an unusual DNS Over HTTPS (DoH) communication with server 208.67.220.220

Phillip9ja
New here


We got an alert from our cloud provider about DNS over HTTPS information from one of our VMX-L:


You have a GuardDuty Finding Type: DefenseEvasion:EC2/UnusualDoHActivity in the Region: *********


"Description: The EC2 instance ************* is performing an unusual DNS Over HTTPS (DoH) communication with server 208.67.220.220."
208.67.220.220 - Cisco OpenDNS


Kindly advise on any information related to this.
Brash
Kind of a big deal

That is the IP address of the OpenDNS/Cisco Umbrella security solution.

It's likely that either a client on your network has the Cisco Secure Connect client with Umbrella module installed, you have an integration with Cisco Umbrella on the MX or you've configured "Use Umbrella" for DNS in one of your DHCP scopes.
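A triage helper for this finding type, added here as an example and not code from the thread, from Meraki or from AWS. It assumes the key layout that GuardDuty's GetFindings API returns for a finding, and it classifies the destination the way the answer above suggests: the OpenDNS/Umbrella address from the finding (plus a few other well-known public resolvers, my additions) points to a configured Umbrella integration or client rather than evasion, while a private or unlisted peer needs a closer look.

```python
import ipaddress
from typing import Any

# Public resolvers that commonly serve DoH. 208.67.220.220 is the OpenDNS/Umbrella
# address in the finding; the rest are well-known resolvers added for context
# (assumption: your environment treats them as expected destinations).
KNOWN_DOH_RESOLVERS = {
    "208.67.220.220": "OpenDNS / Cisco Umbrella",
    "208.67.222.222": "OpenDNS / Cisco Umbrella",
    "1.1.1.1": "Cloudflare",
    "8.8.8.8": "Google Public DNS",
    "9.9.9.9": "Quad9",
}
DOH_FINDING_TYPE = "DefenseEvasion:EC2/UnusualDoHActivity"


def sample_finding(remote_ip: str, finding_type: str = DOH_FINDING_TYPE) -> dict[str, Any]:
    """Constructed finding in the key layout GuardDuty's GetFindings API returns
    (assumed layout; the instance id is a placeholder, not a value from the thread)."""
    return {
        "Type": finding_type,
        "Resource": {"InstanceDetails": {"InstanceId": "i-0123456789abcdef0"}},
        "Service": {"Action": {"NetworkConnectionAction": {
            "RemoteIpDetails": {"IpAddressV4": remote_ip}}}},
    }


def triage_doh_finding(finding: dict[str, Any]) -> dict[str, Any]:
    """Classify a DoH finding by where the instance sent its DoH traffic.

    expected-resolver: a known public resolver; confirm that an Umbrella module,
        an MX Umbrella integration or a 'Use Umbrella' DHCP setting explains it.
    non-global-peer: DoH to a private/reserved address; identify that host.
    review: DoH to an unlisted public IP; investigate as the finding intends.
    """
    if finding.get("Type") != DOH_FINDING_TYPE:
        raise ValueError(f"not a DoH finding: {finding.get('Type')!r}")
    remote = (finding["Service"]["Action"]["NetworkConnectionAction"]
              ["RemoteIpDetails"]["IpAddressV4"])
    ip = ipaddress.ip_address(remote)  # rejects malformed address strings
    provider = KNOWN_DOH_RESOLVERS.get(str(ip))
    if provider:
        verdict = "expected-resolver"
    elif not ip.is_global:
        verdict = "non-global-peer"
    else:
        verdict = "review"
    return {"instance": finding["Resource"]["InstanceDetails"]["InstanceId"],
            "remote_ip": str(ip), "provider": provider, "verdict": verdict}
```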

RaphaelL
Kind of a big deal

I would be curious to know if you are using Umbrella. 
I have an open case (from 2022...) that all my MX450s in Concentrator mode are sourcing that type of traffic and we are not using Umbrella. I wasn't able to get an answer from Meraki since then.
