I have seen some notes regarding this. It seems that when you are using the default NTP server for the APs, they can pull these DNS names via CNAME records. These usually end up coming through via pool.ntp.org. Using your own NTP server or perhaps time.nist.gov, etc., these issues should stop.
If your NTP server is blank in your config, pop something else in there.
Original Message:
Sent: Aug 12, 2022 11:43 AM
From: Bhavik Chaudhari
Subject: AP 515 making random ".pw" domain queries
Hello Community,
I've got an issue where two 515 access points are making random ".pw" domain queries. These queries are flagged as possibly suspicious by our firewall.
We have AP 515s in other remote office locations, but this behavior is not observed on the other access points. I have checked on "https://www.virustotal.com/" and the URLs came out clean, but I just want to be doubly sure. Has anyone else here observed the same behavior?
Some of the DNS queries:
http://sa-north-1.clearnet.pw/
mci.clearnet.pw
lax.clearnet.pw
Thanks in advance for your time and valuable input.