www.goooooooooooooooooooooooooooooooooooooooooooooooooooooooooogle.com

QuiteSmart
QuiteSmart Posts: 48  Freshman Member
Zyxel Certified Network Administrator - Nebula Zyxel Certified Network Administrator - Security Zyxel Certified Network Administrator - Switch Zyxel Certified Network Administrator - WLAN

Hello community!

We usually configure ATP firewalls on-premise and we usually activate all 3 of the reputation features (IP reputation, DNS filtering, URL filtering).

Since 5.37 ABPS.1 we have been receiving many, many alerts every day from different managed firewalls (different organizations, different devices), like this one:

192.168.6.106:41625 —>192.168.6.1:53

alert dns-filter DNS REDIRECT

www.goooooooooooooooooooooooooooooooooooooooooooooooooooooooooogle.com:Malicious Sites

As far as we checked this traffic is always from an Android mobile phone.

As far as I know almost nobody talks about this domain online, but I cannot believe that this is not impacting many people, since we receive alerts from many of our clients with the latest fw version, if not all of them.

None of our clients complained of something not working on their mobile phone, even though this domain is blocked.

  1. Does anybody know which application/process asks for this website so many times a day?
  2. Does anybody know if this website is really dangerous, or can we whitelist it to avoid all these emails?
  3. Does anybody have a way to understand which Android application is asking for a URL (apart from using Wireshark)?
  4. Is there a way to stop email alerts for just one domain? My only idea is to block the IP address of this domain (actually 3.3.130.190), but I do not know if this server hosts thousands of websites…

All Replies

  • PeterUK
    PeterUK Posts: 3,461  Guru Member
    100 Answers 2500 Comments Friend Collector Seventh Anniversary

    I think the phone should be reset

  • QuiteSmart
    QuiteSmart Posts: 48  Freshman Member

    Hello @PeterUK, resetting works for sure, but it would not answer any of the 4 questions. Besides, you can imagine how difficult it would be to convince users to reset their phone for a problem that they do not even feel. 😓

  • electsystech
    electsystech Posts: 47  Freshman Member
    First Answer First Comment Friend Collector Fifth Anniversary

    I've seen this before, I think it was on the regular content filter, though, not the DNS. Seems to vary on the amount of oooo's in google. I never did get to the bottom of it. No one ever complained about anything not working.

  • QuiteSmart
    QuiteSmart Posts: 48  Freshman Member

    @electsystech thanks for joining the discussion.

    The number of oooo in my case is always the same (3 different organizations' firewalls).

    If I google that domain it gives almost no results, and this makes me think that it's a rare problem, but the fact that 3 different Android phones of 3 different users connect to this domain makes me think that thousands of people are getting this little problem.

    One idea is to compare the apps installed on each phone to find what is in all 3, but it's not so easy since they are different sites, as I already mentioned.

    Another idea is to find some Android app that acts like a firewall on the phone, catching who is connecting to whom, but I have no knowledge of it.

    The last idea would be to put a computer with Wireshark between an access point dedicated only to that mobile and the router, and look for many ooooooooooooooooo, but you need both time and experience, and usually having one means not having the second 🙄

    As I said, a workaround would be a firewall policy to block the IP (I think that firewall policies work before the subscription services, so the infamous connection would be blocked before the DNS Filtering check), but: 1) I don't know if that IP hosts many sites; 2) I prefer solutions to workarounds ;-)

    PS: I confirm that no one ever complained; I'm probably the only one, since I receive too many alerts via email.
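A small triage script, added here and not written by any poster or by Zyxel, that reads DNS-filter alert lines in the shape quoted at the top of the thread, counts the odd lookups per source host (so the devices to compare, as suggested in the post above, are listed automatically), tolerates the varying number of "o"s electsystech mentions, and prints the exact names a per-domain allow list would need. The one-line alert layout, the sample IPs and the shorter domain variants are constructed assumptions modelled on the thread, not real logs.

```python
import re
from collections import Counter, defaultdict

# Constructed sample alert lines, modelled on the DNS-filter alert quoted in the
# thread (src:port -> resolver:port, message, domain:category). Not real logs.
SAMPLE_ALERTS = """\
192.168.6.106:41625 -> 192.168.6.1:53 alert dns-filter DNS REDIRECT www.goooooooooooooooooooooooooooooooooooooooooooooooooooooooooogle.com:Malicious Sites
192.168.6.106:41702 -> 192.168.6.1:53 alert dns-filter DNS REDIRECT www.goooooooooooooooooooooooooooooooooooooooooooooooooooooooooogle.com:Malicious Sites
192.168.6.120:50211 -> 192.168.6.1:53 alert dns-filter DNS REDIRECT www.gooooooooooogle.com:Malicious Sites
192.168.6.120:50212 -> 192.168.6.1:53 alert dns-filter DNS REDIRECT google.com.onion:Malicious Sites
192.168.6.55:40001 -> 192.168.6.1:53 alert dns-filter DNS REDIRECT example-bad.test:Malicious Sites
"""

ALERT_RE = re.compile(
    r"^(?P<src>\d+\.\d+\.\d+\.\d+):\d+\s*->\s*(?P<dst>\d+\.\d+\.\d+\.\d+):\d+\s+"
    r"alert dns-filter (?P<msg>.+?)\s+(?P<domain>\S+):(?P<cat>.+)$"
)

# The odd lookups discussed in the thread; the run of "o" characters varies
# between devices, so any run of two or more is accepted.
PROBE_RE = re.compile(r"^(www\.go{2,}gle\.com|google\.com\.onion)$", re.I)

def parse_alert(line):
    """Return the alert fields as a dict, or None if the line is not an alert."""
    m = ALERT_RE.match(line.strip())
    return m.groupdict() if m else None

def triage(text):
    """Return ({src_ip: Counter(domain)}, [(src, domain) not matching the pattern])."""
    per_host = defaultdict(Counter)
    other = []  # anything else flagged as Malicious still deserves a real look
    for line in text.splitlines():
        rec = parse_alert(line)
        if not rec:
            continue
        if PROBE_RE.match(rec["domain"]):
            per_host[rec["src"]][rec["domain"].lower()] += 1
        else:
            other.append((rec["src"], rec["domain"]))
    return dict(per_host), other

def suggested_allow_list(per_host):
    """Exact names seen, one per variant: the entries an allow list or sinkhole record needs."""
    return sorted({d for counts in per_host.values() for d in counts})

if __name__ == "__main__":
    hosts, other = triage(SAMPLE_ALERTS)
    print(hosts)
    print(suggested_allow_list(hosts), other)
```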

  • zyman2008
    zyman2008 Posts: 223  Master Member
    25 Answers First Comment Friend Collector Seventh Anniversary

    Hi @QuiteSmart ,

    I found a Samsung mobile phone with this DNS query behavior once WiFi is switched on.

    There are 3 weird DNS domains queried:

    *google.com
    www.goooooooooooooooooooooooooooooooooooooooooooooooooooooooooogle.com
    google.com.onion
    

    Checking VirusTotal, they look safe so far.

    https://www.virustotal.com/gui/domain/goooooooooooooooooooooooooooooooooooooooooooooooooooooooooogle.com/details

    https://www.virustotal.com/gui/domain/google.com.onion

    I think the workaround to block the DNS query without triggering logs is:

    (1) Add these DNS names to the allow list of the DNS Threat Filter. This avoids the DNS alert.

    (2) Then add these as DNS A records pointing to a blackhole internal IP address. This prevents clients from reaching the Internet IP of these DNS domains.

  • QuiteSmart
    QuiteSmart Posts: 48  Freshman Member
    Answer ✓

    Hello @zyman2008, your solution for avoiding the logs is smart and I'm likely to click "solved". I just wonder how we can understand which app is asking for it (if it's an app and not the system itself).

  • QuiteSmart
    QuiteSmart Posts: 48  Freshman Member

    Since I still haven't found any way to understand who (in the device) is asking for this URL, I've followed @zyman2008's suggestion.

  • zyman2008
    zyman2008 Posts: 223  Master Member
    edited January 26

    @QuiteSmart

    I found here the discussion about the Samsung Apps with the behavior.

    https://www.reddit.com/r/pihole/comments/hi1s69/is/

    I didn't try the NetGuard Apps. https://netguard.me/ (donate 7.50 EUR to get pro features)

    So I don't know whether that is true or not, just FYI.

  • QuiteSmart
    QuiteSmart Posts: 48  Freshman Member

    Thank you @zyman2008, I haven't installed the app so far, but it seems a useful tool to use before resetting a smartphone.
