This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Usman_Shaikh
Contributor
‎2019-03-20 05:32 AM

High number of DNS queries generated by Cloudguard firewalls for microsoft domains

We are seeing high number of DNS requests made by our R80.10 (JHF Take 169) Cloudguard firewalls running FW/URLF/APPI blades to management.azure.com and blob.core.windows.net every second to our DNS server on 10.64.17.10

We do not have a domain object defined for these domains

12:24:56.972268 IP 172.26.163.36.62901 > 10.64.17.10.domain: 5418+ AAAA? md-r425qqtbx25f.blob.core.windows.net. (55)
12:24:56.985671 IP 10.64.17.10.domain > 172.26.163.36.62901: 5418 1/1/0 CNAME blob.am4prdstr02a.store.core.windows.net. (179)
12:24:56.985900 IP 172.26.163.36.54997 > 10.64.17.10.domain: 28673+ A? md-r425qqtbx25f.blob.core.windows.net. (55)
12:24:56.998820 IP 10.64.17.10.domain > 172.26.163.36.54997: 28673 2/0/0 CNAME blob.am4prdstr02a.store.core.windows.net., A 40.118.73.208 (109)
12:24:57.024426 IP 172.26.163.36.49448 > 10.64.17.10.domain: 19122+ A? management.azure.com. (38)
12:24:57.038050 IP 10.64.17.10.domain > 172.26.163.36.49448: 19122 4/0/0 CNAME arm-rpfd-prod.trafficmanager.net., CNAME uksouth.management.azure.com., CNAME rpfd-prod-ln-01.cloudapp.net., A 51.140.3.40 (161)
12:24:57.325273 IP 172.26.163.36.45648 > 10.64.17.10.domain: 38158+ A? management.azure.com. (38)
12:24:57.338527 IP 10.64.17.10.domain > 172.26.163.36.45648: 38158 4/0/0 CNAME arm-rpfd-prod.trafficmanager.net., CNAME uksouth.management.azure.com., CNAME rpfd-prod-ln-01.cloudapp.net., A 51.140.3.40 (161)
12:24:57.576465 IP 172.26.163.36.33918 > 10.64.17.10.domain: 37507+ A? management.azure.com. (38)
12:24:57.595217 IP 10.64.17.10.domain > 172.26.163.36.33918: 37507 4/0/0 CNAME arm-rpfd-prod.trafficmanager.net., CNAME uksouth.management.azure.com., CNAME rpfd-prod-ln-01.cloudapp.net., A 51.140.3.40 (161)
12:24:57.830215 IP 172.26.163.36.52092 > 10.64.17.10.domain: 14287+ A? management.azure.com. (38)
12:24:57.843584 IP 10.64.17.10.domain > 172.26.163.36.52092: 14287 4/0/0 CNAME arm-rpfd-prod.trafficmanager.net., CNAME uksouth.management.azure.com., CNAME rpfd-prod-ln-01.cloudapp.net., A 51.140.3.40 (161)
12:24:58.130100 IP 172.26.163.36.46677 > 10.64.17.10.domain: 35906+ A? management.azure.com. (38)
12:24:58.142549 IP 10.64.17.10.domain > 172.26.163.36.46677: 35906 4/0/0 CNAME arm-rpfd-prod.trafficmanager.net., CNAME uksouth.management.azure.com., CNAME rpfd-prod-ln-01.cloudapp.net., A 51.140.3.40 (161)
12:24:58.381202 IP 172.26.163.36.56930 > 10.64.17.10.domain: 4052+ A? management.azure.com. (38)
12:24:58.394089 IP 10.64.17.10.domain > 172.26.163.36.56930: 4052 4/0/0 CNAME arm-rpfd-prod.trafficmanager.net., CNAME uksouth.management.azure.com., CNAME rpfd-prod-ln-01.cloudapp.net., A 51.140.3.40 (161)
12:24:59.722341 IP 172.26.163.36.56899 > 10.64.17.10.domain: 41422+ A? management.azure.com. (38)
12:24:59.735676 IP 10.64.17.10.domain > 172.26.163.36.56899: 41422 4/0/0 CNAME arm-rpfd-prod.trafficmanager.net., CNAME uksouth.management.azure.com., CNAME rpfd-prod-ln-01.cloudapp.net., A 51.140.3.40 (161)
12:25:00.057386 IP 172.26.163.36.61066 > 10.64.17.10.domain: 21154+ A? management.azure.com. (38)
12:25:00.072370 IP 10.64.17.10.domain > 172.26.163.36.61066: 21154 4/0/0 CNAME arm-rpfd-prod.trafficmanager.net., CNAME uksouth.management.azure.com., CNAME rpfd-prod-ln-01.cloudapp.net., A 51.140.3.40 (161)

I have spoken to R&D through our SE and they say that this is by design which I really don't get. Anyone else seen this behaviour with Cloudguard firewalls ?

 

0 Kudos
2 Replies
Martin_Valenta
Advisor
‎2019-03-20 06:30 AM

It's contastly checking with azure api backend, that's why so many dns hits..

0 Kudos
Usman_Shaikh
Contributor
‎2019-03-20 07:18 AM
In response to Martin_Valenta

What I dont get is that why does the FW send 6-7 requests for same domain each second when the TTL on these records is set to 10 secs (for the A record)

[Expert@fw1:0]# dig management.azure.com

; <<>> DiG 9.3.6-P1-RedHat-9.3.6-25.P1.11.cp991310011 <<>> management.azure.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2104
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;management.azure.com. IN A

;; ANSWER SECTION:
management.azure.com. 373 IN CNAME arm-rpfd-prod.trafficmanager.net.
arm-rpfd-prod.trafficmanager.net. 13 IN CNAME uknorth.management.azure.com.
uknorth.management.azure.com. 1634 IN CNAME rpfd-prod-mm-01.cloudapp.net.
rpfd-prod-mm-01.cloudapp.net. 4 IN A 13.87.77.81

;; Query time: 12 msec
;; SERVER: 10.64.17.10#53(10.64.17.10)
;; WHEN: Wed Mar 20 14:16:22 2019
;; MSG SIZE rcvd: 161

 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events