Meraki

Community

dns.google - Event log overload

Solved
ErnstTFD
Getting noticed
‎Sep 7 2021 1:31 AM
‎Sep 7 2021 1:31 AM

dns.google - Event log overload

Hello,

 

I have enabled "Proxy Avoidance and Anonymizers" in my group policy settings. This seems to cause a problem with Google DNS.

 

I get hundreds of events logged as seen below, where dns.google is blocked by my above mentioned content filter setting. There are so many events being generated that I get "Events dropped" errors.

(An 'events dropped' entry means that there was a burst of events in a short period of time, and that some were not recorded because of memory and bandwidth constraints on the security appliance.)

 

Is there a way to stop this from occurring? Should I change the DNS settings of the clients, or create a whitelist entry for Google DNS? Will this compromise my "Proxy Avoidance and Anonymizers" filter?

 

Thank you for any advice.

 

2021/09/07 10:16Content filtering blocked URL"url https://dns.google/..., server 8.8.8.8:443, category Proxy Avoidance and Anonymizers"
2021/09/07 10:15Content filtering blocked URL"url https://dns.google/..., server 8.8.4.4:443, category Proxy Avoidance and Anonymizers"
2021/09/07 10:15Events dropped"42 events were not logged. <i class='asx_p fa fa-info-circle auto_hohelp events_dropped' alt='[Help]' />"
2021/09/07 10:13Content filtering blocked URL"url https://dns.google/..., server 8.8.4.4:443, category Proxy Avoidance and Anonymizers"
2021/09/07 10:13Content filtering blocked URL"url https://dns.google/..., server 8.8.8.8:443, category Proxy Avoidance and Anonymizers"
1 Accepted Solution
ErnstTFD
Getting noticed
‎Sep 10 2021 2:26 AM
‎Sep 10 2021 2:26 AM

As I didn't really end up finding a workable solution, I was forced to disable "Sercure DNS" on all my users' Chrome browsers. This is the only thing that I found, that works.

View solution in original post

6 Replies 6
ww
Kind of a big deal
Kind of a big deal
‎Sep 7 2021 2:40 AM
‎Sep 7 2021 2:40 AM

I guess this is DOH that is configured  in Chrome by default now.

 

You could try whitelist that url. Then make a fw rule to block 8.8.4.4:433 & 8.8.8.8:443.

 

In response to ww
ErnstTFD
Getting noticed
‎Sep 7 2021 11:18 PM
‎Sep 7 2021 11:18 PM

Thank you. I will give it a try when my users aren't busy as I don't want to risk interrupting service. Will give feedback on how it went.

0 Kudos
In response to ww
ErnstTFD
Getting noticed
‎Sep 9 2021 7:27 AM
‎Sep 9 2021 7:27 AM

So if I whitelist dns.google, the filters stop working. Further, blocking 8.8.8.8:443 and 8.8.4.4:443, in the layer 3 firewall does not have any effect, so the event log is still overloaded with too many log entries.

0 Kudos
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Sep 7 2021 3:15 AM
‎Sep 7 2021 3:15 AM

Understand this is Chrome trying to 'Anonymize' a user's browsing by hiding DNS queries inside of HTTPS like looking requests.

In response to PhilipDAth
ErnstTFD
Getting noticed
‎Sep 7 2021 11:20 PM
‎Sep 7 2021 11:20 PM

This makes sense. One of our reasons for moving to Cisco Meraki was that our previous D-Link firewall was failing to block anything with the Chrome browser. Now I understand why.

0 Kudos
ErnstTFD
Getting noticed
‎Sep 10 2021 2:26 AM
‎Sep 10 2021 2:26 AM

As I didn't really end up finding a workable solution, I was forced to disable "Sercure DNS" on all my users' Chrome browsers. This is the only thing that I found, that works.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.