


BloxOne Endpoint - DNS Resolution Issue

New Member

First off, I hope I'm posting this in the correct channel. 

I'm hoping someone can give me a little clarity on the importance of amiawesome.ibrc. 
While inspecting suspicious traffic, I came across DNS queries from our endpoints to this domain: amiawesome.ibrc.
I now understand that this domain is used in the Corefile.4 & Corefile.6 config files. I also see the following behavior:


When off corporate network - nslookup resolves amiawesome.ibrc to 127.0.0.1

When on corporate network - nslookup fails to resolve the domain. 


I'm guessing this is used in determining if the endpoint is on/off the corp network. Please correct me to the actual usage if I'm incorrect.


Now the issue: Users who have AT&T as their home internet provider will be forced to use AT&T's DNS helper called DNS Error Assist. So running an nslookup for amiawesome.ibrc at home will query the user's AT&T DNS; AT&T will not be able to resolve it, and will then point it to their "DNS Error Assist" IP.

So in this case, when the AT&T user is at home, amiawesome.ibrc doesn't resolve to 127.0.0.1 but rather 143.244.220.150 (the dns error landing page in this case).


Is this domain resolution creating a problem for the endpoint agents to know when they are on/off corp network, or is it creating some other issue? 

Re: BloxOne Endpoint - DNS Resolution Issue

Authority

This is likely a case for support. amiawesome.ibrc is used, I believe, as a test to see if the Endpoint agent is functional. If it is you get the IP back, if it isn't, you get a NXDOMAIN.


This is not the same as "corporate network detection", i.e. bypass mode, which uses something else as per the docs:

https://docs.infoblox.com/space/BloxOneThreatDefense/35404862/BloxOne+Endpoint+Protected+Bypass+Mode

I'm not an AT&T user, so I'm guessing the "Error Assist" is a feature where AT&T redirects any unknown domain to a splash page.


The main way to see if the AT&T feature is causing issues is for the BloxOne Threat Defense admin to check the status of the endpoint when the user is at home and see if DNS traffic is still being seen by B1 Endpoint.
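A small check an admin could run on an affected endpoint to tell the three outcomes discussed in this thread apart. This is an added example, not code from Infoblox or from either poster. It assumes, as the reply above states, that the probe name answers 127.0.0.1 when the Endpoint agent handles the query and NXDOMAIN otherwise, and it adds a standard ISP NXDOMAIN-rewriting test that is not described on the page: resolve a random label that cannot exist, and if that also comes back with an address, the resolver is rewriting NXDOMAIN (the "DNS Error Assist" behaviour), so the probe answer cannot be trusted. The stdlib resolver used here cannot distinguish NXDOMAIN from SERVFAIL; both surface as "no answer".

```python
import random
import socket
import string

PROBE_NAME = "amiawesome.ibrc"   # probe name seen in the thread
EXPECTED_ADDR = "127.0.0.1"      # answer reported when the Endpoint agent handles the query


def resolve_a(name):
    """Return one A record for `name`, or None when the lookup fails.

    socket.gethostbyname raises gaierror for NXDOMAIN and SERVFAIL alike,
    so None means 'no usable answer', not strictly NXDOMAIN.
    """
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def random_nonexistent_name(tld="com"):
    """A 24-character random label under `tld`; assumed never to exist."""
    label = "".join(random.choices(string.ascii_lowercase + string.digits, k=24))
    return f"{label}.{tld}"


def classify_probe(probe_answer, canary_answer):
    """Classify an endpoint from two answers.

    probe_answer:  A record (or None) for PROBE_NAME.
    canary_answer: A record (or None) for a random name that cannot exist.
    """
    if probe_answer == EXPECTED_ADDR:
        # The agent answered the probe itself; the upstream resolver is irrelevant.
        return "agent-active"
    if canary_answer is not None:
        # A name that cannot exist still resolved: the upstream resolver rewrites
        # NXDOMAIN to a landing page (ISP "error assist"). Any non-127.0.0.1
        # probe answer is therefore the rewrite, not a real record.
        return f"nxdomain-rewritten:{canary_answer}"
    if probe_answer is None:
        # Clean NXDOMAIN/SERVFAIL: agent not handling the probe, no rewriting.
        return "probe-nxdomain"
    # Something answered the probe with an address we do not expect.
    return f"unexpected:{probe_answer}"


def check(resolver=resolve_a):
    """Run the probe and the canary through `resolver` and classify the result.

    `resolver` is injectable so the logic can be exercised offline with
    constructed answers; the default performs real lookups.
    """
    return classify_probe(resolver(PROBE_NAME), resolver(random_nonexistent_name()))


if __name__ == "__main__":
    print(check())
```

Run it on the endpoint with the agent installed, once on the corporate network and once at home on the AT&T connection; an `nxdomain-rewritten:143.244.220.150`-style result at home confirms the ISP is answering the probe in place of the agent, which is the case the reply suggests raising with support.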
