Google DNS 8.8.8.8, 8.8.4.4 auto-blocked

Any idea why Google DNS servers
8.8.8.8
8.8.4.4
would show up on the Blocked Sites list?

Triggering source is device, Reason is Port scan attack.

I discovered this after complaints about slow web browsing. I started monitoring while these IP addresses were blocked but I couldn't see any traffic coming from these IPs. Oddly, the expiration timer kept resetting to 20 min after a few seconds, indicating there was new traffic triggering the auto-block.

I ended up manually deleting and they haven't shown back up yet.

Comments

  • Hello,

    Check the connected machines carefully; this could indicate some type of malware/virus infection.

    Hello

  • Looks like similar issue reported here in Aug 2020 after upgrading to 12.6.2. The device I had this issue on is running 12.5.8 BTW.

    https://community.watchguard.com/watchguard-community/discussion/comment/4641#Comment_4641

    Bug?

  • Firewall model you use?

  • You can always add these DNS server IP addrs to the Blocked Sites Exceptions list, which will prevent them ending up on the Blocked Sites list - for whatever reason.

  • This is an M300.

    Right, just wondering how they got there to begin with. It's also odd that they never timed out. The Firebox showing a port scan attack coming from a Google DNS server seems erroneous.

  • There are a number of possibilities. Here are 2:

    1) the UDP timeout is 15 secs. If, for some reason, Google DNS server responses get delayed beyond the 15 secs, they will be dropped as unhandled external packets. If there are too many of them during a given time period, one could get the Port scan attack denies, since the dest port appears to be random (they are actually reply packets).

    2) some site decided to send spoofed DNS packets to Google servers with your public IP addr as the source. There are a number of denial of service attacks which do this.
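The first possibility can be illustrated with a small model of a stateful firewall (an added example, not code from WatchGuard or anyone in this thread). The 15-second UDP timeout and 20-minute auto-block come from the thread; the scan threshold, counting window and client address are constructed assumptions.

```python
from collections import defaultdict

UDP_TIMEOUT = 15.0        # UDP idle timeout quoted in the thread (seconds)
SCAN_THRESHOLD = 3        # constructed: unhandled packets from one source before a block
SCAN_WINDOW = 10.0        # constructed: window for counting them (seconds)
BLOCK_SECONDS = 20 * 60   # 20-minute auto-block mentioned in the thread

def run_firewall(packets):
    """packets: (time, direction, src_ip, src_port, dst_ip, dst_port), direction 'out' or 'in'.
    Returns (decisions, block_expiry); decisions is a list of (time, verdict, peer_ip, dst_port)."""
    sessions = {}                  # (client, cport, server, sport) -> last time seen
    unhandled = defaultdict(list)  # external source IP -> times of unsolicited packets
    block_expiry = {}              # external source IP -> when its auto-block expires
    decisions = []
    for t, direction, src, sport, dst, dport in sorted(packets):
        if direction == "out":
            sessions[(src, sport, dst, dport)] = t   # open or refresh state for the query
            continue
        key = (dst, dport, src, sport)               # a reply inverts the outbound tuple
        last = sessions.get(key)
        if last is not None and t - last <= UDP_TIMEOUT:
            sessions[key] = t
            decisions.append((t, "reply matched session", src, dport))
            continue
        # No live session any more: the late reply is an unhandled external packet
        # aimed at what looks like a random high port.
        sessions.pop(key, None)
        recent = [x for x in unhandled[src] if t - x <= SCAN_WINDOW] + [t]
        unhandled[src] = recent
        verdict = "unhandled external packet"
        if len(recent) >= SCAN_THRESHOLD:
            block_expiry[src] = t + BLOCK_SECONDS   # each new hit pushes the timer out again
            verdict = "port scan attack -> blocked"
        decisions.append((t, verdict, src, dport))
    return decisions, block_expiry

def late_dns_scenario():
    """Constructed traffic: four queries to 8.8.8.8; one answered promptly, three answered late."""
    client, resolver = "198.51.100.7", "8.8.8.8"   # client address is a constructed placeholder
    pkts = []
    for i, (q_time, a_time) in enumerate([(0, 0.05), (1, 20), (2, 21), (3, 22)]):
        eph = 50000 + i                             # ephemeral source port of the query
        pkts.append((q_time, "out", client, eph, resolver, 53))
        pkts.append((a_time, "in", resolver, 53, client, eph))
    return run_firewall(pkts)
```

Running late_dns_scenario() shows the prompt reply accepted and the three delayed replies counted as unsolicited packets until 8.8.8.8 is blocked; any further late reply would refresh the 20-minute expiry, which matches the resetting timer described in the question.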

  • edited October 2021

    Makes sense. But they should expire from the blocked sites list once packets were no longer being received, which leads me to believe there's an issue with the Fireware OS. In any event, I'll keep an eye on it and see if it happens again. Thanks
