Open Bug 1345547 Opened 4 years ago Updated 2 years ago
Firefox homepage communicates with URLs that are blocked by Cisco Firepower as DNS Malware
User Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Build ID: 20170302120751

Steps to reproduce:

When Firefox is behind a firewall protected by Cisco Firepower, certain resources may be falsely categorized during Firefox startup. As shown in the description and attached CSV, connections to Cloudfront and Mozilla are categorized as DNS malware. Mozilla and Cisco Talos should discuss methods of preventing this behavior. As a workaround, Firepower administrators can manually add the Cloudfront subdomain to the DNS policy whitelist. However, this change will be temporary as Cloudfront subdomains may change.

This was identified with Firefox 52. The home page is the default Mozilla start page.

Actual results:

2017-03-08 12:09:28 Domain Not Found DNS Block 10.X.X.68 172.X.X.44 DNS Malware 58932 / udp 53 (domain) / udp d6wjo2hisqfy2.cloudfront.net
2017-03-08 12:09:28 Domain Not Found DNS Block 10.X.X.68 172.X.X.44 DNS Malware 60760 / udp 53 (domain) / udp normandy-cloudfront.cdn.mozilla.net
2017-03-08 12:09:28 Domain Not Found DNS Block 172.X.X.44 208.X.X.222 DNS Malware 65447 / udp 53 (domain) / udp normandy-cloudfront.cdn.mozilla.net
2017-03-08 12:09:28 Domain Not Found DNS Block 172.X.X.44 208.X.X.222 DNS Malware 64667 / udp 53 (domain) / udp d6wjo2hisqfy2.cloudfront.net

Expected results:

These connections should not be classified as malware.
wrong person for needinfo
Flags: needinfo?(dthorn) → needinfo?(techitw.wp)
I see a needinfo flag. This is my first time reporting a bug here. What else can I provide?
Dan, have custom rules been added to Cisco Firepower? Do all requests to cloudfront, e.g. by websites, get blocked?
(In reply to Sebastian Hengst [:aryx][:archaeopteryx] (needinfo on intermittent or backout) from comment #3)
> Dan, have custom rules been added to Cisco Firepower?
> Do all requests to cloudfront, e.g. by websites, get blocked?

Sebastian, there are no custom rules in this testing environment (monitor-only). I have seen this occur in my other live deployments, but I haven't been able to pinpoint the connections until now.

In a Firepower DNS policy, there are Cisco-provided categories. Some that I've had issues with include DNS Malware, DNS CNC (Command and Control), and DNS DGA (Domain Generation Algorithm). Firepower uses several criteria to determine the reputation of a domain. These could include factors such as domain age, since new domains are considered risky; or domain/subdomain name, as long or seemingly random names are typical of DGA and malware distributors.

Not all Cloudfront connections are blocked. For example, this site (d2pj9rkatqbt38.cloudfront.net, redirects to truste.com) is allowed. I do not know any information about this particular domain and why it's allowed but the connection in the bug description is not.

Let me know if there is more information that I can provide.
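To make the reputation heuristic described in the comment above concrete, here is a small added illustration (written for this page, not code from the bug, from Mozilla or from Cisco): it parses the four DNS Block events quoted in the bug description and scores the leftmost label of each blocked domain by length, Shannon entropy and vowel ratio, the kind of "long or seemingly random name" signal a DGA classifier weighs. The regex for the event layout, the feature choice and the thresholds are all assumptions for the example; Firepower's real scoring is not public on this page.

```python
import math
import re
from collections import Counter

# The four DNS Block events quoted in the bug description (IPs masked by the reporter).
FIREPOWER_EVENTS = """\
2017-03-08 12:09:28 Domain Not Found DNS Block 10.X.X.68 172.X.X.44 DNS Malware 58932 / udp 53 (domain) / udp d6wjo2hisqfy2.cloudfront.net
2017-03-08 12:09:28 Domain Not Found DNS Block 10.X.X.68 172.X.X.44 DNS Malware 60760 / udp 53 (domain) / udp normandy-cloudfront.cdn.mozilla.net
2017-03-08 12:09:28 Domain Not Found DNS Block 172.X.X.44 208.X.X.222 DNS Malware 65447 / udp 53 (domain) / udp normandy-cloudfront.cdn.mozilla.net
2017-03-08 12:09:28 Domain Not Found DNS Block 172.X.X.44 208.X.X.222 DNS Malware 64667 / udp 53 (domain) / udp d6wjo2hisqfy2.cloudfront.net
"""

# Assumed layout of one whitespace-separated event line, matching the lines above.
EVENT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<reason>.+?) DNS Block "
    r"(?P<src>\S+) (?P<dst>\S+) "
    r"(?P<category>DNS \w+) "
    r"(?P<sport>\d+) / (?P<proto>\w+) (?P<dport>\d+) \(\w+\) / \w+ "
    r"(?P<domain>\S+)$"
)


def parse_events(text):
    """Parse block events into dicts; lines that do not match the layout are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def shannon_entropy(label):
    """Bits per character of the label: a crude 'how random does this look' score."""
    if not label:
        return 0.0
    counts = Counter(label)
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def label_features(domain):
    """Features of the leftmost label that DGA-style heuristics typically weigh."""
    label = domain.split(".")[0]
    digits = sum(ch.isdigit() for ch in label)
    vowels = sum(ch in "aeiou" for ch in label)
    return {
        "label": label,
        "length": len(label),
        "entropy": round(shannon_entropy(label), 3),
        "digit_ratio": round(digits / len(label), 3),
        "vowel_ratio": round(vowels / len(label), 3),
    }


def looks_random(domain, min_entropy=3.0, max_vowel_ratio=0.2):
    """Illustrative rule (thresholds are assumptions, not Firepower's):
    high entropy together with few vowels marks the label as random-looking."""
    f = label_features(domain)
    return f["entropy"] >= min_entropy and f["vowel_ratio"] <= max_vowel_ratio


def blocked_domains(text):
    """Unique blocked domains with their category, hit count and randomness verdict."""
    summary = {}
    for ev in parse_events(text):
        d = ev["domain"]
        entry = summary.setdefault(
            d, {"category": ev["category"], "hits": 0, "random_looking": looks_random(d)}
        )
        entry["hits"] += 1
    return summary


if __name__ == "__main__":
    for domain, info in blocked_domains(FIREPOWER_EVENTS).items():
        print(domain, info, label_features(domain))
```

Running it shows the point the comment makes: the generated Cloudfront label (d6wjo2hisqfy2) has entropy around 3.55 bits per character and few vowels, so it trips the random-looking rule, while normandy-cloudfront has similar entropy but a normal vowel ratio and does not. Entropy alone would flag both, which is why a single feature makes a poor reputation signal and why a CDN hostname can end up in a DNS Malware category.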
Patrick, could you give your opinion or your help about this issue, please?
This is not a core issue. A middlebox is preventing you from using the Internet - I would take it up with the middlebox or get a new one.
Component: Networking: HTTP → Desktop
Product: Core → Tech Evangelism
Version: 52 Branch → unspecified
(In reply to Patrick McManus [:mcmanus] from comment #6)
> this is not a core issue. A middlebox is preventing you from using the
> Internet - I would take it up with the middlebox or get a new one.

Patrick, let me clarify the issue. These DNS requests are not required for a Firefox user to access the internet. This may be some form of Firefox automatic connection. Perhaps something from this list?
https://support.mozilla.org/t5/Protect-your-privacy/How-to-stop-Firefox-from-making-automatic-connections/ta-p/1748

I do not know what content utilizes the links in this bug, but I think it would be beneficial for Mozilla to establish a reliable way to communicate with these servers. Firepower is the intrusion prevention platform owned by Cisco, the world's largest networking vendor (per Wikipedia, anyway).
Perhaps this has some relation to MDN/BrowserCompat? https://wiki.mozilla.org/MDN/Development/CompatibilityTables/Infrastructure
Product: Tech Evangelism → Web Compatibility