dns.google - Event log overload

Solved
ErnstTFD
Getting noticed

Hello,

I have enabled "Proxy Avoidance and Anonymizers" in my group policy settings. This seems to cause a problem with Google DNS.

I get hundreds of events logged as seen below, where dns.google is blocked by my above mentioned content filter setting. There are so many events being generated that I get "Events dropped" errors.

(An 'events dropped' entry means that there was a burst of events in a short period of time, and that some were not recorded because of memory and bandwidth constraints on the security appliance.)

Is there a way to stop this from occurring? Should I change the DNS settings of the clients, or create a whitelist entry for Google DNS? Will this compromise my "Proxy Avoidance and Anonymizers" filter?

Thank you for any advice.

2021/09/07 10:16  Content filtering blocked URL  "url https://dns.google/..., server 8.8.8.8:443, category Proxy Avoidance and Anonymizers"
2021/09/07 10:15  Content filtering blocked URL  "url https://dns.google/..., server 8.8.4.4:443, category Proxy Avoidance and Anonymizers"
2021/09/07 10:15  Events dropped  "42 events were not logged."
2021/09/07 10:13  Content filtering blocked URL  "url https://dns.google/..., server 8.8.4.4:443, category Proxy Avoidance and Anonymizers"
2021/09/07 10:13  Content filtering blocked URL  "url https://dns.google/..., server 8.8.8.8:443, category Proxy Avoidance and Anonymizers"
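To see which destination is actually flooding the log before changing the filter or the clients' DNS settings, here is an added example (not from the original thread or from Meraki) that parses event lines in the format quoted above, totals blocks per host and server, and sums the dropped-event counts. The sample lines are the ones from the post, with the HTML help-icon remnant stripped; the field names (url, server, category) are taken from those lines.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Sample Meraki event-log lines in the format quoted in the post above.
# The parser tolerates extra whitespace between the timestamp, event type and quoted details.
SAMPLE_LOG = """\
2021/09/07 10:16Content filtering blocked URL"url https://dns.google/..., server 8.8.8.8:443, category Proxy Avoidance and Anonymizers"
2021/09/07 10:15Content filtering blocked URL"url https://dns.google/..., server 8.8.4.4:443, category Proxy Avoidance and Anonymizers"
2021/09/07 10:15Events dropped"42 events were not logged."
2021/09/07 10:13Content filtering blocked URL"url https://dns.google/..., server 8.8.4.4:443, category Proxy Avoidance and Anonymizers"
2021/09/07 10:13Content filtering blocked URL"url https://dns.google/..., server 8.8.8.8:443, category Proxy Avoidance and Anonymizers"
"""

LINE_RE = re.compile(r'^(\d{4}/\d{2}/\d{2} \d{2}:\d{2})\s*(.+?)\s*"(.*)"$')
BLOCK_RE = re.compile(r'^url (\S+), server (\S+), category (.+)$')
DROPPED_RE = re.compile(r'^(\d+) events were not logged')

def parse_line(line):
    """Split one event line into (timestamp, event_type, details); None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groups() if m else None

def summarize(text):
    """Return (Counter of (host, server, category) -> blocks, total dropped events)."""
    blocked = Counter()
    dropped = 0
    for raw in text.splitlines():
        parsed = parse_line(raw)
        if not parsed:
            continue  # skip lines that are not in the event-log format
        _ts, event_type, details = parsed
        if event_type == "Content filtering blocked URL":
            m = BLOCK_RE.match(details)
            if m:
                url, server, category = m.groups()
                host = urlparse(url).hostname or url  # "https://dns.google/..." -> "dns.google"
                blocked[(host, server, category)] += 1
        elif event_type == "Events dropped":
            m = DROPPED_RE.match(details)
            if m:
                dropped += int(m.group(1))  # sum the reported drop counts
    return blocked, dropped

def blocks_per_host(blocked):
    """Collapse the per-(host, server, category) counts to blocks per host, busiest first."""
    per_host = Counter()
    for (host, _server, _category), n in blocked.items():
        per_host[host] += n
    return per_host.most_common()

if __name__ == "__main__":
    blocked, dropped = summarize(SAMPLE_LOG)
    print(blocks_per_host(blocked), "dropped:", dropped)
```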
1 Accepted Solution
ErnstTFD
Getting noticed

As I didn't really end up finding a workable solution, I was forced to disable "Secure DNS" on all my users' Chrome browsers. This is the only thing that I found that works.

6 Replies
ww
Kind of a big deal

I guess this is DoH that is configured in Chrome by default now.

You could try whitelisting that URL. Then make a FW rule to block 8.8.4.4:433 & 8.8.8.8:443.

ErnstTFD
Getting noticed

Thank you. I will give it a try when my users aren't busy as I don't want to risk interrupting service. Will give feedback on how it went.

ErnstTFD
Getting noticed

So if I whitelist dns.google, the filters stop working. Further, blocking 8.8.8.8:443 and 8.8.4.4:443, in the layer 3 firewall does not have any effect, so the event log is still overloaded with too many log entries.

PhilipDAth
Kind of a big deal

Understand this is Chrome trying to 'Anonymize' a user's browsing by hiding DNS queries inside of HTTPS-looking requests.

ErnstTFD
Getting noticed

This makes sense. One of our reasons for moving to Cisco Meraki was that our previous D-Link firewall was failing to block anything with the Chrome browser. Now I understand why.
