https://community.checkpoint.com/t5/Firewall-and-Security-Management/DNS-trap-always-shows-same-domain/m-p/161664#M28648 <P>I run into a post somewhere (can't remember exactly where) that said that a cpstop;cpstart on SMS could resolve the issue.</P><P>Today we performed a hotfix installation on our SMS and currently we aren't facing the issue with the DNS trap.</P><P>Lets hope it fixed it!</P> Wed, 09 Nov 2022 11:19:34 GMT kadar2 2022-11-09T11:19:34Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/DNS-trap-always-shows-same-domain/m-p/160818#M28383 <P>Hello all,</P><P>&nbsp;</P><P>A few weeks ago, a suspicious communication towards the domain “4s.pm” was identified by Anti-Virus blade and DNS trap was successfully enforced.</P><P>Since then, what we notice and we can not explain is the fact that if we search for “DNS Trap” <STRONG>all the results</STRONG> refer as destination “4s.pm” (screenshot 1). This is weird and most possibly false because if we randomly open one of these logs (Screenshot 2), in the forensics section the actual domain is referred and it is not “4s.pm”.</P><P>Can somebody help us understand the behavior?</P> Mon, 31 Oct 2022 12:08:00 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/DNS-trap-always-shows-same-domain/m-p/160818#M28383 kadar2 2022-10-31T12:08:00Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/DNS-trap-always-shows-same-domain/m-p/160830#M28387 <P>Refer to how the DNS Trap works here:&nbsp;<A href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk74060&amp;partition=Basic&amp;product=Anti-Virus" target="_blank">https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk74060&amp;partition=Basic&amp;product=Anti-Virus</A><BR />The IP address listed (62.0.58.94) is the default configuration for DNS Trap and is expected behavior.</P> Mon, 31 Oct 2022 13:53:45 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/DNS-trap-always-shows-same-domain/m-p/160830#M28387 PhoneBoy 2022-10-31T13:53:45Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/DNS-trap-always-shows-same-domain/m-p/160890#M28399 <P>Hello PhoneBoy,</P><P>the question isn't related to the IP 62.0.58.94, which is the default DNS trap.</P><P>We do not have any actual traffic that is trying to reach 4s.pm (only one incident about a month ago). No DNS requests towards 4s.pm are logged in our DNS servers. So it is confusing to see this domain in the DNS trap logs. As you can see in the "screenshot2" the forensics details --&gt; resource refers to a totally different domain. So why isn't the actual domain (digitaloceans.com in our example) translated to 62.0.58.94?</P> Tue, 01 Nov 2022 07:04:11 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/DNS-trap-always-shows-same-domain/m-p/160890#M28399 kadar2 2022-11-01T07:04:11Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/DNS-trap-always-shows-same-domain/m-p/160929#M28410 <P>If you create a dummy object in your DB (example name: cp-dns-trap) for that IP does it make it clearer in the logs?</P> <P>Alternatively you can disable object resolution with Ctrl-r or change the DNS trap IP.</P> <P>Refer also:&nbsp;<A href="https://community.checkpoint.com/t5/Management/SMS-log-incorrect-name-resolution/td-p/128459" target="_blank" rel="noopener">https://community.checkpoint.com/t5/Management/SMS-log-incorrect-name-resolution/td-p/128459</A></P> Tue, 01 Nov 2022 15:36:35 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/DNS-trap-always-shows-same-domain/m-p/160929#M28410 Chris_Atkinson 2022-11-01T15:36:35Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/DNS-trap-always-shows-same-domain/m-p/161561#M28606 <P>We actually opened a TAC case and we are awaiting on feedback.</P> Tue, 08 Nov 2022 13:29:56 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/DNS-trap-always-shows-same-domain/m-p/161561#M28606 kadar2 2022-11-08T13:29:56Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/DNS-trap-always-shows-same-domain/m-p/161581#M28614 <P>&nbsp;</P> <P>You can also try adjusting the DNS cache, but that's probably the extent of it.</P> <P><A href="https://community.checkpoint.com/t5/Management/SMS-log-incorrect-name-resolution/td-p/128459#M31568" target="_blank">https://community.checkpoint.com/t5/Management/SMS-log-incorrect-name-resolution/td-p/128459#M31568</A></P> Tue, 08 Nov 2022 13:57:03 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/DNS-trap-always-shows-same-domain/m-p/161581#M28614 Chris_Atkinson 2022-11-08T13:57:03Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/DNS-trap-always-shows-same-domain/m-p/161664#M28648 <P>I run into a post somewhere (can't remember exactly where) that said that a cpstop;cpstart on SMS could resolve the issue.</P><P>Today we performed a hotfix installation on our SMS and currently we aren't facing the issue with the DNS trap.</P><P>Lets hope it fixed it!</P> Wed, 09 Nov 2022 11:19:34 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/DNS-trap-always-shows-same-domain/m-p/161664#M28648 kadar2 2022-11-09T11:19:34Z