
Clarification on FW box pinging/checking blocked domains
Hey all,
Real quick question for the u/firewalla team. I have some target lists specifically blocking certain domains, like IPs/domains in the Silent/Black RAT malware or threat domains (like sfrclak[.]com or gmzdaily[.]com etc). However, I've noticed in NextDNS (which logs all DNS traffic) that these domains are being called from my WAN IP (i.e. my FW box), yet if I check my FW Flow logs there are NO devices calling these domains, nothing shows. Nothing else has access to my NextDNS, only traffic through the FW (NextDNS set up over DoH on the LAN side, not as WAN DNS on the FW).
So my question is, does FW ping these domains periodically to check for their IP (and/or other info), and if so, what security risks does this pose when it comes to exposing a user's WAN IP address to these endpoints (for example, a malicious RAT endpoint could gain users' IP addresses for targeting)?
Just need some clarification on whether this is normal behaviour and if there are any security concerns.
(attached images of FW target list, NextDNS Logs, FW Flows)
Does this make sense?