MX - Suspicious .win dns query



Not sure if this is something we should worry about:

Suspicious .win dns query

I have looked at local DNS (logs enabled) and I don't even see .win queries in the logs.


Meraki Employee


This Security rule alerts on DNS queries to .win domains - those are commonly used to try and spoof legitimate websites and trick users into thinking they are the original sites.

From experience it would likely not be something to worry about, but it would highly depend on what the exact source of this query is, whether it's internal or external, and whether you are able to tell what device is behind the source address.


Thanks, I don't see any ".win" request in my local DNS logs, so it seems like it's external. Since we use MX, is there any way to check these queries in the log and see what device requests it?

Go into Organization - Security Center. Depending on when and how frequently it happens, the event may show up under 'Most Prevalent Threats' or 'Threats Across Networks'; you can click on it and filter for just that event. Alternatively, you can filter for 'snort_rule: 1-44077'. Once that is filtered you can click on the 'MX Events' tab and that will show you source, destination and network, and you can also get the pcap if you click on the event name under the 'Details' column.


Thanks, I see them now:

My DNS1 or DNS2 to ISP DNS (set up on local DNS servers 1&2), and I see them a lot. I have installed Sysmon on both DC/DNS1&2 but I don't see any .win query.


I have looked through the Sysmon logs (Event ID 22, DNS) and don't see anything related to .win on both servers. I just see a bunch of Windows Update links to Microsoft, so I am not sure if this is a false positive or real.
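Checking Sysmon Event ID 22 (DnsQuery) records for queries into a given TLD, as an added example that is not part of this thread: it parses Sysmon events exported as XML (the sample records below are constructed, not real logs), tolerates trailing dots and mixed case in QueryName, and groups hits by the querying process. Note that Sysmon Event ID 22 only records DNS queries issued by processes on that host, so it is a per-host view, not a view of what the DNS server resolved for other clients.

```python
import xml.etree.ElementTree as ET

# Constructed sample Sysmon records (EventID 22 = DnsQuery, EventID 1 = ProcessCreate).
SAMPLE_XML = r"""<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>22</EventID></System>
<EventData><Data Name="UtcTime">2023-05-01 10:00:01.000</Data><Data Name="Image">C:\Windows\System32\svchost.exe</Data>
<Data Name="QueryName">tlu.dl.delivery.mp.microsoft.com</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>22</EventID></System>
<EventData><Data Name="UtcTime">2023-05-01 10:00:02.000</Data><Data Name="Image">C:\Program Files\Browser\browser.exe</Data>
<Data Name="QueryName">Login-Portal.example.WIN.</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>1</EventID></System>
<EventData><Data Name="Image">C:\Windows\System32\cmd.exe</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>22</EventID></System>
<EventData><Data Name="UtcTime">2023-05-01 10:00:03.000</Data><Data Name="Image">C:\Program Files\Browser\browser.exe</Data>
<Data Name="QueryName">ads.example.win</Data></EventData></Event>
</Events>"""

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def parse_sysmon_dns(xml_text):
    """Return the EventData fields of every Sysmon Event ID 22 record as a dict."""
    events = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "22":
            continue  # skip non-DNS Sysmon events such as ProcessCreate
        events.append({d.get("Name"): (d.text or "") for d in ev.findall("e:EventData/e:Data", NS)})
    return events


def queries_in_tld(events, tld):
    """Return (UtcTime, Image, name) for queries whose last label is `tld`."""
    want = tld.lower().strip(".")
    hits = []
    for d in events:
        name = d.get("QueryName", "").rstrip(".").lower()  # normalise "Foo.WIN." -> "foo.win"
        if name and name.rsplit(".", 1)[-1] == want:
            hits.append((d.get("UtcTime", ""), d.get("Image", ""), name))
    return hits


def count_by_image(hits):
    """Count matching queries per originating process image path."""
    counts = {}
    for _, image, _ in hits:
        counts[image] = counts.get(image, 0) + 1
    return counts


if __name__ == "__main__":
    matches = queries_in_tld(parse_sysmon_dns(SAMPLE_XML), ".win")
    for when, image, name in matches:
        print(when, image, name)
    print(count_by_image(matches))
```

On a real host, feed the function the XML you get from exporting the Microsoft-Windows-Sysmon/Operational log, filtered to Event ID 22.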

Seeing ".win" would be likely related to Windows updates, ".win" is often associated with Windows backup files.

Thank you Malwina,

That is exactly what I see in my local DNS servers. A lot of sites related to so I believe these are a false alarm. Can I whitelist them? I would prefer not to disable them, but whitelist somehow.


There is indeed a possibility to Allowlist these in the Dashboard.
Did you have a chance to look into our documentation on this?
If not, give it a go, I believe it could be helpful 🙂

We run 18.107.2 firmware, so I believe we should be running Snort 3.
