Our logs show a number of connections from our DCs to port "53" application sophos-live-protection...
That's fair enough, I understand the concept of what Sophos is trying to do with this.
What I don't understand is why the destination is 220.127.116.11 and not one of the sophos listening addresses...
I don't suppose anyone sees this?
I've seen this before with some clients in our network. The clients had Sophos installed, and the software in some way manipulated DNS requests from the client (I haven't used Sophos myself so I cannot be any more specific). This would be DNS requests for external domains, which is why your DCs forward them to external DNS servers. Palo Alto sees the DNS traffic, parses the content, notices the Sophos content and changes the app-id from dns to sophos-live-protection.
We had a case with TAC about it, and the only solution they suggested was to make an Application Override.
I expect that, as @TerjeLundbo mentioned, you have Sophos installed, which would explain why you are seeing this behavior. I don't actually recommend doing the application-override in this situation; however, that would be a decision you need to make with the knowledge that application-override stops further application identification from taking place. Since DNS is a heavy target for tunneling all sorts of communication traffic, I personally would avoid this like the plague.
(Yes, we do have Sophos, and I have asked them why it's happening, not much help as yet.)
I am not sure it's consistent with the explanation above.
sophos-live-protection should send information to "SOPHOS" not to "GOOGLE" using port "53".
If the Sophos client did a DNS lookup for the Sophos destination, that would appear as a standard DNS lookup via the domain controller and be a standard DNS lookup on the firewall. Once that IP is resolved, the Sophos client would send a sophos-live-protection packet using port 53 to that resolved destination, not involving the domain controller, and it would probably discard it anyway as a malformed DNS request.
Trying packet captures is a bit fruitless as the source/destination/dport are all used by the legitimate DNS traffic.
It's been a while since I supported any Sophos clients and really looked at this, but Sophos used to always send DNS queries with generic information regardless of what you were doing. Any DNS request also included a fair bit of Sophos required information, regardless of where it was destined.
Since this information is included within the DNS request, and since Palo Alto built the signature to look for this information, the DNS requests sent via a Sophos protected client will be recorded as sophos-live-protection.
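As an added example (not from this thread, Palo Alto or Sophos), a small Python check of the explanation above: if the sophos-live-protection entries really are the DCs' forwarded lookups carrying extra Sophos data, they should land on the same resolvers as the plain dns entries. The log layout, addresses and forwarder list below are constructed assumptions, not a real PAN-OS export format.

```python
import csv
from collections import defaultdict
from io import StringIO

# Constructed, simplified traffic-log export (not a real PAN-OS log layout):
# src, dst, dport, app. Addresses are from RFC 5737 documentation ranges.
SAMPLE_LOG = """src,dst,dport,app
192.0.2.10,198.51.100.53,53,dns
192.0.2.10,198.51.100.53,53,sophos-live-protection
192.0.2.11,198.51.100.53,53,dns
192.0.2.11,198.51.100.53,53,sophos-live-protection
192.0.2.10,203.0.113.7,53,sophos-live-protection
192.0.2.10,203.0.113.9,443,ssl
"""

# Resolvers the DCs are configured to forward to (assumed, constructed values).
KNOWN_FORWARDERS = {"198.51.100.53"}

def summarize_port53(log_text):
    """Count dns vs sophos-live-protection flows per destination on port 53."""
    per_dst = defaultdict(lambda: {"dns": 0, "sophos-live-protection": 0, "other": 0})
    for row in csv.DictReader(StringIO(log_text)):
        if row["dport"] != "53":
            continue
        app = row["app"] if row["app"] in ("dns", "sophos-live-protection") else "other"
        per_dst[row["dst"]][app] += 1
    return dict(per_dst)

def suspicious_destinations(summary, forwarders):
    """Destinations that received sophos-live-protection flows but are not a known
    forwarder, or never received plain dns: these do not fit the 'tagged forwarded
    lookup' explanation and deserve a closer look (e.g. for tunneling)."""
    flagged = []
    for dst, counts in summary.items():
        if counts["sophos-live-protection"] and (dst not in forwarders or counts["dns"] == 0):
            flagged.append(dst)
    return sorted(flagged)

if __name__ == "__main__":
    summary = summarize_port53(SAMPLE_LOG)
    for dst, counts in summary.items():
        print(dst, counts)
    print("review:", suspicious_destinations(summary, KNOWN_FORWARDERS))
```

An application override would hide exactly this split, since every port-53 flow would then be recorded under the override app regardless of content.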