Non-existent hostnames being shown in the Firewall Event Log

#1

I’ve just noticed a nonexistent hostname being shown in the Firewall Event Log of a site I manage.

All requests are addressed to the vs1. subdomain, but this record never existed in the DNS settings.
First occurrence

  • Ray ID: 4d72022c58ee9965
  • Time: May 15, 2019 03:26:06 UTC
  • Data Center: Los Angeles, United States (LAX)
  • URI: /_verify_?id=xJoYLSVk&pid=jBawSBGbJJWPSbjZKvBpAfVbNHeZCAjVSWOUTmGscsesViQgTKLiJPozBQcymayeyzzoOLGrZfwoVgdplnYqCZZFWitjgGeIPbueHmfYlfGnfqJcIpaMSjeJUbDiVeBdUwBNCbqGQvEPDpZdADJwtCJNWDtfhYrZzzAUHgjGhrWcgEeZaJVv
  • Type: Firewall Rule
  • User Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; MALCJS; rv:11.0) like Gecko
  • IP Address: 171.36.133.150
  • Country: CN

IP addresses
UA strings

  • Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; MALCJS; rv:11.0) like Gecko

How could this be logged? Shouldn’t non-existing hostnames respond as NXDOMAIN?

#2

Registered IPs requesting vs1. subdomain are all from China and almost never repeated.

More samples from today:

I opened a support ticket on this strange behavior and will update the topic when I receive a reply.

1 Like
#3

Support team response

After reviewing this issue, the reason you were seeing non-existent hostnames is the logic used to log firewall events.

Currently, the “Host” field is obtained from the Host header of the blocked request directly.

So if I send the request as below:

curl -sv 'https://www.example.com/' -H "Host: vs1.example.com"

The request itself is valid and will resolve, but if the request is blocked for any reason, the modified “Host” field will appear in your logs.

Hope this clarifies the confusion.


Qia, Technical Support Engineer


Sharing so others can benefit from the answer. 🙂

3 Likes
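An added example, not code from the thread or from the vendor: a defender-side Python check that does what the support reply implies you have to do yourself, namely treat the logged Host value as untrusted client input and compare it against the hostnames you actually publish. The `KNOWN_HOSTNAMES` set and the sample events are assumed and constructed for the example; it also normalises the forms a spoofed Host header commonly arrives in (mixed case, a `:port` suffix, a trailing dot) and flags values that are not a valid hostname at all.

```python
"""Flag firewall events whose logged Host header is not a hostname you publish.
Constructed example: the Host field is copied from the client's HTTP Host header,
so it proves nothing about DNS; compare it against your own hostname list."""
import re

# Hostnames that actually exist in the zone (assumed for this example).
KNOWN_HOSTNAMES = {"example.com", "www.example.com", "api.example.com"}
# One DNS label: letters, digits, hyphens, no leading/trailing hyphen, <= 63 chars.
_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def normalize_host(raw):
    """Lower-case, drop an optional :port and trailing dot; None if malformed."""
    host = raw.strip().lower()
    if re.search(r":\d+$", host):          # e.g. "vs1.example.com:443"
        host = host.rsplit(":", 1)[0]
    host = host.rstrip(".")                # "www.example.com." -> "www.example.com"
    if not host or not all(_LABEL.match(label) for label in host.split(".")):
        return None
    return host


def classify_event(event):
    """Return 'known', 'unknown-host' or 'malformed-host' for one event."""
    host = normalize_host(event.get("host", ""))
    if host is None:
        return "malformed-host"
    return "known" if host in KNOWN_HOSTNAMES else "unknown-host"


def find_spoofed_hosts(events):
    """Map (verdict, raw Host value) -> set of client IPs for events to review."""
    findings = {}
    for ev in events:
        verdict = classify_event(ev)
        if verdict != "known":
            findings.setdefault((verdict, ev["host"]), set()).add(ev["ip"])
    return findings


# Constructed sample events modelled on the fields shown in the thread.
SAMPLE_EVENTS = [
    {"host": "www.example.com", "ip": "198.51.100.7"},
    {"host": "vs1.example.com", "ip": "203.0.113.5"},
    {"host": "VS1.example.com:443", "ip": "203.0.113.9"},
    {"host": "www.example.com.", "ip": "198.51.100.8"},
    {"host": "bad host!", "ip": "203.0.113.12"},
]

if __name__ == "__main__":
    for key, ips in sorted(find_spoofed_hosts(SAMPLE_EVENTS).items()):
        print(key, sorted(ips))
```

Run against an export of real events, the unknown-host bucket is the one to review; a hostname that is not in your zone cannot have been reached by resolving it, so it was supplied in the request.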