Z3C and suspicious .null dns query

tonyavk
Here to help

Hello wise community!

 

I have a really weird-acting Z3C in the office. It's connected to a Meraki MX100 with IDS, and I see this suspicious .null DNS query almost every day, even at times when no one uses the Z3.

[screenshot: tonyavk_0-1745940884771.png]

The second weird thing about it is that the two requests in the picture above look like the same request, but it is blocked from the Z3C and allowed from the MX100, like it passes through.

Any ideas what might cause this?

8 Replies
Mloraditch
Kind of a big deal

Are you saying you have a Z3 behind an MX100, and that of the two entries above, one is sourced from the Z3 and blocked and one is from an end client and allowed?

It's possible the one is being blocked because it's going to an internal server vs. the internet. Support may be able to give more insight into how the rule in question operates.

The public documentation on the rule is not super detailed: https://www.snort.org/rule_docs/1-48666

If you found this post helpful, please give it Kudos. If my answer solves your problem please click Accept as Solution so others can benefit from it.
tonyavk
Here to help

Well, I suspect that this is the same request: same moment, and the MX100 by itself never generates these suspicious requests. I'm mostly curious why the Z3 acts like this rather than why the rule is not working properly.

Mloraditch
Kind of a big deal

If the MX100 itself generated such a request, you may not see it in the logs. I'm not sure exactly how the inline scanning works, but I suspect it doesn't look at control-plane traffic.

Only support could definitively answer why the Z3 is generating such a request (and if it's actually the Z3)

alemabrahao
Kind of a big deal

I suggest you open a support case, they will do a more detailed investigation.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
PhilipDAth
Kind of a big deal

What is 10.99.99.254?

If it is a DNS relay/server (such as a Z4 or MX), then the true client is hidden. You could get a clearer result if you changed the clients to use an external DNS like 8.8.8.8 instead and not use the DNS server.
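
The attribution problem described above, as an added example that is not code from the thread or from Meraki: a stdlib-only Python script that builds DNS queries in wire format, parses them back, flags any query whose TLD is in a suspicious set (here just `.null`, the TLD the thread is about), and groups hits by source IP. The point it makes is the same as the reply: when clients resolve through the MX relay (10.99.99.254 in the thread), every hit appears to come from the relay, and only a client that talks to an external resolver directly shows its real address. The packet list, the 10.99.99.50/.51/.52 client addresses and the `SUSPICIOUS_TLDS` set are constructed assumptions for the example, not data from the poster's network.

```python
"""Added example, not code from the thread or from Meraki.

Builds DNS queries in wire format (RFC 1035 header + question section),
parses them back, flags queries whose TLD is in SUSPICIOUS_TLDS, and groups
the hits by source IP so the relay-vs-client attribution problem from the
thread is visible. All addresses and packets below are constructed.
"""
import struct

SUSPICIOUS_TLDS = {"null"}       # assumption: the TLDs you want to alert on
RELAY_IP = "10.99.99.254"        # the MX acting as DNS relay in the thread


def encode_qname(name: str) -> bytes:
    """Encode 'abc.null' as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label length in {name!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Minimal recursive query: 12-byte header + one question (A, IN)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD set
    return header + encode_qname(name) + struct.pack("!HH", qtype, 1)


def decode_qname(data: bytes, offset: int):
    """Read labels at offset; return (name, offset after the terminating zero)."""
    labels = []
    while True:
        length = data[offset]
        if length == 0:
            return ".".join(labels), offset + 1
        if length & 0xC0:
            # compression pointers never appear in a query's question name
            raise ValueError("compression pointer in question name")
        offset += 1
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length


def parse_query(packet: bytes) -> dict:
    """Parse header + first question; raises ValueError on malformed input."""
    if len(packet) < 12:
        raise ValueError("short DNS header")
    txid, flags, qdcount, _, _, _ = struct.unpack("!HHHHHH", packet[:12])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    name, off = decode_qname(packet, 12)
    if len(packet) < off + 4:
        raise ValueError("truncated question")
    qtype, qclass = struct.unpack("!HH", packet[off:off + 4])
    return {"txid": txid, "qname": name, "qtype": qtype, "qclass": qclass,
            "is_response": bool(flags & 0x8000)}   # QR bit


def tld_of(name: str) -> str:
    """Last label, lower-cased, ignoring a trailing dot."""
    return name.rstrip(".").rsplit(".", 1)[-1].lower()


def find_suspicious(packets):
    """packets: iterable of (src_ip, dst_ip, udp_payload). Returns hit dicts."""
    hits = []
    for src, dst, payload in packets:
        try:
            q = parse_query(payload)
        except (ValueError, IndexError, UnicodeDecodeError):
            continue  # not a well-formed DNS query; ignore it
        if q["is_response"]:
            continue  # only queries matter here
        if tld_of(q["qname"]) in SUSPICIOUS_TLDS:
            hits.append({"src": src, "dst": dst, "qname": q["qname"]})
    return hits


def summarize_by_source(hits, relay_ip=RELAY_IP):
    """Map src_ip -> (hit count, True if the source is the relay).

    A True flag means the real client is hidden behind the relay, which is
    why the reply suggests pointing clients straight at an external DNS."""
    counts = {}
    for h in hits:
        counts[h["src"]] = counts.get(h["src"], 0) + 1
    return {src: (n, src == relay_ip) for src, n in counts.items()}


# Constructed sample traffic (not captured from the poster's network).
SAMPLE_PACKETS = [
    ("10.99.99.50", RELAY_IP, build_query("www.example.com")),   # benign
    ("10.99.99.50", RELAY_IP, build_query("abc.null")),          # client -> relay
    (RELAY_IP, "8.8.8.8", build_query("abc.null")),              # relay re-sends upstream
    ("10.99.99.51", "8.8.8.8", build_query("host.corp.null")),   # client bypassing relay
    ("10.99.99.52", RELAY_IP, b"\x00\x01"),                      # garbage, must be skipped
]

if __name__ == "__main__":
    for h in find_suspicious(SAMPLE_PACKETS):
        print(f"{h['src']} -> {h['dst']}  {h['qname']}")
    print(summarize_by_source(find_suspicious(SAMPLE_PACKETS)))
```

With UDP/53 payloads pulled from a capture on the LAN side of the relay, the summary shows which hits carry a real client address and which are attributed to 10.99.99.254; in the setup the thread describes, every query that went through the MX resolver lands in the second group, which is what the suggestion to bypass the relay is meant to change.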

tonyavk
Here to help

This is the MX100. Thanks for the suggestion!

RaphaelL
Kind of a big deal

So you must be running IPS and not IDS, right? Because IDS won't block.

tonyavk
Here to help

[screenshot: tonyavk_0-1745973625321.png]