
Timing DNS requests to avqs.mcafee.com

I work for a military branch maintaining all the public DNS servers world-wide.   All our recursive servers world-wide get hit with massive DNS spikes all at the same moment all over the world.  A typical server can go from 900 queries per second to 30,000 in these spikes.   All the requests are in the form of:

0.19-20000000.800.177a.1022.2fc9.214.0.13gq18rhc9a1ev6klm95ffmqtv.avqs.mcafee.com   

etc.

From what I understand, this has to do with the web gateway product and file reputation query. Apparently this is set somewhere in Universal (Zulu) time as it hits servers all over the planet at the same moment. I don't have access to Active Directory domain controllers, so can someone tell me how this is configured and how it can possibly be configured to use local time rather than Universal time and possibly be set individually by controller? These large spikes trigger DDoS protections and are causing problems in our network.

Thank you.

4 Replies

Reliable Contributor
Message 2 of 5

Re: Timing DNS requests to avqs.mcafee.com


as it hits servers all over the planet at the same moment. 

It doesn't look to me as if these DNS requests are coming from the MWG, but rather from ePO or another reporting solution or script that checks web/file reputation in batches. Can you correlate these spikes with times when reports are running?


Re: Timing DNS requests to avqs.mcafee.com

They appear to be coming from the Global Threat Intelligence.   I see there is a proxy server that can be set up so the clients don't go to the DNS server directly, but there is no indication whether the proxy server condenses the queries and stores the answer to prevent further queries, or whether it just relays the same repeated requests.   Does anyone know? 
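One way to check both questions raised so far against a resolver's query log (an added example, not part of the original thread or any McAfee tooling): it buckets avqs.mcafee.com queries per second to find spike times and their top clients, and measures how many query names repeat, which bounds what a caching forwarder could absorb. The log format, the sample lines and the `spike_qps` threshold are assumptions constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: assumed "<UTC timestamp> <client IP> <query name>" lines.
# Names and addresses are placeholders, not real reputation queries.
SAMPLE_LOG = """\
2021-03-01T00:59:59Z 192.0.2.10 www.example.com
2021-03-01T00:59:59Z 192.0.2.10 sample-a.avqs.mcafee.com
2021-03-01T01:00:00Z 192.0.2.10 sample-b.avqs.mcafee.com
2021-03-01T01:00:00Z 192.0.2.10 sample-c.avqs.mcafee.com
2021-03-01T01:00:00Z 192.0.2.11 sample-b.avqs.mcafee.com
2021-03-01T01:00:00Z 192.0.2.10 sample-d.avqs.mcafee.com
2021-03-01T01:00:01Z 192.0.2.12 sample-a.avqs.mcafee.com
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def analyze(log_text, suffix=".avqs.mcafee.com", spike_qps=3):
    """Bucket matching queries per second and measure name repetition."""
    per_second = Counter()            # timestamp -> query count
    clients = defaultdict(Counter)    # timestamp -> client IP -> count
    names = Counter()                 # query name -> count
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                  # skip blank or malformed lines
        ts, client, qname = m.groups()
        qname = qname.lower().rstrip(".")
        if not qname.endswith(suffix):
            continue
        per_second[ts] += 1
        clients[ts][client] += 1
        names[qname] += 1
    total = sum(names.values())
    spikes = {
        ts: {"qps": n, "top_clients": clients[ts].most_common(3)}
        for ts, n in sorted(per_second.items()) if n >= spike_qps
    }
    # Share of queries whose name had already been asked: an upper bound on
    # what a caching forwarder could answer locally (ignores TTL expiry).
    repeat_ratio = 1 - len(names) / total if total else 0.0
    return {"total": total, "unique_names": len(names),
            "repeat_ratio": repeat_ratio, "spikes": spikes}


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

A repeat ratio near zero on real logs would mean almost every query name is distinct, so a cache in front of the resolvers would relay rather than condense the traffic.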

McAfee Employee
Message 4 of 5

Re: Timing DNS requests to avqs.mcafee.com

Hi,

Hope you are doing well.

Configuration -> Appliance -> Proxies -> DNS Settings

Minimum TTL for DNS Cache => 1 second

Maximum TTL for DNS Cache => 3600 seconds

If MWG does a DNS query and gets a DNS response with a TTL value in it, it will cache the DNS response for that time.

Also, the minimum and maximum TTL values are there by default in the MWG DNS configuration.

Regards
Alok Sarda
McAfee Employee
Message 5 of 5

Re: Timing DNS requests to avqs.mcafee.com

McAfee Web Gateway primarily uses tunnel.web.trustedsource.org for its GTI needs and it does so per client request, not in batches.

 

These requests belong to a different product vertical.

Check the link below, it might offer some pointers.

https://kc.mcafee.com/corporate/index?page=content&id=KB53782
