topic Re: Malicious DNS queries to DNS server in Endpoint

Malicious DNS queries to DNS server

harshnagar — Thu, 14 Aug 2025 15:31:14 GMT

Hello Team,

Recently we have integrated Checkpoint Firewall with our Qradar SIEM for SOC Monitoring Prospective. So during our SIEM Monitoring we noticed that we are getting events related to DNS queries made to Malicious Domains to our DNS server, but we are not able to track the origin of this request from which machine the DNS queries are made below is the sample Payload for your reference:

src/scope ip = 172.18.134.166 (DNS Server)

origin = 172.18.135.128 (Firewall IP)

LEEF:2.0|Check Point|New Anti Virus|1.0|Prevent|devTime=1752364685 srcPort=51511 srcBytes=75096 dstBytes=69916 url=dwell-exclaim.biz dwell-exclaim.biz dwell-exclaim.biz dwell-exclaim.biz dwell-exclaim.biz signature=Generic.TC.893cvpFR malware=Generic policyName=MB-PERIMETER cat=New Anti Virus sev=5 action=Prevent ifdir=outbound ifname=eth1 loguid={0x220fc418,0x8fd522ad,0xcaa1cce8,0xc9cc5a22} origin=172.18.135.128 originsicname=CN\=MB-PERIMETER-FW-2,O\=MIN-Test-MGMT..x2yup5 sequencenum=5 version=5 confidence_level=5 description=DNS response was replaced with a DNS trap bogus IP. See sk74060 for more information. dns_message_type=Query dst=37.209.192.13 lastupdatetime=1752366010 log_id=2 malware_action=DNS query for a site known to contain malware malware_rule_id={C3D9A814-BCC8-994D-8E3B-0C0A48C7A0F8} policy_time=1752262987 protection_id=00453B448 protection_type=DNS reputation proto=17 question_rdata=A:www.dwell-exclaim.biz scope=172.18.134.166 service=53 session_id={0x6872f68d,0x22,0x7290a0f1,0xe06837e8} smartdefense_profile=Recommended_Profile src=172.18.134.166 suppressed_logs=278 tid=8142 layer_name=PM-PERIMETER Threat Prevention layer_name=PB-PERIMETER Threat Prevention layer_name=PB-PERIMETER Threat Prevention layer_name=PB-PERIMETER Threat Prevention layer_name=PB-PERIMETER Threat Prevention layer_uuid={CA414E04-5736-194B-8979-10D42CF1A923} layer_uuid={CA414E04-5736-194B-8979-10D42CF1A923} layer_uuid={CA414E04-5736-194B-8979-10D42CF1A923} layer_uuid={CA414E04-5736-194B-8979-10D42CF1A923} layer_uuid={CA414E04-5736-194B-8979-10D42CF1A923} malware_rule_id={C3D9A814-BCC8-994D-8E3B-0C0A48C7A0F8} malware_rule_id={C3D9A814-BCC8-994D-8E3B-0C0A48C7A0F8} malware_rule_id={C3D9A814-BCC8-994D-8E3B-0C0A48C7A0F8} malware_rule_id={C3D9A814-BCC8-994D-8E3B-0C0A48C7A0F8} malware_rule_id={C3D9A814-BCC8-994D-8E3B-0C0A48C7A0F8} smartdefense_profile=Recommended_Profile smartdefense_profile=Recommended_Profile smartdefense_profile=Recommended_Profile smartdefense_profile=Recommended_Profile smartdefense_profile=Recommended_Profile vendor_list=Check Point ThreatCloud

Re: Malicious DNS queries to DNS server

_Val_ — Thu, 17 Jul 2025 11:20:12 GMT

The log is showing that the DNS request crossing the FW originates from your DNS server.

This is usually the case when you have an infected machine in your internal network that is querying a malicious site or URL. The first DNS request is not crossing the FW, it goes from the infected machine to your internal DNS server, and then the DNS server is relaying that request to the Internet.

Unless you place your FW between your DNS server and your internal network segment, you won't be able to find the offender via the FW logs.

However, you might figure out the offender in the DNS server logs, if you have any.

Re: Malicious DNS queries to DNS server

harshnagar — Thu, 17 Jul 2025 11:55:48 GMT

Thanks for the confirmation will explore DNS server logs.

Re: Malicious DNS queries to DNS server

harshnagar — Fri, 18 Jul 2025 15:24:34 GMT

Hello @_Val_

Thanks for the confirmation will explore DNS server logs also, but i have heard that UTM firewalls queries the blocked URL through the local DNS server configured on them is it true for Checkpoint also, as I have seen some logs in which source IP is also firewall ip.

Re: Malicious DNS queries to DNS server

Lesley — Fri, 18 Jul 2025 18:23:07 GMT

I suspect this feature. DNS trap. If you have no DNS configured yourself it will connect towards DNS server from Check Point with an IP hosted in Israel. Source will be indeed fw

Re: Malicious DNS queries to DNS server

harshnagar — Sat, 19 Jul 2025 11:54:29 GMT

Yes if any local DNS is configured then also the IP will be firewall Ip, so do you know how often does the FW checks these Domains on DNS as we receive multiple events regarding malicious domains queries on DNS server,

Re: Malicious DNS queries to DNS server

_Val_ — Mon, 21 Jul 2025 08:05:53 GMT

Not sure I fully understand your point.

Re: Malicious DNS queries to DNS server

Lloyd_Braun — Mon, 21 Jul 2025 15:21:06 GMT

Check the firewall logs for connection attempts to 62.0.58.94. This is the default DNS trap IP that the firewall will modfiy the DNS response to. As the logs say: "DNS response was replaced with a DNS trap bogus IP. See sk74060 for more information"

As mentioned, you are only seeing the DNS query flagged at the firewall from the DNS servers, without DNS logging, your best bet is to look for the subsequent connection from the actual client to the DNS trap IP, probably HTTP/HTTPS but could be something else from the client to the DNS trap IP.