KB Article | Forcepoint Support

Notes & Warnings

Note: An "unknown host" error message is generated when a destination computer or host server name cannot be resolved. The message indicates that the host server name the user provided does not exist or does not match any Domain Name System (DNS) records.

If you have intermittent issues with pages not loading or "unknown host" messages, see Intermittent issues with pages not loading properly or “unknown host” messages.

Problem Description

Why does the Content Gateway error.log show multiple 'Unknown Host' failures when users have not been browsing sites?
 
“RESPONSE: sent <IP-address> status 504 (Unknown Host) for 'http://trust-service.cn/trust/1488/gate.php'
RESPONSE: sent <IP-address> status 504 (Unknown Host) for 'http://trust-service.cn/trust/1488/config.bin'
RESPONSE: sent 127.0.0.1 status 504 (Unknown Host) for 'http://88 CON 185/'”
 
This amounts to a considerable amount of traffic.

Resolution

Checking if the connection is potentially a security risk:

Scan the client machines generating the traffic with an anti-virus solution to check for botnet clients.

The 'http://trust-service.cn/trust/1488/config.bin' example represents a ZeuS botnet client; however, many other URLs can be seen. ZeuS is a common crimeware kit used for various attacks.

Other botnets may be found rather than ZeuS. Investigate the URL in question to determine whether it is legitimate or malicious.
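The script below is an added example, not part of the original article or of Forcepoint tooling. It groups the 504 (Unknown Host) lines from error.log by client IP and unresolved host so the busiest clients can be scanned first, and sets aside the 127.0.0.1 entries. The sample lines, client addresses and function names are constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Constructed sample in the line format quoted in this article. Client
# addresses are documentation-range placeholders, not values from the article.
SAMPLE_LOG = """\
RESPONSE: sent 192.0.2.10 status 504 (Unknown Host) for 'http://trust-service.cn/trust/1488/gate.php'
RESPONSE: sent 192.0.2.10 status 504 (Unknown Host) for 'http://trust-service.cn/trust/1488/config.bin'
RESPONSE: sent 192.0.2.10 status 504 (Unknown Host) for 'http://trust-service.cn/trust/1488/gate.php'
RESPONSE: sent 192.0.2.23 status 504 (Unknown Host) for 'http://trust-service.cn/trust/1488/gate.php'
RESPONSE: sent 127.0.0.1 status 504 (Unknown Host) for 'http://88 CON 185/'
RESPONSE: sent 192.0.2.23 status 404 (Not Found) for 'http://example.com/missing'
"""

LINE_RE = re.compile(
    r"RESPONSE: sent (?P<client>\S+) status 504 \(Unknown Host\) for '(?P<url>[^']*)'"
)


def host_of(url):
    """Return the lower-cased host of a URL, or the raw string if unparsable."""
    try:
        return urlsplit(url).hostname or url
    except ValueError:
        return url


def triage(lines):
    """Group Unknown Host failures by client; keep loopback entries apart."""
    by_client = defaultdict(Counter)  # client IP -> Counter(host -> hits)
    loopback = []                     # URLs logged with source 127.0.0.1
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue                  # other status codes and log noise
        if m["client"] == "127.0.0.1":
            loopback.append(m["url"])  # the article's non-HTTP case
            continue
        by_client[m["client"]][host_of(m["url"])] += 1
    # Busiest clients first: these are the machines to scan for botnet clients.
    ranked = sorted(by_client.items(), key=lambda kv: (-sum(kv[1].values()), kv[0]))
    return [(client, dict(hosts)) for client, hosts in ranked], loopback


if __name__ == "__main__":
    clients, loopback = triage(SAMPLE_LOG.splitlines())
    for client, hosts in clients:
        print(client, hosts)
    print("127.0.0.1 (source unknown):", loopback)
```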
 

If found to be a legitimate connection:

The following is specific to this example error:

“ RESPONSE: sent 127.0.0.1 status 504 (Unknown Host) for 'http://88 CON 185/'”

This message results from Skype traffic or an unknown non-HTTP protocol. MDS will decrypt this SSL traffic and send it to the Content Gateway. However, the Content Gateway does not understand this traffic. In addition, because the traffic is non-HTTP, MDS headers are not inserted. As a result, the Content Gateway does not know the source IP address and instead reports the traffic as coming from 127.0.0.1.
 
Skype and other specific applications and websites are listed in Websites that have difficulty transiting Content Gateway, along with instructions for resolving the connection issue.
There are two ways to resolve a legitimate connection: enable Tunnel unknown protocols or, if the connection is to an HTTPS destination, add the destination as an SSL incident.

To enable Tunnel unknown protocols:

  • Forcepoint Software versions 7.6-8.5:
  1. Log in to the Content Gateway manager.
  2. Click Configure > Protocols > HTTPS
  3. Ensure Tunnel unknown protocols is enabled.
 
  • Forcepoint Software versions 7.0-7.5:
  1. SSH into the Linux box with root access.
  2. Type export LD_LIBRARY_PATH=/opt/WCG/sxsuite/lib
  3. Type /opt/WCG/sxsuite/bin/oemtool profileconfig 1 tunnel_unknown_protocols yes
  4. To confirm the parameter change, type /opt/WCG/sxsuite/bin/oemtool get profileconfig 1 tunnel_unknown_protocols
  5. Restart Web Content Gateway.
 

To create a tunnel incident for HTTPS destination domains:

Important: Placing a tunnel incident for a domain bypasses filtering for that domain for all users. Use with caution.
  1. Log in to the Content Gateway manager.
  2. Navigate to Configure > SSL > Incidents > Add a Website tab
  3. Remove https:// and enter *.domain.com where domain matches the URL being added.
  4. Select Tunnel from the far right.
  5. Press OK.






Keywords: unknown host; dns issue; could not resolve dns; http status code 504; status 504; ssl incident; tunnel; tunnel unknown protocol. 
