DNS queries to resolve internal hosts from PA managment IP

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

DNS queries to resolve internal hosts from PA managment IP

L4 Transporter

Hi Community,

 

I can see my firewall is sending DNS requests ( request for A record) to resolve some of internal hostnames.

  • I dont have GP/detect internal host configured
  • I dont have FQDN objects with these hostnames
  • I have exported and checked entire config, the firewall is not having this hostname in the configuration
  • It is requesting for A record ( so 'resolve hostname' is not causing it.
  • Dont have DNS proxy configured in firewall
  • This are internal hostnames, not malicious, which rule out DNS queries because of HTTP/TLS evasion

This looks like firewall is trying to resolve in real time. I understands that firewall will be using DNS for reporting, management services (such as email, Kerberos, SNMP, syslog) as per document. But not sure because of which of this reason firewall is trying to resolve these internal hostnames. It would be helpful if anybody can answer this.

 

Thanks in advance ! 

3 REPLIES 3

Cyber Elite
Cyber Elite

@Abdul_Razaq,

Do you have WMI probing enabled within User Identification? 

Hi @BPry ,

 

Thanks for your input.

I thought of this possibility as WMI probing is enabled, but as the user IP mapping entries will be IP address, i don't see a need for PA to do a DNS query for device hostnames other than the hostname of AD servers.

I am wondering if there is any two way of verification to find the hostname of an IP, then a DNS query for A record for verifying it.

 

Thanks in advance.

Hi All,

 

Anybody have any though on this.. i can see the DNS query for only couple of servers (it should not be for WMI i feel as i can see it only for very less endpoints directly connected to firewall). I am even confused how firewall got this hostname in first place.

 

Thanks in advance.

  • 3678 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!