FSPM: Getting lots of alerts "A DNS query was blocked for a domain" despite firewall disabled
I am getting a lot of client alerts from F-Secure Policy Manager like the following:
Here are the most recent alerts (1) from Policy Manager.
Warning: A DNS query was blocked for a domain.
From: UCL/CLIENTPC1, 2021-11-29 14:13:02 +00:00
Details: A DNS query was blocked for a domain. DNS: proxyserverecs-1736642167.us-east-1.elb.amazonaws.com.
These have gradually been increasing in number, from different clients, and varying DNS queries are blocked. I am not sure of the effect on end users; nobody has complained yet. A lot of the queries look like genuine cloud services: Amazon, Mozilla, etc.
What is most puzzling is that we disable most features except real time protection on our clients, so no firewall, browsing protection or deepguard. So why are these alerts even being generated?
All alerts are coming from clients running F-Secure Client Security 14.22 build 109
I am running FSPM 14.41
Can anyone help please?
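When these alerts arrive by e-mail in the volume described above, the useful first step is to turn them into a table of which domain was blocked on which client and when, because a domain blocked on many different machines points at a reputation false positive on a shared service rather than at one infected host. The following is an added example written for this thread, not F-Secure code or the poster's own script; it parses the Warning/From/Details layout quoted in the post above, counts blocks per domain and per client, and defangs the names in the same `amazonaws[.]com` style used later in the thread so they can be pasted into a ticket. The alert text embedded in the script is constructed sample input.

```python
"""Parse F-Secure Policy Manager "DNS query was blocked" alert text into
structured records and summarise it per domain and per client.

Added example for triaging the alerts discussed in this thread; not F-Secure
code. The Warning/From/Details layout is taken from the post above; the
sample text below is constructed.
"""
from __future__ import annotations

import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample: three alerts in the format quoted in the thread.
SAMPLE_ALERTS = """\
Here are the most recent alerts (3) from Policy Manager.
Warning: A DNS query was blocked for a domain.
From: UCL/CLIENTPC1, 2021-11-29 14:13:02 +00:00
Details: A DNS query was blocked for a domain. DNS: proxyserverecs-1736642167.us-east-1.elb.amazonaws.com.
Warning: A DNS query was blocked for a domain.
From: UCL/CLIENTPC1, 2021-11-30 09:01:45 +00:00
Details: A DNS query was blocked for a domain. DNS: bidder.am5.vip.prod.criteo.com.
Warning: A DNS query was blocked for a domain.
From: UCL/CLIENTPC7, 2021-11-30 10:22:10 +00:00
Details: A DNS query was blocked for a domain. DNS: dualstack.guardian.map.fastly.net.
"""

# "From: <domain>/<host>, <YYYY-MM-DD HH:MM:SS +HH:MM>"
FROM_RE = re.compile(
    r"^From:\s*(?P<client>\S+),\s*"
    r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} [+-]\d{2}:\d{2})\s*$"
)
# The word DNS also appears in "A DNS query ..."; anchoring on "DNS:" with the
# colon picks out the blocked name, not the sentence.
DETAILS_RE = re.compile(r"^Details:.*?\bDNS:\s*(?P<domain>\S+)")


@dataclass(frozen=True)
class BlockedQuery:
    client: str
    seen: datetime
    domain: str


def parse_alerts(text: str) -> list[BlockedQuery]:
    """Walk the alert text, pairing each From: line with the Details: line that follows it."""
    records: list[BlockedQuery] = []
    client = seen = None
    for line in text.splitlines():
        m = FROM_RE.match(line)
        if m:
            client = m["client"]
            seen = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S %z")
            continue
        m = DETAILS_RE.match(line)
        if m and client is not None:
            # The alert ends its sentence with a full stop right after the name;
            # strip it rather than treat it as a DNS root label.
            domain = m["domain"].rstrip(".").lower()
            records.append(BlockedQuery(client, seen, domain))
            client = seen = None
    return records


def summarise(records: list[BlockedQuery]) -> tuple[Counter, Counter]:
    """Return (blocks per domain, blocks per client)."""
    return (Counter(r.domain for r in records), Counter(r.client for r in records))


def clients_per_domain(records: list[BlockedQuery]) -> dict[str, set[str]]:
    """Which clients hit each domain: a wide spread across machines suggests a
    shared service with a bad reputation rating rather than a single bot."""
    out: dict[str, set[str]] = defaultdict(set)
    for r in records:
        out[r.domain].add(r.client)
    return dict(out)


def defang(domain: str) -> str:
    """Render a name as amazonaws[.]com so it is not a clickable link in a ticket."""
    head, _, tld = domain.rpartition(".")
    return f"{head}[.]{tld}" if head else domain


if __name__ == "__main__":
    recs = parse_alerts(SAMPLE_ALERTS)
    by_domain, by_client = summarise(recs)
    spread = clients_per_domain(recs)
    for domain, n in by_domain.most_common():
        print(f"{n:3d}  {defang(domain):60s} clients={sorted(spread[domain])}")
    print("per client:", dict(by_client))
```

Run it against a mailbox export with `parse_alerts(open("alerts.txt").read())` instead of the constructed sample; the domains that appear on many clients are the ones worth reporting to the vendor first.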
DNS query stands for Botnet blocker.
Most likely the DNS resolution is blocked by the Botnet Blocker feature.
You need to do the following:
1. Share the URL with the Labs team, for further investigation. The Labs team will whitelist the URL if the site is not malicious:
2. Whitelist the blocked site or the IP address of the blocked site via the Advanced View in the PM Console at:
* F-Secure Browsing Protection > Settings > Reputation Based Protection > Trusted Hosts
* F-Secure Browsing Protection > Settings > Reputation Based Protection > Trusted Sites
I'm currently having the same issue. It began today that several clients started to send these DNS query blocks. I'm currently running FSPM 14.01. The clients sending them have different F-Secure versions, 14.01.121 for example.
I've checked the URL on a sandbox URL scan website. It seems to be related to Firefox somehow.
I am checking this now and will update here.
Some further examples of domains being blocked
A DNS query was blocked for a domain. DNS: dualstack.guardian.map.fastly.net.
A DNS query was blocked for a domain. DNS: prod.detectportal.prod.cloudops.mozgcp.net.
Just gonna provide some further information on this topic:
These are the warnings from a single Client in a ~24h timespan.
This client tried to connect to DNS: proxyserverecs-1736642167.us-east-1.elb.amazonaws.com yesterday and switched to DNS: bidder.am5.vip.prod.criteo.com today.
Other blocked DNS:
This is a botnet blocker feature sending those alerts.
Regarding why it started yesterday, it might be related to some security cloud changes causing false-positives to good URLs.
I will check with our detection team and update you.
The mentioned URLs are now safe and we have fixed the rating in our system:
proxyserverecs-1736642167.us-east-1.elb.amazonaws[.]com = already marked safe in our NRS
dualstack.guardian.map.fastly[.]net = False Positive, fixed
prod.detectportal.prod.cloudops.mozgcp[.]net = False Positive, fixed
prod.ingestion-edge.prod.dataops.mozgcp[.]net = False Positive, fixed
am-vip001.taboola[.]com = False Positive, fixed
If you are still receiving a few blocked URLs, you should open the following webpage:
Remember to click on this button if you want us to contact you with the result of the analysis: I want to give more details about this sample and to be notified of the analysis results.
Remember to fill in the information and describe the issue, so that we can analyse the situation and contact you.
Please post your question in English in the "Description" field.
Why are our URLs being scanned if I only have real-time protection enabled?
Is there an option to disable Botnet Blocker?
Sure, you can disable it from Policy Manager console - Settings (Standard view) - Web Traffic scanning tab, second section.
Looking at my own PC that has been sending alerts, web traffic scanning is already showing as Off under Settings, so why is it still generating alerts?
I mean this setting:
But web traffic scanning is OFF on clients, so why should these settings matter at all?
Hello David CES,
You mean HTTP scanning? It's a separate feature. And its tuning doesn't affect Botnet Blocker.
Just so I understand, Botnet Blocker runs regardless of whether web traffic scanning is on or off? And to turn it off I would need to set the policy in FSPM?
I'm still getting an awful lot of these. I've had about 100 alerts in my inbox from over the Christmas break. There is obviously a problem at your end that is causing this, as I never used to get alerts with this frequency, and I shouldn't have to submit each URL to make this stop.
Have found that an advert on the Firefox start page for 'Forge of Empires' triggers a block for the URL: lps.innogames.com
Just want to mention that you can always report an FP for the URL you consider safe.