Excessive dns lookups to sophosxl.net - using Central

Hi,

I'm sure we're not the only ones - we are seeing excessive dns lookups to sophosxl.net.  Is this used for Live Protection and Message Relay as I'm seeing logs in the Message Relay?  If we block this url are we at risk for Live Protection / MTD?  Also, can it be set up for http only?

Thank you

  • Hello zk1,

    "dns lookups to sophosxl.net"
    [emphasis mine] there might be some misunderstanding: DNS lookups aren't *to* sophosxl.net but *for* it, and in a lookup it's a NAME, not a URL.
    Please see the Information on Sophos Extensible List for a short description and details. 

    "excessive"
    do they cause issues? Normally a (UDP) DNS lookup is less "expensive" than a (TCP) HTTP request, and even more so than an HTTPS request.

    Christian

  • In reply to QC:

    I am assuming this DNS behaviour will not be changing anytime soon?

    We are on a 10/10 symmetrical line... these DNS inquiries are killing our bandwidth. As in... SATURATING the line all day and all night long.

    Doing a "speed test" and it looks like we are running on a Modem.

    When I suspend ALL traffic from Sophosxl.net... bandwidth returns to normal. The speed test takes all available bandwidth for its testing (expected). The bandwidth meter shows over 15Mbps, then calms down to an idle of around 800Kbps (normal).

    With Sophos enabled... bandwidth goes in the toilet... over 15Mbps constantly... forever... until I kill Sophos.

    It took me a long time to figure out where all this Traffic that was chewing up bandwidth like no tomorrow was coming from in the first place.

    Complaining to my ISP... and they come back with line saturation, pure and simple.

    Dug into my firewall logs... wow... compared to the next busiest client on the network, Sophos shows a whopping 18000 hits in no time at all.

    The next busiest client on the network shows a measly < 1000.

    So...is there a remedy?? I cannot ALLOW Sophos to saturate my Bandwidth like this. 

    Tks

  • In reply to Howiedog:

    As far as I'm aware there are a few different places where SXL lookups are used:

    1. SXL4: these are from SSP; I think download reputation uses this, as an example.  These happen only when you download a file in a browser, to check the reputation of the file.  This is all HTTPS, so I think SXL4 lookups are not what you're seeing.

    2. SXL3: these are HTTP based and are used by Web Protection for Web Control\Web Site classification.  SWI_Service, the process making these queries by default (as long as it's not standalone SAV), will favour HTTP, but can fail back to DNS.  So I would first check if maybe browsing is causing all this DNS traffic, as it should be using HTTP.

    3. SAV, Live Protection: this does use DNS for SXL lookups.  I remember a while back people complaining about a large number of Live Protection DNS SXL lookups when scheduled scans were taking place.  I assume the computers aren't running scheduled scans causing this.  I think this is the reason that under the Threat Protection policy there is an option called: "Use Live Protection during scheduled scans".

    I would therefore check if swi_service is using DNS or HTTP for web protection as that could cause a lot of DNS lookups if it is failing back over to DNS.

    A Wireshark capture of a representative client would be useful, in particular with a filter of HTTP or DNS.  Then, when you browse the web, do you see SXL lookups over DNS or HTTP?  It should be HTTP.

    The other option might be to disable in policy the features:
    Web Control  (Web control policy)
    Block access to malicious websites (Threat Protection policy)
    With both of these disabled swi_service will not perform any SXL3 lookups when you're browsing the web.

    The other features to consider disabling are:
    Detect low-reputation files - This is the HTTPS download reputation, SXL4 lookups, I really doubt this is the problem.
    "Use Live Protection during scheduled scans" as mentioned above, but again I don't suspect the clients are running scheduled scans but worth a check.
    Then the parent option: "Use Live Protection to check the latest threat information from SophosLabs only" could be disabled to disable the SXL DNS lookups.

    I hope this info helps as I think mapping the feature to the traffic would be the first step.

    Regards,
    Jak
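The triage step Jak describes (mapping the lookup volume to clients and time before touching policy), as an added example that is not part of this thread: it aggregates DNS query-log lines for names under sophosxl.net by source client and by second. The BIND-style log format, the client IPs and the sophosxl.net hostnames and record types in the sample are all constructed for this example, not taken from Sophos documentation.

```python
"""Count sophosxl.net DNS lookups per client and per second from a
DNS query log, to see which endpoints and which time windows produce
the volume. Log format and sample lines are constructed (BIND-style)."""
import re
from collections import Counter

# Constructed sample: one non-SXL query, one lookalike name that must
# NOT match (notsophosxl.net), and six genuine *.sophosxl.net queries.
SAMPLE_LOG = """\
09-Jan-2020 10:00:01.101 client 10.0.0.21#51234: query: a1.lookup.sophosxl.net IN TXT + (10.0.0.1)
09-Jan-2020 10:00:01.240 client 10.0.0.21#51235: query: b2.lookup.sophosxl.net IN TXT + (10.0.0.1)
09-Jan-2020 10:00:01.300 client 10.0.0.22#40111: query: www.example.com IN A + (10.0.0.1)
09-Jan-2020 10:00:02.005 client 10.0.0.21#51236: query: c3.lookup.sophosxl.net IN TXT + (10.0.0.1)
09-Jan-2020 10:00:02.750 client 10.0.0.23#60002: query: d4.lookup.sophosxl.net IN TXT + (10.0.0.1)
09-Jan-2020 10:00:02.900 client 10.0.0.22#40112: query: e5.lookup.sophosxl.net IN TXT + (10.0.0.1)
09-Jan-2020 10:00:03.010 client 10.0.0.22#40113: query: notsophosxl.net IN A + (10.0.0.1)
09-Jan-2020 10:01:00.010 client 10.0.0.21#51237: query: f6.lookup.sophosxl.net IN TXT + (10.0.0.1)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<src>\d+\.\d+\.\d+\.\d+)#\d+: "
    r"query: (?P<name>\S+) IN (?P<rtype>\S+)")


def summarize_sxl(log_text, suffix="sophosxl.net"):
    """Return total query lines, how many were for names under `suffix`,
    matches per client IP, and the busiest one-second bucket."""
    total = 0
    per_client = Counter()
    per_second = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a query record
        total += 1
        name = m["name"].rstrip(".").lower()
        # Match the zone itself or any label under it; "notsophosxl.net" must not count.
        if name == suffix or name.endswith("." + suffix):
            per_client[m["src"]] += 1
            per_second[m["ts"].split(".")[0]] += 1  # drop milliseconds
    peak_sec, peak_n = max(per_second.items(), key=lambda kv: kv[1], default=("", 0))
    return {"total": total, "sxl": sum(per_client.values()),
            "per_client": dict(per_client), "peak_second": peak_sec, "peak_count": peak_n}


if __name__ == "__main__":
    s = summarize_sxl(SAMPLE_LOG)
    print(f"{s['sxl']} of {s['total']} queries were SXL; per client: {s['per_client']}")
    print(f"busiest second: {s['peak_second']} ({s['peak_count']} lookups)")
```

A client that dominates the per-client count, or a peak that lines up with a scheduled scan window, tells you which of Jak's three sources (browsing over SXL3, Live Protection over DNS, or SXL4 downloads) to look at first.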