Controllerless Networks

Hello Community,

I've got an issue where two 515 Access points are making random ".pw" domain queries. These queries are flagged possible suspicious by our Firewall.

We have got AP 515 in other remote office location but this behavior is not observed by other Access Points. I have checked on "https://www.virustotal.com/"  and URLs came out clean but I just want to be double sure. Did someone else here observed the same behavior?

Some of the DNS queries:

http://sa-north-1.clearnet.pw/
mci.clearnet.pw
lax.clearnet.pw

Thanks in advance for your time and valuable input.

If you have a guest network and the traffic is being natted out of that IAP (virtual controller assigned VLAN), the dns traffic could be coming from a guest on your guest network, but seem like it is coming from that access point.

------------------------------
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

HPE Design and Deploy Guides: https://community.arubanetworks.com/support/migrated-knowledge-base?attachments=&communitykey=dcc83c62-1a3a-4dd8-94dc-92968ea6fff1&pageindex=0&pagesize=12&search=&sort=most_recent&viewtype=card
------------------------------

Original Message:
Sent: Aug 12, 2022 11:43 AM
From: Bhavik Chaudhari
Subject: AP 515 making random ".pw" domain queries

Hello Community,

I've got an issue where two 515 Access points are making random ".pw" domain queries. These queries are flagged possible suspicious by our Firewall.

We have got AP 515 in other remote office location but this behavior is not observed by other Access Points. I have checked on "https://www.virustotal.com/"  and URLs came out clean but I just want to be double sure. Did someone else here observed the same behavior?

Some of the DNS queries:

http://sa-north-1.clearnet.pw/
mci.clearnet.pw
lax.clearnet.pw

Thanks in advance for your time and valuable input.

I have seen some notes regarding this. It seems that when you are using the default NTP server for the AP's, they can pull these DNS names via CNAME records.  These usually end up coming through via pool.ntp.org. Using your own NTP server or perhaps time.nist.gov, etc, these issues should stop.

If your NTP server is blank in your config, pop something else in there.
Original Message:
Sent: Aug 12, 2022 11:43 AM
From: Bhavik Chaudhari
Subject: AP 515 making random ".pw" domain queries

Hello Community,

I've got an issue where two 515 Access points are making random ".pw" domain queries. These queries are flagged possible suspicious by our Firewall.

We have got AP 515 in other remote office location but this behavior is not observed by other Access Points. I have checked on "https://www.virustotal.com/"  and URLs came out clean but I just want to be double sure. Did someone else here observed the same behavior?

Some of the DNS queries:

http://sa-north-1.clearnet.pw/
mci.clearnet.pw
lax.clearnet.pw

Thanks in advance for your time and valuable input.