www.f-secure.com/en/web/labs_global/submit-a-sample#sample-url


    2. Whitelist the blocked site or the IP address of the blocked site via the Advanced View in the PM Console at:

    ========================================================================

    * F-Secure Browsing Protection > Settings > Reputation Based Protection > Trusted Hosts

    * F-Secure Browsing Protection > Settings > Reputation Based Protection > Trusted Sites

    ========================================================================

Answers

  • MaKl
    MaKl Posts: 2 New Member

    I´m currently having the same issue. It began today, that several Clients started to send these DNS query blocks. I´m currently running a FSPM 14.01. The Clients sending are having different F-Secure Versions, 14.01.121 for example.

    I´ve checked the URL on a Sandbox URL scan website. It seems to be related to Firefox somehow.

  • Jamesch
    Jamesch Posts: 354 Moderator

    Hi,

    I am checking this now and will update here.

  • DavidCES
    DavidCES Posts: 16 New Member

    Some further examples of domains being blocked

    A DNS query was blocked for a domain. DNS: dualstack.guardian.map.fastly.net.

    A DNS query was blocked for a domain. DNS: prod.detectportal.prod.cloudops.mozgcp.net.

  • MaKl
    MaKl Posts: 2 New Member

    Just gonna provide some further information on this topic:

    These are the warnings from a single Client in a ~24h timespan.

    This client tried to connect to DNS: proxyserverecs-1736642167.us-east-1.elb.amazonaws.com yesterday and switched to DNS: bidder.am5.vip.prod.criteo.com today.

    Other blocked DNS:

    DNS: prod.ingestion-edge.prod.dataops.mozgcp.net

    DNS: am-vip001.taboola.com

  • Jamesch
    Jamesch Posts: 354 Moderator

    Hi all,

    This is a botnet blocker feature sending those alerts.

    Regarding why it started yesterday, it might be related to some security cloud changes causing false-positives to good URLs.

    I will check with our detection team and update you.

  • Jamesch
    Jamesch Posts: 354 Moderator

    Hi all,

    The mentioned URLs are now safe and we have fixed the rating in our system:


    proxyserverecs-1736642167.us-east-1.elb.amazonaws[.]com = already marked safe in our NRS

    dualstack.guardian.map.fastly[.]net = False Positive, fixed

    prod.detectportal.prod.cloudops.mozgcp[.]net = False Positive, fixed

    prod.ingestion-edge.prod.dataops.mozgcp[.]net = False Positive, fixed

    am-vip001.taboola[.]com = False Positive, fixed


    If you are still receiving few URLs blocked, you should open the following webpage:

    https://www.f-secure.com/en/web/labs_global/submit-a-sample#sample-url


    Remember to click on this bottom, if you want us to contact you with the result of the analyses: I want to give more details about this sample and to be notified of the analysis results​. 


    Remember to fill in the information, and describe the issue, so that we can analyse the situation and contact you. 


    Note:

    Please post your question in English in the "Description" field.

    Vad
  • DavidCES
    DavidCES Posts: 16 New Member

    Why are our URLs being scanned if I only have real-time protection enabled?

  • DavidCES
    DavidCES Posts: 16 New Member

    Is there an option to disable Botnet blocker?

  • Vad
    Vad Posts: 1,089 F-Secure Employee

    Hello DavidCES,


    Sure, you can disable it from Policy Manager console - Settings (Standard view) - Web Traffic scanning tab, second section.

    Best regards,

    Vad

    Jaims
  • DavidCES
    DavidCES Posts: 16 New Member

    Looking at my own PC that has been sending alerts, web traffic scanning is already showing as Off under Settings, so why is it still generating alerts?

  • Vad
    Vad Posts: 1,089 F-Secure Employee
    edited December 2021

    Hello!

    I mean this setting:

    Best regards,

    Vad

  • DavidCES
    DavidCES Posts: 16 New Member

    But web traffic scanning is OFF on clients, so why should these settings matter at all?

  • Vad
    Vad Posts: 1,089 F-Secure Employee

    Hello David CES,


    You mean HTTP scanning? It's a separate feature. And its tuning doesn't affect Botnet Blocker.


    Best regards,

    Vad

  • DavidCES
    DavidCES Posts: 16 New Member

    Just so I understand, botnet blocker runs regardless of whether web traffic scanning is on or off? And to turn it off I would need to set the policy is FSPM?

  • Vad
    Vad Posts: 1,089 F-Secure Employee

    Yes, correct.

  • DavidCES
    DavidCES Posts: 16 New Member

    I'm still getting an awful lot of these. I've had about 100 alerts in my inbox from over the Christmas break. There is obviously a problem at your end that is causing this as I never used to get alerts with this frequency and I shouldnt have to submit each url to make this stop.

  • DavidCES
    DavidCES Posts: 16 New Member

    Have found that an advert on Firefox start page for 'Forge of Empires' triggers a block for the url: lps.innogames.com

  • Vad
    Vad Posts: 1,089 F-Secure Employee

    Hello DavidCES,


    Just want to mention, that you can always report FP for the url you consider safe.


    Best regards,

    Vad