【NGAF】APT logs recorded the blacklisted IP
Issue Description
A blacklisted IP address is still recorded and shown in the APT logs.


Handling Process
This is normal behavior. When a PC accesses the domain name of a blacklisted IP, it first sends a DNS query to the DNS server to resolve the domain name to an IP address. This DNS query does not contain the blacklisted IP; it contains only the domain name, the PC's IP, and the destination DNS server's IP. When the query reaches the Firewall, the Firewall records the domain name in the APT logs. When the DNS server's reply contains the blacklisted IP, that packet is dropped. The APT logs therefore show which PC tried to resolve the domain name of the blacklisted IP, and when the PC connects to the blacklisted IP, the connection is dropped.
Root Cause
Usually, the Firewall drops any packet that contains a blacklisted IP. When a PC tries to resolve the domain name, the packet does not contain the blacklisted IP, so the APT logs record which PC tried to resolve the domain name.
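The difference between the two packets can be seen by parsing them. The following is an added example, not Sangfor code: it decodes a constructed DNS query and its reply and checks each payload against a blacklist. The domain `example.test`, the address `203.0.113.10`, the function names, and the exact-match check on A records are all assumptions made for illustration.

```python
import socket
import struct

BLACKLIST = {"203.0.113.10"}  # constructed entry (documentation address range)

def _name(buf, off):
    """Decode a DNS name at off, following compression pointers; return (name, next_off)."""
    labels, end = [], None
    for _ in range(128):  # bounded so a pointer loop cannot hang the parser
        n = buf[off]
        if n & 0xC0 == 0xC0:  # compression pointer to an earlier name
            end = off + 2 if end is None else end
            off = ((n & 0x3F) << 8) | buf[off + 1]
            continue
        off += 1
        if n == 0:  # root label terminates the name
            return ".".join(labels), (off if end is None else end)
        labels.append(buf[off:off + n].decode("ascii"))
        off += n
    raise ValueError("DNS name too long or compression loop")

def summarize(buf):
    """Return (is_response, qname, [A-record IPs]) for a DNS message."""
    _id, flags, qd, an, _ns, _ar = struct.unpack("!6H", buf[:12])
    off, qname = 12, ""
    for _ in range(qd):
        qname, off = _name(buf, off)
        off += 4  # skip QTYPE and QCLASS
    ips = []
    for _ in range(an):
        _, off = _name(buf, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:  # A record
            ips.append(socket.inet_ntoa(buf[off:off + 4]))
        off += rdlen
    return bool(flags & 0x8000), qname, ips

def blacklist_hits(buf):
    """Blacklisted IPs that actually appear in the DNS payload."""
    return [ip for ip in summarize(buf)[2] if ip in BLACKLIST]

# Constructed sample messages: a query for example.test and the matching reply.
_Q = b"\x07example\x04test\x00\x00\x01\x00\x01"
QUERY = struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 0) + _Q
RESPONSE = (struct.pack("!6H", 0x1234, 0x8180, 1, 1, 0, 0) + _Q + b"\xc0\x0c"
            + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton("203.0.113.10"))
```

The query yields a domain name and no blacklist hit, which is why it is only logged; the blacklisted address first appears in the reply.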