Open Bug 1345547 Opened 4 years ago Updated 2 years ago

Firefox homepage communicates with URLs that are blocked by Cisco Firepower as DNS Malware

Categories

(Web Compatibility :: Desktop, defect, P5)


Tracking

(Not tracked)

UNCONFIRMED

People

(Reporter: techitw.wp, Unassigned)

Details

(Keywords: webcompat:needs-contact, Whiteboard: [needscontact])

Attachments

(1 file)

588 bytes, application/vnd.ms-excel
Attached file Firefox DNS Blocks.csv
User Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Build ID: 20170302120751

Steps to reproduce:

When Firefox is behind a firewall protected by Cisco Firepower, certain resources may be falsely categorized during Firefox startup. As shown in the description and attached CSV, connections to Cloudfront and Mozilla are categorized as DNS malware. Mozilla and Cisco Talos should discuss methods of preventing this behavior. As a workaround, Firepower administrators can manually add the Cloudfront subdomain to the DNS policy whitelist. However, this change will be temporary as Cloudfront subdomains may change. This was identified with Firefox 52. The home page is the default Mozilla start page. 


Actual results:

2017-03-08 12:09:28	Domain Not Found	DNS Block	10.X.X.68	172.X.X.44	DNS Malware	58932 / udp	53 (domain) / udp	d6wjo2hisqfy2.cloudfront.net
2017-03-08 12:09:28	Domain Not Found	DNS Block	10.X.X.68	172.X.X.44	DNS Malware	60760 / udp	53 (domain) / udp	normandy-cloudfront.cdn.mozilla.net
2017-03-08 12:09:28	Domain Not Found	DNS Block	172.X.X.44	208.X.X.222	DNS Malware	65447 / udp	53 (domain) / udp	normandy-cloudfront.cdn.mozilla.net
2017-03-08 12:09:28	Domain Not Found	DNS Block	172.X.X.44	208.X.X.222	DNS Malware	64667 / udp	53 (domain) / udp	d6wjo2hisqfy2.cloudfront.net




Expected results:

These connections should not be classified as malware.
Wrong person for needinfo.
Flags: needinfo?(dthorn) → needinfo?(techitw.wp)
I see a needinfo flag. This is my first time reporting a bug here. What else can I provide?
Flags: needinfo?(techitw.wp)
Dan, have custom rules been added to Cisco Firepower?
Do all requests to cloudfront, e.g. by websites, get blocked?
(In reply to Sebastian Hengst [:aryx][:archaeopteryx] (needinfo on intermittent or backout) from comment #3)
> Dan, have custom rules been added to Cisco Firepower?
> Do all requests to cloudfront, e.g. by websites, get blocked?

Sebastian, there are no custom rules in this testing environment (monitor-only). I have seen this occur in my other live deployments, but I haven't been able to pinpoint the connections until now.

In a Firepower DNS policy, there are Cisco-provided categories. Some that I've had issues with include DNS Malware, DNS CNC (Command and Control), and DNS DGA (Domain Generation Algorithm). Firepower uses several criteria to determine the reputation of a domain. These could include factors such as domain age, since new domains are considered risky; or domain/subdomain name, as long or seemingly random names are typical of DGA and malware distributors. 

Not all Cloudfront connections are blocked. For example, this site (d2pj9rkatqbt38.cloudfront.net, redirects to truste.com) is allowed. I do not know any information about this particular domain and why it's allowed, but the connection in the bug description is not.

Let me know if there is more information that I can provide.
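The two points made so far, the reputation criteria a DNS policy applies (long or random-looking labels) and the fragility of whitelisting a single CloudFront hostname, can be checked mechanically against the block events pasted in this bug. The script below is an added example and is not code from Mozilla, Cisco or the reporter: it parses tab-separated "DNS Block" lines in the field order read off the events above (an assumption; Firepower exports are configurable), scores the leftmost DNS label for length and character entropy as a crude stand-in for the "seemingly random name" criterion, and checks each blocked domain against a hypothetical allowlist of vendor-controlled parent zones so that an administrator can see which blocks can be allowlisted stably and which need a closer look. The thresholds and the `TRUSTED_PARENTS` list are assumptions; the sample events are constructed from the ones in the description.

```python
import math
from collections import Counter

# Field order as read off the events pasted in this bug (an assumption;
# Firepower exports can be configured with other columns).
FIELDS = ("time", "reason", "action", "src_ip", "dst_ip", "category",
          "src_port", "dst_port", "domain")

# Constructed sample input: the four events from the bug description.
SAMPLE_EVENTS = "\n".join([
    "2017-03-08 12:09:28\tDomain Not Found\tDNS Block\t10.X.X.68\t172.X.X.44"
    "\tDNS Malware\t58932 / udp\t53 (domain) / udp\td6wjo2hisqfy2.cloudfront.net",
    "2017-03-08 12:09:28\tDomain Not Found\tDNS Block\t10.X.X.68\t172.X.X.44"
    "\tDNS Malware\t60760 / udp\t53 (domain) / udp\tnormandy-cloudfront.cdn.mozilla.net",
    "2017-03-08 12:09:28\tDomain Not Found\tDNS Block\t172.X.X.44\t208.X.X.222"
    "\tDNS Malware\t65447 / udp\t53 (domain) / udp\tnormandy-cloudfront.cdn.mozilla.net",
    "2017-03-08 12:09:28\tDomain Not Found\tDNS Block\t172.X.X.44\t208.X.X.222"
    "\tDNS Malware\t64667 / udp\t53 (domain) / udp\td6wjo2hisqfy2.cloudfront.net",
])

# Hypothetical allowlist of parent zones the administrator trusts outright.
# Allowlisting by a vendor-controlled zone survives hostname changes, which
# the per-hostname workaround in the bug does not; the shared cloudfront.net
# zone is deliberately absent because it also hosts every other CDN tenant.
TRUSTED_PARENTS = ("cdn.mozilla.net",)


def parse_events(text):
    """Turn tab-separated Firepower event lines into dicts keyed by FIELDS."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("\t")
        if len(parts) != len(FIELDS):
            raise ValueError("unexpected field count: %r" % line)
        events.append(dict(zip(FIELDS, parts)))
    return events


def label_entropy(label):
    """Shannon entropy of a DNS label in bits per character."""
    n = len(label)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())


def looks_random(label, min_len=10, min_entropy=3.0):
    """Crude version of the 'long or seemingly random label' criterion.
    Thresholds are assumptions tuned for this sample, not Firepower's."""
    return len(label) >= min_len and label_entropy(label) >= min_entropy


def under_trusted_parent(domain, parents=TRUSTED_PARENTS):
    """True if domain equals or is a subdomain of an allowlisted zone."""
    return any(domain == p or domain.endswith("." + p) for p in parents)


def triage(events):
    """Group blocks by domain and attach a verdict for the administrator."""
    report = {}
    for ev in events:
        domain = ev["domain"].lower().rstrip(".")
        if domain in report:
            report[domain]["hits"] += 1
            continue
        leftmost = domain.split(".")[0]
        if under_trusted_parent(domain):
            verdict = "allowlist-by-parent-zone"
        elif looks_random(leftmost):
            verdict = "review-random-label"
        else:
            verdict = "review"
        report[domain] = {
            "hits": 1,
            "category": ev["category"],
            "entropy": round(label_entropy(leftmost), 2),
            "verdict": verdict,
        }
    return report


if __name__ == "__main__":
    for domain, info in triage(parse_events(SAMPLE_EVENTS)).items():
        print(f"{domain:40} hits={info['hits']} entropy={info['entropy']} "
              f"category={info['category']!r} verdict={info['verdict']}")
```

On the sample, the Mozilla-owned name comes back as allowlistable by its parent zone, while the CloudFront name (a 13-character label with roughly 3.5 bits of entropy per character) is flagged for review: that is the same shape of decision the policy engine is making, which is why a randomly generated CDN hostname and a DGA domain are hard to tell apart from the name alone.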
Component: Untriaged → Networking: HTTP
Product: Firefox → Core
Patrick, could you give your opinion or your help about this issue, please?
Flags: needinfo?(mcmanus)
This is not a core issue. A middlebox is preventing you from using the Internet - I would take it up with the middlebox or get a new one.
Component: Networking: HTTP → Desktop
Flags: needinfo?(mcmanus)
Product: Core → Tech Evangelism
Version: 52 Branch → unspecified
(In reply to Patrick McManus [:mcmanus] from comment #6)
> this is not a core issue. A middlebox is preventing you from using the
> Internet - I would take it up with the middlebox or get a new one.

Patrick, let me clarify the issue. These DNS requests are not required for a Firefox user to access the internet. This may be some form of Firefox automatic connection. Perhaps something from this list? https://support.mozilla.org/t5/Protect-your-privacy/How-to-stop-Firefox-from-making-automatic-connections/ta-p/1748

I do not know what content utilizes the links in this bug, but I think it would be beneficial for Mozilla to establish a reliable way to communicate with these servers. Firepower is the intrusion prevention platform owned by Cisco, the world's largest networking vendor (per Wikipedia, anyway).
Perhaps this has some relation to MDN/BrowserCompat? https://wiki.mozilla.org/MDN/Development/CompatibilityTables/Infrastructure
Priority: -- → P5
Whiteboard: [needscontact]
Product: Tech Evangelism → Web Compatibility

See bug 1547409. Moving webcompat whiteboard tags to keywords.
