Hello,
we've experienced an increased load on our DNS servers ever since we updated our gateway to version 10.6.1-4 (now we're running 10.6.2-3), which introduced the "URL reputation lookup" feature. The DNS servers seem to be overloaded with (seemingly) unnecessary queries along the lines of:
20-Oct-2016 15:03:04.401 client 131.XXXXXX#55374: view internal: query: 27dd3f41eb4XXXXXe24e14e756bd5.smg.ultra.brightmail.com IN TXT +ED (192.XXXXX)
20-Oct-2016 15:03:04.445 client 131.XXXXXX#52635: view internal: query: dff7cebdbcXXXXXXX3f96b34cf328.smg.ultra.brightmail.com IN TXT +ED (192.XXXXX)
My question is, is this intended? What are those hash values in front of the ".smg.ultra.brightmail.com"?
If it's working as intended, would it be possible to disable this feature on, for example, only 2 scanners via cmd line? We're running a hybrid environment and scanning of internal communication for URLs isn't really needed.
Also - is the "URL reputation lookup" feature adding significant value? I've checked the https://support.symantec.com/en_US/article.TECH234173.html article and it says "Unchecking this option will not significantly decrease anti-spam effectiveness over prior releases" but I'm not sure what exactly it means. I'm asking this to find out if it might be justifiable for us to set up a dedicated DNS server only for the gateway to use (so the high load wouldn't matter).
Looking forward to any answers :)
Best regards,
Václav Měch
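
One way to put numbers on the load described in the post, as an added example that is not part of the original post and is not Symantec's or BIND's own tooling: a small parser that reads resolver query-log lines and reports how many are TXT lookups under .smg.ultra.brightmail.com, per client and at the busiest second. It assumes the log layout of the two lines quoted above; the sample lines, addresses and hash-like labels are constructed.

```python
import re
from collections import Counter

# Assumed query-log layout, modelled on the two lines quoted in the post.
LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\d{2}:\d{2}:\d{2})\.\d+ client (?P<client>[^#\s]+)#\d+"
    r".*?query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)
ZONE = ".smg.ultra.brightmail.com"  # suffix seen in the post

# Constructed sample lines (documentation addresses, made-up labels).
SAMPLE_LOG = """\
20-Oct-2016 15:03:04.401 client 192.0.2.10#55374: view internal: query: aaaa1111.smg.ultra.brightmail.com IN TXT +ED (198.51.100.1)
20-Oct-2016 15:03:04.445 client 192.0.2.10#52635: view internal: query: bbbb2222.smg.ultra.brightmail.com IN TXT +ED (198.51.100.1)
20-Oct-2016 15:03:04.900 client 192.0.2.11#41000: view internal: query: cccc3333.smg.ultra.brightmail.com IN TXT +ED (198.51.100.1)
20-Oct-2016 15:03:05.120 client 192.0.2.20#40000: view internal: query: www.example.com IN A +ED (198.51.100.1)
20-Oct-2016 15:03:05.300 client 192.0.2.10#50001: view internal: query: dddd4444.smg.ultra.brightmail.com IN TXT +ED (198.51.100.1)
"""

def summarize(lines, zone=ZONE):
    """Count reputation-style TXT lookups under `zone` in query-log lines."""
    total = 0
    per_client = Counter()   # matching queries per source address
    per_second = Counter()   # matching queries per wall-clock second
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a query line in the assumed layout
        total += 1
        qname = m["qname"].lower().rstrip(".")
        if qname.endswith(zone) and m["qtype"] == "TXT":
            per_client[m["client"]] += 1
            per_second[f'{m["date"]} {m["time"]}'] += 1
    matched = sum(per_client.values())
    return {
        "total": total,
        "matched": matched,
        "share": matched / total if total else 0.0,
        "per_client": dict(per_client),
        "peak_per_second": max(per_second.values(), default=0),
    }

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG.splitlines()))
```

Run against a real query log, the per-client counts show which scanners generate the lookups, and the peak-per-second figure gives a sizing input for a dedicated resolver.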