www.goooooooooooooooooooooooooooooooooooooooooooooooooooooooooogle.com
Hello community!
We usually configure ATP firewalls on-premise and we usually activate all 3 features of IP reputation (IP reputation, DNS filtering, URL filtering).
Since 5.37 ABPS.1 we have been receiving many alerts every day from different managed firewalls (different organizations, different devices), like this one:
192.168.6.106:41625 —>192.168.6.1:53
alert dns-filter DNS REDIRECT
www.goooooooooooooooooooooooooooooooooooooooooooooooooooooooooogle.com:Malicious Sites
As far as we checked, this traffic is always from an Android mobile phone.
As far as I know almost nobody talks about this domain online, but I cannot believe that this is not impacting many people, since we receive alerts from many of our clients with the latest fw version, if not all.
None of our clients complained about something not working on their mobile phone even if this domain is blocked.
- Does anybody know which application/process asks for this website so many times a day?
- Does anybody know if this website is really dangerous, or can we whitelist it to avoid all these emails?
- Does anybody have a way to understand which Android application is asking for a URL (apart from using Wireshark)?
- Is there a way to stop the email alert for just one domain? My only idea is to block the IP address of this domain (actually 3.3.130.190) but I do not know if this server hosts thousands of websites…
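One way to triage these emails before deciding on a whitelist, as an added example that is not part of the original thread or any Zyxel tool: parse the 3-line alert format quoted above, collapse the variable-length "gooo…gle.com" spelling (another reply notes the number of o's varies) into one key, and count hits per source device. The sample alert text is constructed from the quoted format; the second device, ports and the "badexample.invalid" domain are invented placeholders, and the script assumes each alert arrives as exactly three lines.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the 3-line format quoted in the post (not real logs).
SAMPLE_ALERTS = """\
192.168.6.106:41625 —>192.168.6.1:53
alert dns-filter DNS REDIRECT
www.goooooooooooooooooooooooooooooooooooooooooooooooooooooooooogle.com:Malicious Sites
192.168.6.106:41701 —>192.168.6.1:53
alert dns-filter DNS REDIRECT
www.goooooooooooooooooooooooooooooooooooooooooooooooooooooooooogle.com:Malicious Sites
10.0.0.57:50122 —>10.0.0.1:53
alert dns-filter DNS REDIRECT
www.gooooooooooooooooooooooooooogle.com:Malicious Sites
10.0.0.57:50123 —>10.0.0.1:53
alert dns-filter DNS REDIRECT
badexample.invalid:Malicious Sites
"""

# "src:sport <any arrow glyph> dst:dport"; the arrow is whatever non-digit text sits between.
FLOW_RE = re.compile(r"^(?P<src>\d{1,3}(?:\.\d{1,3}){3}):\d+[^0-9]+(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):\d+$")
# Matches google.com with three or more o's, with or without a www. prefix.
LONG_O_GOOGLE = re.compile(r"^(?:www\.)?g(o{3,})gle\.com$")

def o_run_length(domain):
    """Length of the o-run for a long-o google lookalike, or None if it is not one."""
    m = LONG_O_GOOGLE.match(domain)
    return len(m.group(1)) if m else None

def normalize(domain):
    """Collapse the variable o-run so every variant aggregates under one key."""
    return re.sub(r"o{3,}", "{o+}", domain) if LONG_O_GOOGLE.match(domain) else domain

def parse_alerts(text):
    """Split the alert mail body into records; skip groups that do not fit the format."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    records = []
    for i in range(0, len(lines) - 2, 3):
        m = FLOW_RE.match(lines[i])
        if not m or not lines[i + 1].startswith("alert dns-filter"):
            continue
        domain, _, category = lines[i + 2].rpartition(":")
        records.append({"src": m["src"], "dst": m["dst"], "domain": domain, "category": category})
    return records

def summarize(records):
    """Per source device: how many times each (normalized) domain was queried."""
    per_device = defaultdict(Counter)
    for r in records:
        per_device[r["src"]][normalize(r["domain"])] += 1
    return per_device
```

The per-device counts tell you which phones to look at with an on-device tool such as NetGuard; a device that only ever queries the lookalike domain with a fixed o-count looks very different from one also hitting other flagged domains.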
Accepted Solution
-
Hello @zyman2008, your solution for avoiding the logs is smart and I'm likely to click "solved". I just wonder how we can understand which app is asking for it (if it's an app and not the system itself).
1
All Replies
-
I think the phone should be reset
0 -
Hello @PeterUK, resetting works for sure but it would not answer any of the 4 questions. Besides, you can imagine how difficult it would be to convince users to reset their phone for a problem that they do not even feel. 😓
0 -
I've seen this before, I think it was on the regular content filter, though, not the DNS. Seems to vary in the amount of oooo's in google. I never did get to the bottom of it. No one ever complained about anything not working.
0 -
@electsystech thanks for joining the discussion.
The number of oooo in my case is always the same (3 different organizations' firewalls).
If I google that domain it gives almost no results, and this makes me think that it's a rare problem, but the fact that 3 different Android phones of 3 different users connect to this domain makes me think that thousands of people are getting this little problem.
One idea is to compare the apps installed on each phone to find what is in all 3, but it's not so easy since they are different sites, as I already mentioned.
Another idea is to find some Android app that acts like a firewall on the phone, catching who is connecting to whom, but I have no knowledge of it.
The last idea would be to put a computer with Wireshark between an access point dedicated only to that mobile and the router and look for many ooooooooooooooooo, but you need both time and experience, and usually having one means not having the other 🙄
As I said, a workaround would be a firewall policy to block the IP (I think that firewall policies work before the subscription services, so the infamous connection would be blocked before the DNS Filtering check), but: 1) I don't know if that IP hosts many sites 2) I prefer solutions to workarounds ;-)
PS I confirm that no one ever complained; I'm probably the only one since I receive too many alerts via email.
1 -
Hi @QuiteSmart,
I found a Samsung mobile phone with this DNS query behavior once WiFi is switched on.
There are 3 weird DNS domains queried:
*google.com www.goooooooooooooooooooooooooooooooooooooooooooooooooooooooooogle.com google.com.onion
Checking VirusTotal, they look safe so far.
I think the workaround to block the DNS query without triggering logs is:
(1) Add these DNS names into the allow list of DNS Threat Filter. This avoids the DNS alert.
(2) Then add these as DNS A records and point them to a blackhole internal IP address. This prevents the client from reaching the Internet IP of these DNS domains.
2 -
Since I still haven't found any way to understand who (in the device) is asking for this URL, I've followed @zyman2008's suggestion.
0 -
I found here the discussion about the Samsung apps with this behavior.
https://www.reddit.com/r/pihole/comments/hi1s69/is/
I didn't try the NetGuard app (donate 7.50 EUR to get pro features), so I don't know whether that is true or not, just FYI.
1 -
Thank you @zyman2008, I didn't install the app so far but it seems a useful tool to use before resetting a smartphone.
0