https://community.checkpoint.com/t5/Firewall-and-Security-Management/DNS-Tunneling-IPS/m-p/122870#M56050 <P>A large number of specific types of queries will trigger the DNS Tunneling protection.<BR />Unfortunately, we do not publicly share the precise details of how we enforce this protection.</P> Sat, 03 Jul 2021 04:27:55 GMT PhoneBoy 2021-07-03T04:27:55Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/DNS-Tunneling-IPS/m-p/122723#M56049 <P>I understand the basics of what DNS tunneling is and have recently enabled this IPS protection in our Threat Prevention Profile. What I have been unable to find is exactly how this IPS protection actually works. What is it doing and looking for to stop a DNS tunnel?</P><P>Secondarily I would like to know how to test this but first need to know what this protection is doing in order to accomplish that.</P><P>Thank you.</P><P>Goose</P> Thu, 01 Jul 2021 13:41:25 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/DNS-Tunneling-IPS/m-p/122723#M56049 Goose 2021-07-01T13:41:25Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/DNS-Tunneling-IPS/m-p/122870#M56050 <P>A large number of specific types of queries will trigger the DNS Tunneling protection.<BR />Unfortunately, we do not publicly share the precise details of how we enforce this protection.</P> Sat, 03 Jul 2021 04:27:55 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/DNS-Tunneling-IPS/m-p/122870#M56050 PhoneBoy 2021-07-03T04:27:55Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/DNS-Tunneling-IPS/m-p/122881#M56051 <P>I understand and that makes some sense. Can you point me toward and one particular way that I could test that it is indeed working? I recall seeing in one post (granted it was a particular upgrade scenario) that it was not working. I would just like to be able to trigger and verify. Thank you.</P> Sat, 03 Jul 2021 14:02:05 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/DNS-Tunneling-IPS/m-p/122881#M56051 Goose 2021-07-03T14:02:05Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/DNS-Tunneling-IPS/m-p/122882#M56052 <P>Nothing I can share publicly.<BR />Recommend reaching out to your local Check Point SE.</P> Sat, 03 Jul 2021 15:30:57 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/DNS-Tunneling-IPS/m-p/122882#M56052 PhoneBoy 2021-07-03T15:30:57Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/DNS-Tunneling-IPS/m-p/122906#M56053 <P>You can try dns2tcp tool in Kali Linux to test it: <A href="https://tools.kali.org/maintaining-access/dns2tcp" target="_blank">https://tools.kali.org/maintaining-access/dns2tcp</A></P> <P>I am not sure how many packets it should see to be triggered though.</P> Sun, 04 Jul 2021 12:35:58 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/DNS-Tunneling-IPS/m-p/122906#M56053 Vladimir 2021-07-04T12:35:58Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/DNS-Tunneling-IPS/m-p/122909#M56054 <P>Thank you Vladimir. I will try and let you know.&nbsp;</P> Sun, 04 Jul 2021 13:29:27 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/DNS-Tunneling-IPS/m-p/122909#M56054 Goose 2021-07-04T13:29:27Z