topic Re: large amounts of DNS traffic in General Topics

large amounts of DNS traffic

Neil_ZInk — Mon, 06 Nov 2017 22:14:36 GMT

after upgrading to r80.10, I started seeing some interesting traffic reported as DNS.

from the individual session

we have DNS locked down to only a few approved servers. We have IPS rule in place to look for DNS tunneling.

Any thoughts?

thanks

Re: large amounts of DNS traffic

Vladimir — Tue, 07 Nov 2017 01:12:47 GMT

DNS is often used as the channel for updates (legitimate) as well as data exfiltration (malicious).

Can you tell me which DNS servers you have approved the egress traffic to?

Re: large amounts of DNS traffic

Neil_ZInk — Tue, 07 Nov 2017 03:47:11 GMT

our windows domain controllers

Re: large amounts of DNS traffic

Vladimir — Tue, 07 Nov 2017 13:33:04 GMT

But are your Windows DCs are configured as Recursive DNS servers to allow upstream lookups?

If yes, and there are no rules in the firewalls preventing their egress traffic on port 53, than essentially they are acting as DNS proxies forwarding all requests for non-cached entries further upstream.

Re: large amounts of DNS traffic

Neil_ZInk — Tue, 07 Nov 2017 13:36:44 GMT

They are and I agree with you. 10's to 100's mg of DNS traffic seems very odd.

Re: large amounts of DNS traffic

Vladimir — Tue, 07 Nov 2017 14:13:11 GMT

Since I know nothing about your infrastructure, it is hard for me to make accurate suggestions, but if you are concerned with your DNS traffic and would like to have more visibility into it, you may consider one of the following options:

1. Enable Name Resolution, if not yet enabled, for the logs to get better granular visibility in traffic-to-destination.

2. If your AntiBot blade is not yet enabled, please do so, as it will reduce the possibility of C&C traffic.

3. This one I cannot recommend, as I vaguely recall reading about unexpected bad consequences of designating DCs as Internal DNS Servers, but the option is there and I would welcome the input from Check Point and community as to its current state:

Another thing you may consider doing is subscribing to a third-party DNS filtering service, such as OpenDNS and designating their servers for your upstream lookups.

Re: large amounts of DNS traffic

_Val_ — Tue, 07 Nov 2017 14:57:23 GMT

just make sure that DNS traffic is not generated by R80.10 itself 🙂 Smartlog might do that, trying to resolve all IPs in the logs

Re: large amounts of DNS traffic

Neil_ZInk — Mon, 13 Nov 2017 14:14:05 GMT

Issue resolved. PEP tables where corrupt.

ran command: # fw tab -t pep_networks_to_pdp_db -t pep_net_reg -t pep_reported_network_masks_db -x -y

before running the command we were seeing 2 million DNS records an hour (below)

thanks everyone for your responses.

Re: large amounts of DNS traffic

Kirupa_Shankar_ — Wed, 04 Oct 2023 00:02:59 GMT

What is the correlation between pep and dns queries?