Join the Conversation

To sign in, use your existing MySonicWall account. To create a free MySonicWall account click "Register".

What are these hostnames in my network - *.griddnsd.global.sonicwall.com

BHOBHO Newbie ✭
edited July 15 in Email Security Software

I have seen the following in the network -

2.1a548b1cb6555409.griddnsd.global.sonicwall.com

2.898516ff1d0aaccd.griddnsd.global.sonicwall.com

2.6eaffc37960c522f.griddnsd.global.sonicwall.com


We do not have Sonicwall in our network. We do not use Sonicwall technology. Does anyone know what this is supposed to be?

Category: Email Security Software
Reply

Answers

  • SaravananSaravanan Moderator

    Hi @BHO,

    Thank you for visiting SonicWall Community.

    Where do you see these domains used in the network? I meant on any appliance?

    Regards

    Saravanan V

    Technical Support Advisor - Premier Services

    Professional Services

  • shiprasahu93shiprasahu93 Moderator

    Hello @BHO,

    These domains are related to the GRID network used by our email security devices for IP reputation checks.

    It would help if you can let us where you see these domains.

    Thanks!

    Shipra Sahu

    Technical Support Advisor, Premier Services

  • BHOBHO Newbie ✭

    I am seeing this on internal IPs (non-routable). It was seen on a Cisco ASA Firewall. These IPs are not seen externally so why would an email security device need continual access to it for an IP reputational check. It looks malicious.

  • SaravananSaravanan Moderator

    Hi @BHO,

    Are you using any SonicWall Email Security physical appliance or Hosted appliance along with Cisco ASA firewall on your network? The usage of these domains will have effect only when any of the SonicWall appliances are present in the network as the appliances can try to load the latest definition from these domains.

    Do you see these domains configured anywhere on the Cisco ASA firewall or on the logs section on the ASA firewall? Please let me know.

    Regards

    Saravanan V

    Technical Support Advisor - Premier Services

    Professional Services

  • BHOBHO Newbie ✭

    We do not have SonicWall in our network at all. The Cisco ASA Firewall does not have the hostnames in the logs. The domains are not configured in the Cisco ASA Firewall.

    If you use passive DNS, then you will see these instances. Go to Spyse for an example -

    https://spyse.com/target/domain/2.6eaffc37960c522f.griddnsd.global.sonicwall.com.

    https://spyse.com/target/domain/2.898516ff1d0aaccd.griddnsd.global.sonicwall.com

    2.1a548b1cb6555409.griddnsd.global.sonicwall.com was on my network on July 6th but not yesterday. It was resolving to this IP on July 7th 56.50.172.4 for the USPS. Most likely I will see it again.

    The hostnames do not seem benign to me. I believe that it is doing DNS Tunneling and data exfiltration. Unless someone can give me a good explanation, that is what I am going with.

    Is there anyway for SonicWall to take them down and to do an investigation into this rogue behavior?

  • BHOBHO Newbie ✭

    I confirmed again that we don't have SonicWall in our network. I have seen reports on Twitter and elsewhere of similar hostnames in networks and nobody understands why.

  • MasterRoshiMasterRoshi Moderator

    There may be another vendor or solution that is querying these domains. Can you track it down by enabling debugging on your internal DNS server or looking at the source IP of the requests if you don't have an internal DNS?

  • BHOBHO Newbie ✭

    I have checked. We do not have any vendors or a solution that is querying these domains. It was found in recursive DNS. I think we have a rogue connection to our network every so often exfiltrating data. It seems to be the only explanation.

  • BHOBHO Newbie ✭

    Is there anyway for SonicWall to take them down and to do an investigation into this rogue behavior? I assume SonicWall could take them down as they own the subdomain. I reported it to SonicWall but never heard back. It does not help that I am not a customer but this is very worrisome behavior. There is no explanation for this type of activity on our network.

  • MicahMicah admin

    Hey @BHO,

    I'm working to get an answer for you. As this is an email security domain I'm moving to the Email Security category to gain more visibility.

    Kind Regards,

    🖐️ Sr. Manager, Web and Digital, SonicWall. Say "hi" by tagging me at @micah.

  • David WDavid W SonicWall Employee

    @BHO Please check the client where you are seeing this and see if the Sonicwall antispam desktop client is installed or Zone Alarm from Checkpoint. That is most likely why you are seeing this.

    David Wilbur

     Technical Support Senior Advisor, Premier Services , SME Email Security

  • BHOBHO Newbie ✭

    We don't use or have installed anywhere on the network SonicWall Antispam desktop client or Zone Alarm from Checkpoint.

    Perhaps someone is spoofing SonicWall on the internet? Have you looked into the subdomains? Something is not right.

    For instance, take a look at 2.1a548b1cb6555409.griddnsd.global.sonicwall.com? Why was it hitting our private IP? Sometimes it is connecting to 56.50.172.4. That IP is for the USPS (United State Postal Service). Right now, that host is connected to the USPS IP. So sometimes it is there and sometimes the host is connected to where I work.

    I don't think this Grid network that is supposed to be for email security should behave like this. It shouldn't connect to things that are not email related.

    Since the subdomain is owned by SonicWall, isn't there a way for SonicWall to investigate what it is up to?

  • David WDavid W SonicWall Employee

    @BHO We do not reach out to clients using DNS.

    These would be responses to DNS requests coming to our servers.

    I would suggest a packet capture on the client IP to see what service on the computer is making the request.

    Also your firewall should never allow a DNS request in that the request did not originate from inside.

    The 2 links you provided do not give us any details about what was being connected to internally.

    griddnsd.global.sonicwall.com is used for DNS requests only nothing else and is only responding to requests being made to it.

    Is there any way you can get a packet capture on the machine in question?

    David Wilbur

     Technical Support Senior Advisor, Premier Services , SME Email Security

Sign In or Register to comment.