Channels
android_tests
apple-silicon
arm-architecture
auditing-warroom
aws
carving
code-review
community-feeds
core
darkbytes
doorman
ebpf
eclecticiq-polylogyx-extension
extensions
file-carving
fim
fleet
fleet-dev
fleetosquery
foundation
fuzzing
general
golang
goquery
infrastructure
jobs
kolide
linen-dev
linux
macos
officehours
osctrl
plugins
process-auditing
querycon
queryhub
random
selfgroup
sql
tls
uptycs
vendor-feeds
website
windows
zeek
zentral
zercurity
Title
t
Travis
07/27/2021, 11:14 PMFYI had an employee report thousands of DNS queries from his laptop via Piehole DNS going to comparative-mollusk-y0a4rcrnmuyekxc7u0ajsvh7.herokudns.com, made him suspicious and traced it back to Kolide launcher
s
seph
07/28/2021, 10:44 AMOur SaaS is hosted on heroku. So that part seems reasonable.
But thousands sounds excessive. Do you know if these were blocked, and retrying? Or what the time period is?
https://help.kolide.com/en/articles/4252704-kolide-agent-to-servers-connectivity may be helpful, though it doesn’t say much else.
t
Travis
07/28/2021, 4:37 PMTime period was yesterday, probably a retry loop
actually he said "At least 2x per minute and pihole was letting them through"
s
seph
07/28/2021, 5:21 PMThe kolide endpoint agent is configured to request various configuration and live queries fairly often. Depending on various things, this might be as often as 2x minute.
I’m not sure how DNS cache, and the pihole all come into play though.
If you had a host configured to send all dns requests to a pihole, I imagine you’d see something like that.
👍 1