# kolide
t
FYI had an employee report thousands of DNS queries from his laptop via Pi-hole DNS going to comparative-mollusk-y0a4rcrnmuyekxc7u0ajsvh7.herokudns.com, made him suspicious and traced it back to Kolide launcher
s
Our SaaS is hosted on heroku. So that part seems reasonable.
But thousands sounds excessive. Do you know if these were blocked, and retrying? Or what the time period is?
t
Time period was yesterday, probably a retry loop
actually he said "At least 2x per minute and pihole was letting them through"
s
The kolide endpoint agent is configured to request various configuration and live queries fairly often. Depending on various things, this might be as often as 2x a minute. I'm not sure how the DNS cache and the Pi-hole all come into play, though.
If you had a host configured to send all DNS requests to a Pi-hole, I imagine you'd see something like that.