Threat Feed - DNS Response blocked - how to find the original host requested

XDR queries could help. Generally speaking, it is hard to find this, as we "cannot" store DNS queries on a firewall due the amount of queries, the clients will generate. 

You could try to find a matching DNS packet at the "exact same time" but even this will not help you. 

This issue came up in the past years with UTM ATP as well. 

Can you see via mouse over more information about this DNS drop? 

I spent some time with the XDR Queries, could find a lot of browser related connections but no DNS requests.

2025-01-07 11:11:12 Active threat response messageid="18009" log_type="ATP" log_component="DNS" log_subtype="Alert" user="username" protocol="UDP" src_port="52472" dst_port="53" src_ip="xxx.xxx.xxx.xxx" dst_ip="Firewall-LAN-IP" url="143.204.98.125" threat="Blocklistname" threatfeed="Blocklistname" event_id="" type="Standard" host_login_user="" host_process_user="" endpoint_id="" execution_path=""

What DNS server do you use on SFOS? Not by any chance Secure DNS by Central?  

No it's not Sophos DNS currently. In that case the firewall of the remote location uses Google DNS.

No it's not Sophos DNS currently. In that case the firewall of the remote location uses Google DNS.