FSPM: Getting lots of alerts "A DNS query was blocked for a domain" despite firewall disabled

Hi,
I am getting a lot of client alerts from F-Secure Policy Manager like the following:
Here are the most recent alerts (1) from Policy Manager.
Warning: A DNS query was blocked for a domain.
From: UCL/CLIENTPC1, 2021-11-29 14:13:02 +00:00
Details: A DNS query was blocked for a domain. DNS: proxyserverecs-1736642167.us-east-1.elb.amazonaws.com.
These have been gradually increasing in number, from different clients, with varying DNS queries blocked. I'm not sure of the effect on end users; nobody has complained yet. A lot of the queries look like genuine cloud services: Amazon, Mozilla, etc.
What is most puzzling is that we disable most features except real-time protection on our clients, so no firewall, browsing protection or DeepGuard. So why are these alerts even being generated?
All alerts are coming from clients running F-Secure Client Security 14.22 build 109
I am running FSPM 14.41
Can anyone help please?
Accepted Answer
Hi David,
The "DNS query" alert stands for the Botnet Blocker.
Most likely the DNS resolution is blocked by the Botnet Blocker feature.
You need to do the following:
1. Share the URL with the Labs team, for further investigation. The Labs team will whitelist the URL if the site is not malicious:
https://www.f-secure.com/en/web/labs_global/submit-a-sample#sample-url
2. Whitelist the blocked site or the IP address of the blocked site via the Advanced View in the PM Console at:
========================================================================
* F-Secure Browsing Protection > Settings > Reputation Based Protection > Trusted Hosts
* F-Secure Browsing Protection > Settings > Reputation Based Protection > Trusted Sites
========================================================================
Answers
I'm currently having the same issue. It began today: several clients started to send these DNS query blocks. I'm currently running FSPM 14.01. The clients sending them have different F-Secure versions, 14.01.121 for example.
I've checked the URL on a sandbox URL scan website. It seems to be related to Firefox somehow.
Just gonna provide some further information on this topic:
These are the warnings from a single Client in a ~24h timespan.
This client tried to connect to DNS: proxyserverecs-1736642167.us-east-1.elb.amazonaws.com yesterday and switched to DNS: bidder.am5.vip.prod.criteo.com today.
Other blocked DNS:
DNS: prod.ingestion-edge.prod.dataops.mozgcp.net
DNS: am-vip001.taboola.com
Hi all,
The mentioned URLs are now safe and we have fixed the rating in our system:
proxyserverecs-1736642167.us-east-1.elb.amazonaws[.]com = already marked safe in our NRS
dualstack.guardian.map.fastly[.]net = False Positive, fixed
prod.detectportal.prod.cloudops.mozgcp[.]net = False Positive, fixed
prod.ingestion-edge.prod.dataops.mozgcp[.]net = False Positive, fixed
am-vip001.taboola[.]com = False Positive, fixed
If you are still receiving a few blocked URLs, you should open the following webpage:
https://www.f-secure.com/en/web/labs_global/submit-a-sample#sample-url
Remember to click on this button if you want us to contact you with the result of the analysis: "I want to give more details about this sample and to be notified of the analysis results."
Remember to fill in the information, and describe the issue, so that we can analyse the situation and contact you.
Note:
Please post your question in English in the "Description" field.
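Before whitelisting anything in Trusted Hosts (accepted answer) or submitting every URL to Labs, it helps to aggregate the alert mail by blocked domain and client, and to separate domains Labs has already re-rated from ones that still need a sample submission. The script below is an added example, not F-Secure code: it assumes the alert text format quoted in the question, uses the five domains from the Labs reply above as the "already fixed" set, and treats a local suffix list plus the `cdn.example.net` entry as constructed illustration data.

```python
"""Triage F-Secure Policy Manager "A DNS query was blocked" alerts.

Parses alert text in the format quoted in the thread, aggregates blocked
domains per client, and assigns each domain an action: already re-rated by
Labs, covered by a local trusted-hosts suffix, or still to be submitted.
Sample input is constructed to match that format; it is not a real export.
"""
import re
from collections import defaultdict

# Constructed sample, shaped like the Policy Manager notification mail.
SAMPLE_ALERTS = """\
Warning: A DNS query was blocked for a domain.
From: UCL/CLIENTPC1, 2021-11-29 14:13:02 +00:00
Details: A DNS query was blocked for a domain. DNS: proxyserverecs-1736642167.us-east-1.elb.amazonaws.com.
Warning: A DNS query was blocked for a domain.
From: UCL/CLIENTPC1, 2021-11-30 09:41:10 +00:00
Details: A DNS query was blocked for a domain. DNS: bidder.am5.vip.prod.criteo.com.
Warning: A DNS query was blocked for a domain.
From: UCL/CLIENTPC7, 2021-11-30 09:42:55 +00:00
Details: A DNS query was blocked for a domain. DNS: prod.ingestion-edge.prod.dataops.mozgcp.net.
Warning: A DNS query was blocked for a domain.
From: UCL/CLIENTPC7, 2021-11-30 11:02:03 +00:00
Details: A DNS query was blocked for a domain. DNS: cdn.example.net.
Warning: A DNS query was blocked for a domain.
From: UCL/CLIENTPC3, 2021-12-01 08:15:27 +00:00
Details: A DNS query was blocked for a domain. DNS: cdn.example.net.
"""

# Domains the Labs reply in the thread reported as re-rated (defanged as posted).
LABS_FIXED = [
    "proxyserverecs-1736642167.us-east-1.elb.amazonaws[.]com",
    "dualstack.guardian.map.fastly[.]net",
    "prod.detectportal.prod.cloudops.mozgcp[.]net",
    "prod.ingestion-edge.prod.dataops.mozgcp[.]net",
    "am-vip001.taboola[.]com",
]

# Hypothetical local Trusted Hosts entries (assumption: one domain suffix each).
LOCAL_TRUSTED = ["criteo.com"]

# One alert = a "From:" line followed by a "Details:" line carrying the domain.
ALERT_RE = re.compile(
    r"^From: (?P<client>\S+), (?P<ts>\S+ \S+ \S+)\s*\n"
    r"^Details: A DNS query was blocked for a domain\. DNS: (?P<domain>[A-Za-z0-9.-]+)",
    re.MULTILINE,
)


def defang(domain):
    """Render a domain as 'a[.]b' so it is safe to paste into tickets/mail."""
    return domain.replace(".", "[.]")


def refang(domain):
    return domain.replace("[.]", ".")


def parse_alerts(text):
    """Return one dict per alert: client, timestamp, blocked domain (no trailing dot)."""
    return [
        {"client": m["client"], "ts": m["ts"], "domain": m["domain"].rstrip(".").lower()}
        for m in ALERT_RE.finditer(text)
    ]


def matches_suffix(domain, entries):
    """True if domain equals an entry or is a subdomain of it."""
    return any(domain == e or domain.endswith("." + e) for e in entries)


def triage(alerts, labs_fixed=LABS_FIXED, local_trusted=LOCAL_TRUSTED):
    """Aggregate alerts per domain and decide what to do with each."""
    per_domain = defaultdict(lambda: {"count": 0, "clients": set()})
    for a in alerts:
        per_domain[a["domain"]]["count"] += 1
        per_domain[a["domain"]]["clients"].add(a["client"])
    fixed = {refang(d).lower() for d in labs_fixed}
    result = {}
    for domain, entry in per_domain.items():
        if domain in fixed:
            action = "labs-fixed"        # rating already corrected upstream
        elif matches_suffix(domain, local_trusted):
            action = "trusted-locally"   # covered by our own Trusted Hosts entry
        else:
            action = "submit-to-labs"    # unknown: send via the sample-URL form
        result[domain] = {"count": entry["count"],
                          "clients": sorted(entry["clients"]), "action": action}
    return result


def report(result):
    """Most-blocked domains first, defanged, with the affected clients."""
    rows = sorted(result.items(), key=lambda kv: -kv[1]["count"])
    return "\n".join(f"{r['count']:3d}  {r['action']:16s} {defang(d)}  "
                     f"clients={','.join(r['clients'])}" for d, r in rows)


if __name__ == "__main__":
    print(report(triage(parse_alerts(SAMPLE_ALERTS))))
```

Feed it the text of the alert mails (or a Policy Manager alert export in the same format) and only the "submit-to-labs" rows need a sample-URL submission; "labs-fixed" rows should stop once clients pick up the corrected rating, and a "trusted-locally" row that still alerts indicates the Trusted Hosts entry has not reached that client.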
I'm still getting an awful lot of these. I've had about 100 alerts in my inbox from over the Christmas break. There is obviously a problem at your end that is causing this, as I never used to get alerts with this frequency, and I shouldn't have to submit each URL to make this stop.