Excessive DNS TXT traffic

Hey guys, I have noticed some really weird DNS TXT queries coming off my network. Has anyone seen this before? To me it looks almost like some kind of exfiltration attack; I would be glad if someone could explain this behaviour to me.

All those requests are for domains *.sophosxl.net, suggesting they may have been issued by Sophos antivirus/security software on your VJ-DESKTOP.lan.
If they are, those may be RFC 5782 requests for DNS black- and whitelists.
This is just a guess, though.

For a definite statement, it may be a good idea to enquire with Sophos support for details.

The source appears to be Sophos software running on that client.

I have similar traffic from 3 Macs in my network which have Sophos Home installed. It is required. In order to be safe, I put these domains on the whitelist, all required by Sophos software:

* .sophosupd.com
* .sophosupd.net
* .sophosxl.net
* .sophos.com

The screenshot shown in the first post here does not indicate that these queries were blocked. They just don't exist.
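For anyone who wants to triage a burst of TXT queries like this before deciding whether it is vendor traffic or something to investigate, here is an added example script (not from any poster in this thread and not Sophos or Pi-hole code). It parses query-log lines in the dnsmasq style Pi-hole writes (`query[TXT] name from client`), counts TXT queries per client and base domain, flags pairs above a threshold, and marks whether the domain falls under the allow-list suggested above. The log lines, the subdomain labels and the `example-unknown.test` domain are constructed for the example; the real Sophos query format is not shown here.

```python
import re
from collections import Counter

# Constructed sample lines in dnsmasq/Pi-hole query-log style; the labels under
# sophosxl.net and the example-unknown.test domain are made up for this example.
SAMPLE_LOG = """\
Jan 10 12:00:01 dnsmasq[1234]: query[TXT] sample1.sophosxl.net from 192.168.1.20
Jan 10 12:00:01 dnsmasq[1234]: query[TXT] sample2.sophosxl.net from 192.168.1.20
Jan 10 12:00:02 dnsmasq[1234]: query[TXT] sample3.sophosxl.net from 192.168.1.20
Jan 10 12:00:02 dnsmasq[1234]: query[TXT] sample4.sophosxl.net from 192.168.1.20
Jan 10 12:00:03 dnsmasq[1234]: query[A] www.sophos.com from 192.168.1.20
Jan 10 12:00:04 dnsmasq[1234]: query[TXT] a1b2c3.example-unknown.test from 192.168.1.30
Jan 10 12:00:04 dnsmasq[1234]: query[TXT] d4e5f6.example-unknown.test from 192.168.1.30
Jan 10 12:00:05 dnsmasq[1234]: query[TXT] 0a1b2c.example-unknown.test from 192.168.1.30
Jan 10 12:00:05 dnsmasq[1234]: query[TXT] 3d4e5f.example-unknown.test from 192.168.1.30
Jan 10 12:00:06 dnsmasq[1234]: query[TXT] _dmarc.example.org from 192.168.1.40
"""

# The domains listed in the thread as required by Sophos software.
ALLOWED_SUFFIXES = ("sophosupd.com", "sophosupd.net", "sophosxl.net", "sophos.com")

QUERY_RE = re.compile(r"query\[(?P<qtype>[A-Z]+)\]\s+(?P<name>\S+)\s+from\s+(?P<client>\S+)")


def base_domain(name):
    """Return the last two labels of a name (a simple stand-in for the registrable domain)."""
    labels = name.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def is_allowed(name):
    """True if the name is an allow-listed vendor domain or a subdomain of one."""
    n = name.rstrip(".").lower()
    return any(n == s or n.endswith("." + s) for s in ALLOWED_SUFFIXES)


def parse_queries(log_text):
    """Yield (qtype, name, client) for each query line; other log lines are ignored."""
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            yield m.group("qtype"), m.group("name"), m.group("client")


def txt_counts(log_text):
    """Count TXT queries per (client, base domain); other record types are skipped."""
    counts = Counter()
    for qtype, name, client in parse_queries(log_text):
        if qtype == "TXT":
            counts[(client, base_domain(name))] += 1
    return counts


def flag_excessive_txt(log_text, threshold):
    """Return [(client, domain, count, allowed)] for pairs at or above threshold,
    most frequent first. 'allowed' tells the analyst whether the domain matches
    the vendor allow-list, so known software traffic can be separated from the rest."""
    rows = []
    for (client, domain), count in txt_counts(log_text).items():
        if count >= threshold:
            rows.append((client, domain, count, is_allowed(domain)))
    rows.sort(key=lambda r: (-r[2], r[0]))
    return rows


if __name__ == "__main__":
    for client, domain, count, allowed in flag_excessive_txt(SAMPLE_LOG, threshold=3):
        tag = "known vendor domain" if allowed else "not allow-listed: investigate"
        print(f"{client:15} {domain:25} {count:4d} TXT  {tag}")
```

The threshold is per log window, so run it over a bounded slice of the log (for example one hour) rather than the whole file; an allow-listed hit tells you the volume is explained by installed software, while an unlisted domain receiving many TXT queries with varying labels is the case worth looking at more closely.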

