This behavior is expected. When you submit a URL sample, ATD validates whether the URL string is valid before sandbox scanning. Then, the ATD back-end attempts to download the URL for later reuse. After these operations are performed, ATD passes the URL string to the sandbox VM for sandbox scanning. The browser in the sandbox VM then opens the URL.
The communication in each phase is performed using the following interface and DNS server:
- Validation and caching phase: This phase uses the MGMT port, regardless of the Malware internet Port setting. ATD uses the Preferred/Alternate DNS server to resolve the host name in the URL.
- Sandbox phase: This phase uses the Malware internet Port, which is assigned to one of the mgmt/1/2/3 ports. ATD uses Malware DNS Server to resolve the host name in the URL.
You see the DNS lookup to Preferred/Alternate DNS Server and web access from the MGMT port performed in the validation and caching phase.
