ProxySG is sending DNS queries for malicious sites
Article ID: 169053
Products
ProxySG Software - SGOS
Issue/Introduction
These DNS queries are matching IPS attack signatures and being flagged as malicious traffic.
In most cases, DNS queries are triggered by user requests, so check the proxy access log to verify.
In this specific case, they are triggered by the ProxySG itself.
Cause
The customer recently ran a script that sends "test-url" commands to the proxy to check the content-filter category for each URL:
ProxySG#(config content-filter)test-url <URL>
This triggers DNS queries for those URLs.
It also explains why those URLs are not found in the access log: "test-url" is an internal proxy function.
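The access-log check described above can be scripted. The following is an added example, not part of the original article or of any Symantec/Broadcom tooling: it compares IPS-flagged DNS names against the hosts recorded in an access log export. The log layout (an ELFF-style "#Fields:" header with a cs-host column), the sample lines and the flagged names are all constructed assumptions; adjust the field name to match the log format configured on your appliance.

```python
import shlex

# Constructed sample: ELFF-style access log with a "#Fields:" header (assumed layout).
ACCESS_LOG = """\
#Software: SGOS
#Fields: date time c-ip cs-method cs-host cs-uri-path sc-status
2024-01-10 09:15:02 10.0.0.21 GET www.example.com / 200
2024-01-10 09:15:40 10.0.0.34 CONNECT Login.Example.net:443 - 200
2024-01-10 09:16:11 10.0.0.21 GET flagged-a.example "/a b" 403
"""

# Constructed sample: names from IPS alerts on DNS queries sourced from the proxy.
FLAGGED_DNS = ["flagged-a.example.", "flagged-b.example", "FLAGGED-C.example"]


def normalize(host):
    """Lower-case, drop trailing dot and any :port so names compare equal."""
    host = host.strip().lower().rstrip(".")
    if host.count(":") == 1:          # host:port (not a bare IPv6 literal)
        host = host.rsplit(":", 1)[0]
    return host


def hosts_in_access_log(text, field="cs-host"):
    """Return the set of hosts requested by users, using the #Fields header."""
    columns, seen = None, set()
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            columns = line.split()[1:]
        elif line and not line.startswith("#") and columns and field in columns:
            values = shlex.split(line)   # honours quoted fields containing spaces
            if len(values) == len(columns):
                seen.add(normalize(values[columns.index(field)]))
    return seen


def triage(flagged, access_log_text):
    """Split flagged names into user-triggered and proxy-originated candidates."""
    logged = hosts_in_access_log(access_log_text)
    result = {"user_request": [], "not_in_access_log": []}
    for name in flagged:
        key = "user_request" if normalize(name) in logged else "not_in_access_log"
        result[key].append(normalize(name))
    return result


if __name__ == "__main__":
    for bucket, names in triage(FLAGGED_DNS, ACCESS_LOG).items():
        print(bucket, names)
```

Names that land in not_in_access_log were not requested through the proxy by a user, so they are candidates for proxy-originated lookups such as the "test-url" checks described in this article.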