DNS queries to resolve internal hosts from PA management IP

L4 Transporter

DNS queries to resolve internal hosts from PA management IP

Hi Community,

I can see my firewall is sending DNS requests (requests for A records) to resolve some internal hostnames.

  • I don't have GP/detect internal host configured
  • I don't have FQDN objects with these hostnames
  • I have exported and checked the entire config; the firewall does not have this hostname anywhere in the configuration
  • It is requesting an A record (so 'resolve hostname' is not causing it)
  • I don't have DNS proxy configured on the firewall
  • These are internal hostnames, not malicious, which rules out DNS queries caused by HTTP/TLS evasion

This looks like the firewall is trying to resolve in real time. I understand that the firewall will be using DNS for reporting and management services (such as email, Kerberos, SNMP, syslog) as per the documentation. But I'm not sure which of these reasons is making the firewall resolve these internal hostnames. It would be helpful if anybody can answer this.

Thanks in advance!
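As an added illustration that is not part of this thread and not any Palo Alto Networks tooling: one way to work a question like this from the DNS server side is to aggregate the resolver's query log by source address and record type, then compare the names the management IP asks for against the hostnames that do appear in the config export (FQDN objects, syslog/SNMP/email/Kerberos/LDAP servers). The Python below does that over constructed BIND-style query-log lines; the management IP 10.0.0.1, the resolver 10.0.0.53, the hostnames and the "expected" list are all assumptions, and a real BIND 9 query log may carry extra fields (such as the client pointer) that the regex would need to accommodate.

```python
import re
from collections import Counter, defaultdict
from ipaddress import ip_address

# Constructed BIND-style query log lines (not taken from the thread). The
# management IP 10.0.0.1, resolver 10.0.0.53 and hostnames are illustrative.
SAMPLE_QUERY_LOG = """\
14-May-2020 09:12:01.101 client 10.0.0.1#40001 (fileserver01.corp.example): query: fileserver01.corp.example IN A + (10.0.0.53)
14-May-2020 09:12:01.205 client 10.0.0.1#40002 (dc01.corp.example): query: dc01.corp.example IN A + (10.0.0.53)
14-May-2020 09:12:03.410 client 10.0.0.1#40003 (1.0.0.10.in-addr.arpa): query: 1.0.0.10.in-addr.arpa IN PTR + (10.0.0.53)
14-May-2020 09:12:05.000 client 10.0.0.25#51000 (www.example.net): query: www.example.net IN A + (10.0.0.53)
14-May-2020 09:13:01.102 client 10.0.0.1#40004 (fileserver01.corp.example): query: fileserver01.corp.example IN A + (10.0.0.53)
14-May-2020 09:13:02.300 client 10.0.0.1#40005 (smtp.corp.example): query: smtp.corp.example IN A + (10.0.0.53)
"""

# Matches the timestamp, client address, query name and record type of one line.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<src>[0-9a-fA-F.:]+)#\d+ \([^)]*\): "
    r"query: (?P<qname>\S+) IN (?P<qtype>[A-Z0-9]+)"
)


def parse_query_log(text):
    """Yield (timestamp, source_ip, qname, qtype) for each line the regex understands."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            qname = m.group("qname").lower().rstrip(".")
            yield m.group("ts"), m.group("src"), qname, m.group("qtype")


def summarise_queries(text, source_ip, known_names=frozenset()):
    """Aggregate queries from one source (the firewall management IP) by name and record type.

    Returns {qname: {"types": {qtype: count}, "known": bool}}. `known_names` is the
    set of hostnames the config export explains (FQDN objects, log/auth/mail servers);
    anything outside it is an unexplained lookup to trace back to a feature.
    """
    src = ip_address(source_ip)
    agg = defaultdict(Counter)
    for _ts, s, qname, qtype in parse_query_log(text):
        if ip_address(s) == src:
            agg[qname][qtype] += 1
    return {
        name: {"types": dict(types), "known": name in known_names}
        for name, types in agg.items()
    }


def unexplained_a_queries(summary):
    """Names queried for A records that the config export does not account for, busiest first."""
    rows = [
        (name, info["types"]["A"])
        for name, info in summary.items()
        if "A" in info["types"] and not info["known"]
    ]
    return sorted(rows, key=lambda r: (-r[1], r[0]))


if __name__ == "__main__":
    # Assumed to have been pulled from the exported configuration.
    expected = {"dc01.corp.example", "smtp.corp.example"}
    summary = summarise_queries(SAMPLE_QUERY_LOG, "10.0.0.1", expected)
    for name, count in unexplained_a_queries(summary):
        print(f"{name}: {count} A queries from the management IP, not in config export")
```

Whatever remains in the unexplained list is the short set of names to trace to a specific feature (User-ID probing, log forwarding, or another management service) rather than searching the whole query log by hand; the timestamps kept by `parse_query_log` also let you line a lookup up against the firewall's own system log for the same second.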

Cyber Elite

Re: DNS queries to resolve internal hosts from PA management IP

@Abdul_Razaq,

Do you have WMI probing enabled within User Identification? 

L4 Transporter

Re: DNS queries to resolve internal hosts from PA management IP

Hi @BPry,

Thanks for your input.

I thought of this possibility as WMI probing is enabled, but as the user-to-IP mapping entries will be IP addresses, I don't see a need for the PA to do a DNS query for device hostnames other than the hostnames of the AD servers.

I am wondering if there is any two-way verification: finding the hostname of an IP, then a DNS query for the A record to verify it.

Thanks in advance.

L4 Transporter

Re: DNS queries to resolve internal hosts from PA management IP

Hi All,

Anybody have any thoughts on this? I can see the DNS query for only a couple of servers (it should not be for WMI, I feel, as I can see it only for very few endpoints directly connected to the firewall). I am even confused how the firewall got this hostname in the first place.

Thanks in advance.
