

Sophos XG constantly querying Google domains, why?

Hi all,

First post here, hopefully I can be a contributing member of the community. For now I have a question for you guys.

I'm slowly getting round to setting up Sophos XG Home to replace my router. It's currently connected to my home network via its WAN port, with the LAN port creating a new network on the backend for testing. The WAN link is assigned an IP address etc. via DHCP from the current router. I have recently set up Pi-Hole with Unbound, which is handling all DNS queries on the primary LAN.

The question is as described in the subject. Why is Sophos XG constantly querying Google domains? I have made sure there is nothing else on the LAN side of the Sophos VM.

Call me paranoid, but I don't like the idea of anything on my network having constant communication with Google, or anything else for that matter, certainly without me knowing.

Does anyone have any ideas why it's happening, and whether I can stop it?

TIA

TheBeardedOne



  • Thank you both for getting back to me.

    So that probably explains the constant invalid traffic entries. I'll experiment with altering the timeout to see if it reduces the number of entries in the log.

    All in all the Sophos XG VM is generating no more than approx 50Kbps of traffic per 2 hours which is insignificant. The issue is the saturated logs.

    As for why XG is constantly querying Google domains, any ideas?

    Cheers

  • These are preconfigured fqdn hosts for Chromebook SSO. It will periodically do a lookup for them to populate the right IP addresses.

  • Thanks MasterRoshi,

    Is there any way to prevent it?

  • Deleting the fqdn host objects in Host and Services -> FQDN hosts will do the trick. 

  • Legendary! Didn't even know that was there...

    Something to play around with.

    Thanks again Roshi!


  • MasterRoshi said:
    Deleting the fqdn host objects in Host and Services -> FQDN hosts will do the trick. 

    Hi, I have a XG Firewall home with 3 APX320 WiFi AP's, one for each floor of my home.

    I have that exact same problem as "TheBeardedOne". I see in my pi-hole query list that every five minutes, my 3 APX320 APs query www.google.com within the same minute. I tried turning all WiFi devices off, so that none could be the source of the queries. I also tried deleting every single Google FQDN host in the list. Unfortunately my APX320 access points still query "www.google.com" every 5 minutes.

    I cannot figure out what's the exact source of these queries.

    Any idea?

    Many thanks to the community!
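    One way to pin down which devices are behind a query like this is to read the Pi-hole query log rather than the dashboard, and look for clients whose lookups of the same name recur at a fixed interval. The script below is an added example (not from this thread, Sophos, or the Pi-hole project); it assumes the dnsmasq-style `query[A] name from client` lines Pi-hole writes to `/var/log/pihole.log`, and the sample lines, client addresses and times in it are constructed for the demonstration.

    ```python
    import re
    from collections import defaultdict
    from datetime import datetime
    from statistics import median

    # Constructed sample in the dnsmasq-style layout Pi-hole writes to
    # /var/log/pihole.log (assumed format; addresses and times are made up).
    # Three "access point" clients ask for www.google.com every five minutes,
    # one ordinary client asks once.
    SAMPLE_LOG = """\
    Mar  5 10:00:01 dnsmasq[1234]: query[A] www.google.com from 192.168.1.21
    Mar  5 10:00:02 dnsmasq[1234]: query[A] www.google.com from 192.168.1.22
    Mar  5 10:00:02 dnsmasq[1234]: query[A] www.google.com from 192.168.1.23
    Mar  5 10:01:40 dnsmasq[1234]: query[A] example.org from 192.168.1.50
    Mar  5 10:05:01 dnsmasq[1234]: query[A] www.google.com from 192.168.1.21
    Mar  5 10:05:02 dnsmasq[1234]: query[A] www.google.com from 192.168.1.22
    Mar  5 10:05:03 dnsmasq[1234]: query[A] www.google.com from 192.168.1.23
    Mar  5 10:10:01 dnsmasq[1234]: query[A] www.google.com from 192.168.1.21
    Mar  5 10:10:02 dnsmasq[1234]: query[A] www.google.com from 192.168.1.22
    Mar  5 10:10:02 dnsmasq[1234]: query[A] www.google.com from 192.168.1.23
    Mar  5 10:12:15 dnsmasq[1234]: query[A] www.google.com from 192.168.1.50
    """

    # Only "query[...]" lines carry the requesting client; reply/forwarded/cached
    # lines are deliberately skipped by this pattern.
    LINE_RE = re.compile(
        r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) dnsmasq\[\d+\]: "
        r"query\[(?P<qtype>[A-Z]+)\] (?P<name>\S+) from (?P<client>\S+)$"
    )


    def parse_log(text, year=2024):
        """Return (timestamp, qname, client) tuples for every query line.

        Syslog timestamps carry no year, so one is supplied (assumed) to build
        real datetime objects that can be subtracted from each other.
        """
        events = []
        for line in text.splitlines():
            m = LINE_RE.match(line)
            if not m:
                continue
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["name"].lower(), m["client"]))
        return events


    def periodic_clients(events, name, min_hits=3, tolerance_s=10):
        """Map each client that looks up `name` on a steady schedule to its period.

        A client qualifies when it has at least `min_hits` queries and every gap
        between consecutive queries is within `tolerance_s` of the median gap.
        A device that asks once, or at irregular times, is left out.
        """
        by_client = defaultdict(list)
        for ts, qname, client in events:
            if qname == name.lower():
                by_client[client].append(ts)

        result = {}
        for client, stamps in by_client.items():
            stamps.sort()
            if len(stamps) < min_hits:
                continue
            gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
            med = median(gaps)
            if all(abs(g - med) <= tolerance_s for g in gaps):
                result[client] = round(med)
        return result


    if __name__ == "__main__":
        found = periodic_clients(parse_log(SAMPLE_LOG), "www.google.com")
        for client, period in sorted(found.items()):
            print(f"{client} queries www.google.com every {period}s")
    ```

    Run against a real log (`python3 periodic_dns.py < /var/log/pihole.log` after swapping `SAMPLE_LOG` for `sys.stdin.read()`), the output is the list of LAN addresses on a fixed timer; whatever appears there is the device to look at, whether that is the firewall refreshing an FQDN host object or an access point doing its own connectivity check. Raising `tolerance_s` tolerates jitter in the schedule; raising `min_hits` avoids flagging a device that happened to ask a few times in a row.
    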

  • Hi,

    if you review the logviewer firewall log you should see the source and destination of your traffic. What DNS are you using on the XG and your clients?

    Ian

    XG115W - v20.0.3 MR-3 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Hi, the DNS for my XG is set to the pi-hole located on the same LAN. The pi-hole is DHCP server for all my LAN clients (to get hostnames in my pi-hole logs) also with the DNS set to the pi-hole.

    I had a look at my firewall log and noticed a strange behavior. My APX320 APs (connected to the LAN network) generate denied traffic to the LAN IP of the firewall on port 417?? The APs are connected on the same LAN as the Firewall, so that should not happen, should it!

    Many Thanks

  • Hi,

    what are IP addresses of your external DNS?

    What does the rule that is causing the traffic drop look like? Were your APX ever registered with Sophos wireless central?

    Ian


  • Yes sorry, I forgot to mention that the external DNS set on my pi-hole, is openDNS.

    The rule is "0" and mentions "appliance access" "denied" on LAN port from APX320 IP, src port 42523 to XG IP, dst port 417 UDP.

    No, I don't use Sophos wireless central as I'm a home user. The APs are registered on the XG.