topic Re: DNS trap in General Topics

DNS trap

Qiuyao — Thu, 29 Jun 2023 03:36:58 GMT

Hello support,

Why is the default address of DNS trap 62.0.58.94 and not something else, what is the significance of this choice? When DNS trap is triggered, does DNS traffic go to 62.0.58.94? Or did he simply replace the destination DNS address with 62.0.58.94

Best Regards,

Qiuyao Dai

Re: DNS trap

PhoneBoy — Thu, 29 Jun 2023 16:37:56 GMT

The significance of the choice is simple: Check Point owns this IP address.
You can verify this through WHOIS records.

When we detect a DNS lookup for a domain that is malicious, we replace the results of that query with the configured IP DNS Trap address.
The idea being: instead of connecting to the malicious host, the client will connect to the DNS Trap address, which should ultimately be harmless to the end user.

To the best of my knowledge, there is no host assigned to 62.0.58.94.
Which means all traffic sent to this IP will fail and result in no harm to and end user.

Re: DNS trap

Chris_Atkinson — Fri, 30 Jun 2023 00:49:09 GMT

For more info please refer:

sk74060: Anti-Virus Malware DNS Trap feature

Re: DNS trap

Emil_T — Mon, 09 Sep 2024 18:37:09 GMT

Should I allow traffic to the bogus trap IP in security policy rule?

Re: DNS trap

PhoneBoy — Mon, 09 Sep 2024 20:14:57 GMT

Don't believe it is necessary.