an unusual DNS Over HTTPS (DoH) communication with server 208.67.220.220

Phillip9ja
New here

an unusual DNS Over HTTPS (DoH) communication with server 208.67.220.220

We got an alert from our Cloud provider around a DNS over HTTPS information from one of our VMX-L

 

You have a GuardDuty Finding Type: DefenseEvasion:EC2/UnusualDoHActivity in the Region: *********

 

"Description: The EC2 instance ************* is performing an unusual DNS Over HTTPS (DoH) communication with server 208.67.220.220.."

 

 

208.67.220.220 - Cisco Open DNS 

 

Kindly Advise any information related to this info. 

 

 

5 Replies 5
Brash
Kind of a big deal
Kind of a big deal

That is the IP address of the OpenDNS/Cisco Umbrella security solution.

It's likely that either a client on your network has the Cisco Secure Connect client with Umbrella module installed, you have an integration with Cisco Umbrella on the MX or you've configured "Use Umbrella" for DNS in one of your DHCP scopes.

RaphaelL
Kind of a big deal
Kind of a big deal

I would be curious to know if you are using Umbrella. 

 

I have an open case ( from 2022... ) that all my MX450s in Concentrator mode are sourcing that type of trafic and we are not using umbrella. I wasn't able to get an answer from Meraki since then.

rhbirkelund
Kind of a big deal
Kind of a big deal

A case open since 2022, and support still won't answer? Tried getting an SE to push for an answer?

LinkedIn ::: https://blog.rhbirkelund.dk/

Like what you see? - Give a Kudo ## Did it answer your question? - Mark it as a Solution 🙂

All code examples are provided as is. Responsibility for Code execution lies solely your own.
RaphaelL
Kind of a big deal
Kind of a big deal

This is one of the lowest priority case between all our active cases (20-30). They will get there , but geting concrete answers has been a hard task lately.

Phillip9ja
New here

@RaphaelL You are probably right.

We are yet to see any evidence of Umbrella Security Solution used in our environment. 

Get notified when there are additional replies to this discussion.