
DNS lookups from Endpoint Protection Mac client are seen when domains are defined in Firewall rules


Article ID: 173943




Endpoint Protection Endpoint Security


When the Firewall component of the Symantec Endpoint Protection (SEP) for Mac client uses rules that define domains (manually entered or via Host Groups), DNS lookups are seen after policy updates and after a reboot or client daemon restart.


SEP 14.2+


This behavior is by design.

As soon as the SEP for Mac client receives a new firewall policy that contains hostnames defined in its rules, the client performs a DNS lookup for each hostname to obtain its IP address. The request is made to the DNS server configured for the host. The DNS response contains the IP address of the host, which the client uses to create or update the Firewall rule specific to the queried host's IPs. This allows the Firewall to block or allow those IPs as defined in the applicable rule(s).
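
When reviewing DNS logs, the lookups described above can be separated from other traffic by matching queried names against the hostnames in the firewall rules and against the times the client received a policy or restarted. The following is an added example, not part of the original article or any Symantec tooling; the log format, hostnames, event times and the 60-second window are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample data (not from the article): hostnames used in firewall
# rules, times the client took a new policy or restarted, and DNS query logs.
RULE_HOSTNAMES = {"updates.example.com", "files.example.net"}
TRIGGER_EVENTS = [
    ("policy_update", "2024-05-01T10:00:00"),
    ("daemon_restart", "2024-05-01T14:30:00"),
]
DNS_LOG = """\
2024-05-01T10:00:02 mac-01 A updates.example.com.
2024-05-01T10:00:02 mac-01 A FILES.example.net.
2024-05-01T10:00:03 mac-01 A unrelated.example.org.
2024-05-01T12:15:40 mac-01 A updates.example.com.
2024-05-01T14:30:05 mac-01 AAAA files.example.net.
malformed line
"""
WINDOW = timedelta(seconds=60)  # assumption: how soon after a trigger lookups occur


def normalize(name):
    """Lower-case and drop the trailing root dot so names compare equal."""
    return name.rstrip(".").lower()


def classify(log_text, hostnames, events, window=WINDOW):
    """Return (timestamp, client, qname, verdict) for each parseable query."""
    names = {normalize(h) for h in hostnames}
    triggers = [(kind, datetime.fromisoformat(ts)) for kind, ts in events]
    results = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip lines that do not match the constructed format
        ts, client, _qtype, qname = parts
        when = datetime.fromisoformat(ts)
        qname = normalize(qname)
        verdict = "not-in-rules"
        if qname in names:
            hit = next((k for k, t in triggers if t <= when <= t + window), None)
            verdict = f"expected:{hit}" if hit else "in-rules-no-trigger"
        results.append((ts, client, qname, verdict))
    return results


if __name__ == "__main__":
    for row in classify(DNS_LOG, RULE_HOSTNAMES, TRIGGER_EVENTS):
        print(*row)
```

A query marked in-rules-no-trigger is for a rule hostname but falls outside the assumed window after a policy update or restart, so it may come from another process on the host resolving the same name.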