#kolide

Travis

07/27/2021, 11:14 PM
FYI, an employee reported thousands of DNS queries from his laptop, seen via Pi-hole DNS, going to comparative-mollusk-y0a4rcrnmuyekxc7u0ajsvh7.herokudns.com. It made him suspicious, and he traced it back to Kolide launcher.

seph

07/28/2021, 10:44 AM
Our SaaS is hosted on Heroku, so that part seems reasonable.
10:45 AM
But thousands sounds excessive. Do you know if these were blocked, and retrying? Or what the time period is?
1:13 PM

Travis

07/28/2021, 4:37 PM
Time period was yesterday, probably a retry loop
4:38 PM
Actually, he said "At least 2x per minute and Pi-hole was letting them through."

seph

07/28/2021, 5:21 PM
The Kolide endpoint agent is configured to request various configuration and live queries fairly often. Depending on various things, this might be as often as 2x a minute. I'm not sure how the DNS cache and the Pi-hole all come into play, though.
5:22 PM
If you had a host configured to send all DNS requests to a Pi-hole, I imagine you'd see something like that.