I noticed on my DNS server that Sophos does a lot of lookups to subdomains on sophosxl.net. We use OpenDNS for our employees, and we were getting to our limit because of this. I have since moved the queries to Google DNS, but would like some more info on why Sophos does so many lookups to these domains. Is it a reverse DNS lookup to check websites?
1. *.ip.00.s.sophosxl.net: 293,593
2. *.ip.01.s.sophosxl.net: 196,023
3. *.ip.02.s.sophosxl.net: 195,297
Total: 684,913 in one week
These lookups are part of the Sophos Web protection feature. When "Block access to malicious websites" is enabled, Sophos uses these queries to determine whether the site you want to access is known to host malware.
Similar lookups are used for Live Protection and the associated optional sending of samples.
I just came across the same issue on SEC 5.1 with 10.2 clients; we have around 100000 requests to
http://http.**.s.sophosxl.net and turning off Live Protection and/or web control does NOT fix this issue.
We have our own list of "Blocked" websites, so we don't want this behaviour and can't seem to get rid of these "online checks".