FSPM:Getting lots of alerts "A DNS query was blocked for a domain" despite firewall disabled

DavidCES

Hi,

I am getting a lot of client alerts from F-Secure Policy Manager like the following

Here are the most recent alerts (1) from Policy Manager.

Warning: A DNS query was blocked for a domain.

From: UCL/CLIENTPC1, 2021-11-29 14:13:02 +00:00

Details: A DNS query was blocked for a domain. DNS: proxyserverecs-1736642167.us-east-1.elb.amazonaws.com.

These have gradually been increasing in number, from different clients, varying DNS queries are blocked, not sure of the effect on end users, nobody has complained yet. A lot of the queries look like genuine cloud services- amazon, mozilla etc.

What is most puzzling is that we disable most features except real time protection on our clients, so no firewall, browsing protection or deepguard. So why are these alerts even being generated?

All alerts are coming from clients running F-Secure Client Security 14.22 build 109

I am running FSPM 14.41

Can anyone help please?

JamesC

Hi David,

DNS query stands for Botnet blocker.

Most likely the DNS resolution is blocked by the Botnet Blocker feature.

You need to do the following:

1. Share the URL with the Labs team, for further investigation. The Labs team will whitelist the URL if the site is not malicious:

https://www.f-secure.com/en/web/labs_global/submit-a-sample#sample-url

2. Whitelist the blocked site or the IP address of the blocked site via the Advanced View in the PM Console at:

========================================================================

* F-Secure Browsing Protection > Settings > Reputation Based Protection > Trusted Hosts

* F-Secure Browsing Protection > Settings > Reputation Based Protection > Trusted Sites

========================================================================

MaKl

I´m currently having the same issue. It began today, that several Clients started to send these DNS query blocks. I´m currently running a FSPM 14.01. The Clients sending are having different F-Secure Versions, 14.01.121 for example.

I´ve checked the URL on a Sandbox URL scan website. It seems to be related to Firefox somehow.

JamesC

Hi,

I am checking this now and will update here.

DavidCES

Some further examples of domains being blocked

A DNS query was blocked for a domain. DNS: dualstack.guardian.map.fastly.net.

A DNS query was blocked for a domain. DNS: prod.detectportal.prod.cloudops.mozgcp.net.

MaKl

Just gonna provide some further information on this topic:

These are the warnings from a single Client in a ~24h timespan.

This client tried to connect to DNS: proxyserverecs-1736642167.us-east-1.elb.amazonaws.com yesterday and switched to DNS: bidder.am5.vip.prod.criteo.com today.

Other blocked DNS:

DNS: prod.ingestion-edge.prod.dataops.mozgcp.net

DNS: am-vip001.taboola.com

JamesC

Hi all,

This is a botnet blocker feature sending those alerts.

Regarding why it started yesterday, it might be related to some security cloud changes causing false-positives to good URLs.

I will check with our detection team and update you.

JamesC

Hi all,

The mentioned URLs are now safe and we have fixed the rating in our system:

proxyserverecs-1736642167.us-east-1.elb.amazonaws[.]com = already marked safe in our NRS

dualstack.guardian.map.fastly[.]net = False Positive, fixed

prod.detectportal.prod.cloudops.mozgcp[.]net = False Positive, fixed

prod.ingestion-edge.prod.dataops.mozgcp[.]net = False Positive, fixed

am-vip001.taboola[.]com = False Positive, fixed

If you are still receiving few URLs blocked, you should open the following webpage:

https://www.f-secure.com/en/web/labs_global/submit-a-sample#sample-url

Remember to click on this bottom, if you want us to contact you with the result of the analyses: I want to give more details about this sample and to be notified of the analysis results​. 

Remember to fill in the information, and describe the issue, so that we can analyse the situation and contact you. 

Note:

Please post your question in English in the "Description" field.

DavidCES

Why are our URLs being scanned if I only have real-time protection enabled?

DavidCES

Is there an option to disable Botnet blocker?

Vad

Hello DavidCES,

Sure, you can disable it from Policy Manager console - Settings (Standard view) - Web Traffic scanning tab, second section.

Best regards,

Vad

DavidCES

Looking at my own PC that has been sending alerts, web traffic scanning is already showing as Off under Settings, so why is it still generating alerts?

Vad

Hello!

I mean this setting:

Best regards,

Vad

DavidCES

But web traffic scanning is OFF on clients, so why should these settings matter at all?

Vad

Hello David CES,

You mean HTTP scanning? It's a separate feature. And its tuning doesn't affect Botnet Blocker.

Best regards,

Vad

DavidCES

https://community.f-secure.com/en/discussion/comment/128247#Comment_128247

Just so I understand, botnet blocker runs regardless of whether web traffic scanning is on or off? And to turn it off I would need to set the policy is FSPM?

Vad

Yes, correct.

DavidCES

I'm still getting an awful lot of these. I've had about 100 alerts in my inbox from over the Christmas break. There is obviously a problem at your end that is causing this as I never used to get alerts with this frequency and I shouldnt have to submit each url to make this stop.

DavidCES

Have found that an advert on Firefox start page for 'Forge of Empires' triggers a block for the url: lps.innogames.com

Vad

Hello DavidCES,

Just want to mention, that you can always report FP for the url you consider safe.

Best regards,

Vad