Non-existent hostnames being shown in the Firewall Event Log

I’ve just noticed a nonexistent hostname being shown in the Firewall Event Log of a site I manage.

All requests are addressed to the vs1. subdomain, but this record never existed in the DNS settings.

First occurrence

• Ray ID: 4d72022c58ee9965
• Time: May 15, 2019 03:26:06 UTC
• Data Center: Los Angeles, United States (LAX)
• URI: /_verify_?id=xJoYLSVk&pid=jBawSBGbJJWPSbjZKvBpAfVbNHeZCAjVSWOUTmGscsesViQgTKLiJPozBQcymayeyzzoOLGrZfwoVgdplnYqCZZFWitjgGeIPbueHmfYlfGnfqJcIpaMSjeJUbDiVeBdUwBNCbqGQvEPDpZdADJwtCJNWDtfhYrZzzAUHgjGhrWcgEeZaJVv
• Type: Firewall Rule
• User Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; MALCJS; rv:11.0) like Gecko
• IP Address: 171.36.133.150
• Country: CN

IP addresses

• AS4134 - China Telecom Backbone
  • 1.85.147.152
  • 110.183.54.227
  • 119.86.99.42
  • 125.89.245.29
  • 218.19.220.70
• AS4538 - China Education and Research Network Center
  • 42.245.203.134
  • 42.245.203.139
  • 42.245.203.139
• AS4812 - China Telecom Group
  • 58.40.230.157
• AS4837 China Unicom Backbone
  • 122.96.47.186
  • 122.96.47.186
  • 123.138.98.176
  • 153.99.183.147
  • 171.36.133.150
  • `171.36.133.150
• AS9808 Guangdong Mobile Communication
  • 117.171.158.141
  • 117.183.228.78

UA strings

• Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; MALCJS; rv:11.0) like Gecko

How could this be logged? Shouldn’t non-existing hostnames respond as NXDOMAIN?

Registered IPs requesting vs1. subdomain are all from China and almost never repeated.

More samples from today:

• AS4134 - China Telecom Backbone
  • 1.85.49.28
• AS4837 - China Unicom Backbone
  • 116.136.20.209
• AS9808 - Guangdong Mobile Communication
  • 223.87.41.194
• AS38019 - Tianjin Mobile Communication
  • 117.136.55.130
• AS56040 - China Mobile Communications
  • 120.239.165.116
  • 223.74.230.128

I opened a support ticket on this strange behavior and will update the topic when I receive a reply.

Support team response

After reviewing this issue, the reason you were seeing non-existent hostnames is due to the logic of logging firewall events.

Currently, the “Host” field is obtained from the Host header of the blocked request directly.

So if I send the request as below:

curl -sv 'https://www.example.com/' -H "Host: vs1.example.com"

The request itself is valid and will resolve, but if the request is blocked for any reason, the modified “Host” field will appear in your logs.

Hope this clarifies the confusion.

---

– Qia, Technical Support Engineer

Sharing so others can benefit from the answer.

This topic was automatically closed after 30 days. New replies are no longer allowed.