dns.google - Event log overload
Hello,
I have enabled "Proxy Avoidance and Anonymizers" in my group policy settings. This seems to cause a problem with Google DNS.
I get hundreds of events logged as seen below, where dns.google is blocked by my above-mentioned content filter setting. There are so many events being generated that I get "Events dropped" errors.
(An 'events dropped' entry means that there was a burst of events in a short period of time, and that some were not recorded because of memory and bandwidth constraints on the security appliance.)
Is there a way to stop this from occurring? Should I change the DNS settings of the clients, or create a whitelist entry for Google DNS? Will this compromise my "Proxy Avoidance and Anonymizers" filter?
Thank you for any advice.
2021/09/07 10:16 | Content filtering blocked URL | "url https://dns.google/..., server 8.8.8.8:443, category Proxy Avoidance and Anonymizers" |
2021/09/07 10:15 | Content filtering blocked URL | "url https://dns.google/..., server 8.8.4.4:443, category Proxy Avoidance and Anonymizers" |
2021/09/07 10:15 | Events dropped | "42 events were not logged." |
2021/09/07 10:13 | Content filtering blocked URL | "url https://dns.google/..., server 8.8.4.4:443, category Proxy Avoidance and Anonymizers" |
2021/09/07 10:13 | Content filtering blocked URL | "url https://dns.google/..., server 8.8.8.8:443, category Proxy Avoidance and Anonymizers" |
I guess this is DoH that is configured in Chrome by default now.
You could try whitelisting that URL. Then make a fw rule to block 8.8.4.4:433 & 8.8.8.8:443.
Thank you. I will give it a try when my users aren't busy as I don't want to risk interrupting service. Will give feedback on how it went.
So if I whitelist dns.google, the filters stop working. Further, blocking 8.8.8.8:443 and 8.8.4.4:443 in the layer 3 firewall does not have any effect, so the event log is still overloaded with too many log entries.
Understand this is Chrome trying to 'Anonymize' a user's browsing by hiding DNS queries inside of HTTPS-like-looking requests.
This makes sense. One of our reasons for moving to Cisco Meraki was that our previous D-Link firewall was failing to block anything with the Chrome browser. Now I understand why.
As I didn't really end up finding a workable solution, I was forced to disable "Secure DNS" on all my users' Chrome browsers. This is the only thing that I found that works.
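Added example, not part of the thread: a small Python triage script that measures how much of an exported event log is DNS-over-HTTPS traffic being blocked, so the flood can be compared before and after a change such as disabling Secure DNS. The log layout is taken from the entries quoted in the first post; the sample lines, the `DOH_HOSTS` set, and the function name are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in the pipe-separated layout quoted in the first post.
SAMPLE_LOG = """\
2021/09/07 10:16 | Content filtering blocked URL | "url https://dns.google/..., server 8.8.8.8:443, category Proxy Avoidance and Anonymizers" |
2021/09/07 10:15 | Content filtering blocked URL | "url https://dns.google/..., server 8.8.4.4:443, category Proxy Avoidance and Anonymizers" |
2021/09/07 10:15 | Events dropped | "42 events were not logged." |
2021/09/07 10:13 | Content filtering blocked URL | "url https://example.test/..., server 192.0.2.10:443, category Proxy Avoidance and Anonymizers" |
"""

# Assumption: hostnames to treat as DoH resolvers; extend for other providers in use.
DOH_HOSTS = {"dns.google"}

BLOCK_RE = re.compile(r"url https?://([^/\s,]+)\S*, server ([\d.]+):(\d+), category")
DROP_RE = re.compile(r"(\d+) events were not logged")


def summarize(log_text):
    """Count blocked DoH requests per resolver IP, other blocks, and dropped events."""
    doh_by_server = Counter()
    other_blocks = dropped = unparsed = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        fields = [f.strip() for f in line.split("|")]
        if len(fields) < 3:
            unparsed += 1
            continue
        event, detail = fields[1], fields[2]
        if event == "Events dropped":
            m = DROP_RE.search(detail)
            dropped += int(m.group(1)) if m else 0
        elif event == "Content filtering blocked URL":
            m = BLOCK_RE.search(detail)
            if m is None:
                unparsed += 1
            elif m.group(1).lower() in DOH_HOSTS:
                doh_by_server[m.group(2)] += 1
            else:
                other_blocks += 1
        else:
            unparsed += 1
    return {"doh_by_server": dict(doh_by_server), "other_blocks": other_blocks,
            "dropped": dropped, "unparsed": unparsed}


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

A non-empty `doh_by_server` after the browser change points to clients that have not picked up the setting yet.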