ProxySG is sending DNS queries for malicious sites

Article ID: 169053

Updated On:

Products

ProxySG Software - SGOS

Issue/Introduction

These DNS queries are matching IPS attack signatures and being flagged as malicious traffic.

In most cases, DNS queries are triggered by user requests, so check the proxy access log to verify.

In this specific case, it is triggered by the ProxySG.

Cause

The customer recently ran a script that sends "test-url" commands to the proxy to check the content-filter category for each URL.
ProxySG#(config content-filter)test-url <URL>

This will trigger DNS queries for those URLs.

This also explains why those URLs are not found in the access log: "test-url" is an internal proxy function.
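
The access-log check described above can be scripted. The following is an added example, not part of the original article or any vendor tooling: it splits IPS-flagged domains into those a client requested and those with no access-log entry, which are the candidates for proxy-originated lookups such as "test-url". The log lines, domain names and the ELFF field list (`c-ip`, `cs-host`) are constructed for illustration; match them to your own log format.

```python
import csv

# Constructed sample: ELFF-style access log; the "#Fields:" header names the columns.
ACCESS_LOG = """\
#Software: SGOS
#Fields: date time c-ip cs-method cs-host cs-uri-path sc-status
2024-01-10 09:15:02 10.1.1.20 GET www.example.com / 200
2024-01-10 09:15:40 10.1.1.31 GET flagged-one.example /index.html 403
2024-01-10 09:16:05 10.1.1.44 GET FLAGGED-ONE.example /a 403
"""

# Constructed sample: domains taken from IPS alerts whose source IP was the proxy.
IPS_FLAGGED = ["flagged-one.example", "flagged-two.example", "Flagged-Three.example."]


def normalize(host):
    """Lower-case and drop the trailing root dot so DNS names and cs-host compare equal."""
    return host.strip().lower().rstrip(".")


def clients_by_host(log_text):
    """Map each requested host to the set of client IPs that asked for it."""
    fields, seen = [], {}
    for row in csv.reader(log_text.splitlines(), delimiter=" ", quotechar='"'):
        if not row:
            continue
        if row[0] == "#Fields:":
            fields = row[1:]  # column order is declared by the log itself
        elif not row[0].startswith("#") and len(row) == len(fields):
            rec = dict(zip(fields, row))
            seen.setdefault(normalize(rec["cs-host"]), set()).add(rec["c-ip"])
    return seen


def triage(flagged, log_text):
    """Return (user_triggered, no_log_entry) for the flagged domains."""
    seen = clients_by_host(log_text)
    user_triggered, no_log_entry = {}, []
    for name in flagged:
        host = normalize(name)
        if host in seen:
            user_triggered[host] = sorted(seen[host])  # follow up with these clients
        else:
            no_log_entry.append(host)  # not client-driven in this log window
    return user_triggered, no_log_entry


if __name__ == "__main__":
    print(triage(IPS_FLAGGED, ACCESS_LOG))
```

Domains in the second list were not requested through the proxy during the logged period, so the next step is to confirm whether "test-url" commands were run for them.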