Cloud SWG admins are finding that a large number of uncategorized requests are going to www.actionablemessage.olk, a Microsoft domain that handles actionable messages in Office 365.
Users do not seem to be impacted by the issue, but we want to clean up the tens of thousands of entries we see in the logs.
Rather than adding it to the bypass list, we wondered if it's possible for it to be classified.
Cloud SWG.
WSS Agent.
www.actionablemessage.olk is not a publicly accessible site, and the requests seen in reports were triggered by DNS over HTTPS (DoH) requests generated by macOS hosts.
A few options exist to avoid this:
1. Disable DoH requests in the browsers on the macOS devices, or
2. Ignore uncategorized DNS requests within the Cloud SWG logs; they have no impact on user traffic.
When digging into the reports to check requests for this domain, we found that every request to the site was for the DNS protocol as shown below.
Running reports of DNS requests (which are typically not seen going into Cloud SWG by default), we could see over a million requests a day (many to 0.0.0.0), all from a number of macOS devices.
Looking at the HTTP logs for these DNS requests and correlating them with PCAPs, we could see that they were DNS over HTTPS requests to Google's DNS server.
// A sample HTTP log entry from the tenant gives us the device name and IP address of the host generating the requests
2023-05-22 11:12:17 "DP1-GGBLO11_proxysg1" 9 203.1.113.1 - - - - - PROXIED "Uncategorized" - 0 - query - dns 0.0.0.0 53 / - - - 192.168.1.84 84 34 - - - - - - - - 0 - client_connector "none" "none" - "Invalid" - - - - - none - - - - none - - ICAP_NOT_SCANNED - - ICAP_NOT_SCANNED - - - - - - 0 - "None" - "United Kingdom" none - wss-agent architecture=x86_64%20name=macOS%20version=13.3.1 8.2.3.18676 203.1.113.1 5d81a30f-1e54-4f38-8179-67d9e5c0d00a DEV-CD6M - - - - - - - - - 2001:db8:ffff:ffff:: - - "Invalid" "Invalid" - - -
// PCAP taken at the same time shows requests into Google DNS server over a persistent TCP connection
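As an added triage example (not Broadcom code or part of this article), the script below parses access-log lines laid out like the sample entry above and counts the DNS-protocol, Uncategorized entries per macOS WSS Agent host, so an admin can see which devices are generating the DoH noise before deciding whether to disable DoH on them or simply filter the entries out of reports. The field layout, the regular expressions, the sample lines and the device names and UUIDs are all assumptions or constructed values modelled on the single entry shown above; check them against your tenant's configured log format.

```python
"""Triage Cloud SWG access-log lines for DNS-over-HTTPS noise from WSS Agent hosts.

Added example for this article, not Broadcom code. The field positions and the
regular expressions are assumptions derived from the one log entry shown in the
article; verify them against your tenant's log format before relying on them.
"""
import re
from collections import Counter
from urllib.parse import unquote

# Category string that follows the PROXIED action in the sample entry (assumed layout).
CATEGORY_RE = re.compile(r'\sPROXIED\s"(?P<category>[^"]*)"')
# Protocol, destination IP and port as they appear in the sample ("... dns 0.0.0.0 53 / ...").
DEST_RE = re.compile(
    r"\s(?P<proto>dns|http|https|ssl)\s(?P<dst_ip>\d{1,3}(?:\.\d{1,3}){3})\s(?P<dst_port>\d+)\s"
)
# WSS Agent block: URL-encoded OS string, agent version, client IP, device UUID, device name.
AGENT_RE = re.compile(
    r"\swss-agent\s(?P<os_string>\S+)\s(?P<agent_ver>\S+)\s(?P<client_ip>\S+)"
    r"\s(?P<uuid>[0-9a-f-]{36})\s(?P<device>\S+)"
)


def parse_entry(line):
    """Return the fields this triage needs, or None if the line doesn't match the assumed layout."""
    cat, dest, agent = CATEGORY_RE.search(line), DEST_RE.search(line), AGENT_RE.search(line)
    if not (cat and dest and agent):
        return None
    # "architecture=x86_64%20name=macOS%20version=13.3.1" -> {"architecture": ..., "name": ..., "version": ...}
    os_info = dict(kv.split("=", 1) for kv in unquote(agent["os_string"]).split() if "=" in kv)
    return {
        "category": cat["category"],
        "proto": dest["proto"],
        "dst_ip": dest["dst_ip"],
        "dst_port": int(dest["dst_port"]),
        "client_ip": agent["client_ip"],
        "device": agent["device"],
        "os": os_info.get("name", "unknown"),
        "os_version": os_info.get("version", "unknown"),
    }


def is_doh_noise(entry):
    """The pattern the article describes: DNS-protocol requests left Uncategorized, from macOS WSS Agent hosts."""
    return entry["proto"] == "dns" and entry["category"] == "Uncategorized" and entry["os"] == "macOS"


def summarize(lines):
    """Return (parsed line count, Counter of noise entries keyed by (device, client IP, OS version))."""
    per_device = Counter()
    parsed = 0
    for line in lines:
        entry = parse_entry(line)
        if entry is None:
            continue
        parsed += 1
        if is_doh_noise(entry):
            per_device[(entry["device"], entry["client_ip"], entry["os_version"])] += 1
    return parsed, per_device


def _line(date, time, category, method, proto, dst_ip, dst_port, os_name, os_ver, client_ip, uuid, device):
    """Build a constructed log line in the same layout as the article's sample entry."""
    return (
        f'{date} {time} "DP1-GGBLO11_proxysg1" 9 {client_ip} - - - - - PROXIED "{category}" - 0 - '
        f"{method} - {proto} {dst_ip} {dst_port} / - - - 192.168.1.84 84 34 - - - - - - - - 0 - "
        'client_connector "none" "none" - "Invalid" - - - - - none - - - - none - - ICAP_NOT_SCANNED '
        '- - ICAP_NOT_SCANNED - - - - - - 0 - "None" - "United Kingdom" none - '
        f"wss-agent architecture=x86_64%20name={os_name}%20version={os_ver} 8.2.3.18676 {client_ip} "
        f'{uuid} {device} - - - - - - - - - 2001:db8:ffff:ffff:: - - "Invalid" "Invalid" - - -'
    )


# Constructed sample input: two macOS hosts doing DoH lookups, one Windows host browsing normally.
# Device names, UUIDs, client IPs and the "Technology/Internet" category are made-up placeholders.
SAMPLE_LINES = [
    _line("2023-05-22", "11:12:17", "Uncategorized", "query", "dns", "0.0.0.0", 53,
          "macOS", "13.3.1", "203.0.113.1", "00000000-0000-4000-8000-000000000001", "MAC-EXAMPLE-1"),
    _line("2023-05-22", "11:12:18", "Uncategorized", "query", "dns", "0.0.0.0", 53,
          "macOS", "13.3.1", "203.0.113.1", "00000000-0000-4000-8000-000000000001", "MAC-EXAMPLE-1"),
    _line("2023-05-22", "11:12:19", "Uncategorized", "query", "dns", "8.8.8.8", 53,
          "macOS", "13.4", "203.0.113.2", "00000000-0000-4000-8000-000000000002", "MAC-EXAMPLE-2"),
    _line("2023-05-22", "11:12:20", "Technology/Internet", "GET", "https", "198.51.100.10", 443,
          "Windows", "10.0", "203.0.113.3", "00000000-0000-4000-8000-000000000003", "WIN-EXAMPLE-1"),
]

if __name__ == "__main__":
    parsed, per_device = summarize(SAMPLE_LINES)
    print(f"parsed {parsed} lines")
    for (device, ip, ver), n in per_device.most_common():
        print(f"{device} ({ip}, macOS {ver}): {n} uncategorized DNS entries")
```

Feed it your exported report lines instead of `SAMPLE_LINES` and the `most_common()` output lists the hosts to look at first; anything the regexes fail to match is skipped rather than miscounted, so a parsed count well below the line count is the signal that the assumed layout differs from your tenant's.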