topic Re: DNS Implied rule in General Topics

DNS Implied rule

EitanNeuman — Sun, 30 Jul 2023 10:21:35 GMT

Hi,

I wanted to ask about the DNS Implied rule in the CP Gateway (UDP/53).

Since in my organization, we are using both the implied rule and manual DNS rule (where needed) with TCP/53 port I would like to know the follows:

Is there a way for a hacker, from inside or the outside, to use the DNS implied rule of the CP to perform any kind of an attack, which can happened under are noses?
Since Implied rules are not changeable, what is the best practice to work with the specific DNS Implied rule, to achieve – maximum security?
If I would like to Block the use of the DNS Implied rule of the Gateway, from one subnet to another or to Any, how should I do it the best way?

Re: DNS Implied rule

_Val_ — Wed, 02 Aug 2023 14:42:44 GMT

Let's start with the main question. Can hackers use DNS? the answer is yes. We just had a TechTalk about DNS security, you can watch it here: https://community.checkpoint.com/t5/General-Topics/Hacking-DNS-TechTalk-Video-Slides-and-Q-amp-A/m-p/187736/highlight/true#M31438

Now, you can also adjust and log implied rules. DNS is NOT enabled through the implied rules by default.

You can also create explicit rules to control your DNS traffic. Lastly, with Threat prevention, you can put additional protections over DNS traffic, regardless of how you configure your rules, implied or explicit.

Re: DNS Implied rule

the_rock — Thu, 03 Aug 2023 01:36:34 GMT

I think what Val gave you sums it all up pretty well. I would certainly watch DNS hacking presentation by Ralph, it was fantastic.

Andy