Problem:

Your production system or network monitoring tools are logging a lot of DNS queries for a decommissioned host.

In System Monitor (Sysmon) logs there are frequent Event Log entries of PPExtensionService.EXE that is querying that dead host computer’ FQDN.

Like in an example screenshot below.

Cause:

The cause of the problem is a PolicyPak Browser Router (PPBR) rule that has an Item-level Targeting (ILT) filter of the decommissioned host computer.

Resolution:

Correct the ILT condition or remove the filter that is in place for that computer.