harshnagar
Explorer

Malicious DNS queries to DNS server

Hello Team,

Recently we have integrated Checkpoint Firewall with our Qradar SIEM for SOC monitoring purposes. During our SIEM monitoring we noticed that we are getting events related to DNS queries made to malicious domains from our DNS server, but we are not able to track the origin of these requests (from which machine the DNS queries are made). Below is the sample payload for your reference:

src/scope ip = 172.18.134.166 (DNS Server)

origin = 172.18.135.128 (Firewall IP)


LEEF:2.0|Check Point|New Anti Virus|1.0|Prevent|devTime=1752364685 srcPort=51511 srcBytes=75096 dstBytes=69916 url=dwell-exclaim.biz dwell-exclaim.biz dwell-exclaim.biz dwell-exclaim.biz dwell-exclaim.biz signature=Generic.TC.893cvpFR malware=Generic policyName=MB-PERIMETER cat=New Anti Virus sev=5 action=Prevent ifdir=outbound ifname=eth1 loguid={0x220fc418,0x8fd522ad,0xcaa1cce8,0xc9cc5a22} origin=172.18.135.128 originsicname=CN\=MB-PERIMETER-FW-2,O\=MIN-Test-MGMT..x2yup5 sequencenum=5 version=5 confidence_level=5 description=DNS response was replaced with a DNS trap bogus IP. See sk74060 for more information. dns_message_type=Query dst=37.209.192.13 lastupdatetime=1752366010 log_id=2 malware_action=DNS query for a site known to contain malware malware_rule_id={C3D9A814-BCC8-994D-8E3B-0C0A48C7A0F8} policy_time=1752262987 protection_id=00453B448 protection_type=DNS reputation proto=17 question_rdata=A:www.dwell-exclaim.biz scope=172.18.134.166 service=53 session_id={0x6872f68d,0x22,0x7290a0f1,0xe06837e8} smartdefense_profile=Recommended_Profile src=172.18.134.166 suppressed_logs=278 tid=8142 layer_name=PM-PERIMETER Threat Prevention layer_name=PB-PERIMETER Threat Prevention layer_name=PB-PERIMETER Threat Prevention layer_name=PB-PERIMETER Threat Prevention layer_name=PB-PERIMETER Threat Prevention layer_uuid={CA414E04-5736-194B-8979-10D42CF1A923} layer_uuid={CA414E04-5736-194B-8979-10D42CF1A923} layer_uuid={CA414E04-5736-194B-8979-10D42CF1A923} layer_uuid={CA414E04-5736-194B-8979-10D42CF1A923} layer_uuid={CA414E04-5736-194B-8979-10D42CF1A923} malware_rule_id={C3D9A814-BCC8-994D-8E3B-0C0A48C7A0F8} malware_rule_id={C3D9A814-BCC8-994D-8E3B-0C0A48C7A0F8} malware_rule_id={C3D9A814-BCC8-994D-8E3B-0C0A48C7A0F8} malware_rule_id={C3D9A814-BCC8-994D-8E3B-0C0A48C7A0F8} malware_rule_id={C3D9A814-BCC8-994D-8E3B-0C0A48C7A0F8} smartdefense_profile=Recommended_Profile smartdefense_profile=Recommended_Profile smartdefense_profile=Recommended_Profile 
smartdefense_profile=Recommended_Profile smartdefense_profile=Recommended_Profile vendor_list=Check Point ThreatCloud

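To make pivoting on an event like the one above easier, here is an added example (not part of the original post and not a Check Point or QRadar tool) that parses the LEEF line: it keeps repeated keys such as `layer_name` as lists instead of overwriting them, unescapes the `\=` inside `originsicname`, and pulls out the few fields an analyst needs to trace the query. The event text is the one posted above, abbreviated to the attributes used; the function names are assumptions for the example. Note that `src` and `scope` both carry the DNS server's address, so the event alone cannot name the internal client.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Event from the post above, abbreviated to the attributes used here
# (the full payload repeats layer_name/layer_uuid/malware_rule_id several times).
SAMPLE_LEEF = (
    "LEEF:2.0|Check Point|New Anti Virus|1.0|Prevent|"
    "devTime=1752364685 srcPort=51511 url=dwell-exclaim.biz signature=Generic.TC.893cvpFR "
    "action=Prevent ifdir=outbound origin=172.18.135.128 "
    "originsicname=CN\\=MB-PERIMETER-FW-2,O\\=MIN-Test-MGMT..x2yup5 "
    "description=DNS response was replaced with a DNS trap bogus IP. See sk74060 for more information. "
    "dns_message_type=Query dst=37.209.192.13 "
    "malware_action=DNS query for a site known to contain malware "
    "protection_type=DNS reputation proto=17 question_rdata=A:www.dwell-exclaim.biz "
    "scope=172.18.134.166 service=53 src=172.18.134.166 "
    "layer_name=PM-PERIMETER Threat Prevention layer_name=PB-PERIMETER Threat Prevention "
    "vendor_list=Check Point ThreatCloud"
)

HEADER_KEYS = ("leef_version", "vendor", "product", "version", "event_id")

# A key is a word directly followed by '=' at the start of the attribute string or
# after whitespace; the escaped '\=' inside originsicname therefore never starts a key.
KEY_RE = re.compile(r"(?<![^\s])([A-Za-z_]\w*)=")


def parse_leef(line: str) -> Tuple[Dict[str, str], Dict[str, List[str]]]:
    """Split a LEEF 2.0 line into its header fields and a multi-valued attribute map.

    Values may contain spaces, so each value runs from its '=' up to the next key.
    Repeated keys are collected into lists rather than silently overwritten.
    """
    parts = line.split("|", 5)
    if len(parts) != 6 or not parts[0].startswith("LEEF:"):
        raise ValueError("not a LEEF 2.0 event with an attribute section")
    header = dict(zip(HEADER_KEYS, parts[:5]))
    header["leef_version"] = header["leef_version"][len("LEEF:"):]

    body = parts[5]
    attrs: Dict[str, List[str]] = defaultdict(list)
    matches = list(KEY_RE.finditer(body))
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(body)
        value = body[m.end():end].strip().replace("\\=", "=")
        attrs[m.group(1)].append(value)
    return header, dict(attrs)


def first(attrs: Dict[str, List[str]], key: str, default: str = "") -> str:
    """First value of a possibly repeated attribute."""
    return attrs.get(key, [default])[0]


def pivot_fields(line: str) -> Dict[str, object]:
    """The handful of fields needed to trace a DNS reputation hit."""
    _, attrs = parse_leef(line)
    qtype, _, name = first(attrs, "question_rdata").partition(":")
    return {
        "querying_host": first(attrs, "src"),          # host the gateway saw sending the query
        "gateway": first(attrs, "origin"),             # gateway that logged the event
        "upstream_resolver": first(attrs, "dst"),      # where the query was headed
        "queried_name": name,
        "query_type": qtype,
        "dns_trap_applied": "DNS trap" in first(attrs, "description"),
    }


if __name__ == "__main__":
    hdr, attrs = parse_leef(SAMPLE_LEEF)
    print(hdr["product"], hdr["event_id"], attrs["layer_name"])
    print(pivot_fields(SAMPLE_LEEF))
```

In this event `querying_host` is the internal resolver, which is exactly why the firewall log cannot identify the infected client; the `queried_name` is the value to take into the resolver's own query log.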
Accepted Solutions
_Val_
Admin
Admin

The log is showing that the DNS request crossing the FW originates from your DNS server. 

This is usually the case when you have an infected machine in your internal network that is querying a malicious site or URL. The first DNS request is not crossing the FW, it goes from the infected machine to your internal DNS server, and then the DNS server is relaying that request to the Internet.

Unless you place your FW between your DNS server and your internal network segment, you won't be able to find the offender via the FW logs.

However, you might figure out the offender in the DNS server logs, if you have any.

7 Replies
harshnagar
Explorer

Thanks for the confirmation, will explore the DNS server logs.

harshnagar
Explorer

Hello @_Val_ 

Thanks for the confirmation, will explore the DNS server logs also. But I have heard that UTM firewalls query the blocked URL through the local DNS server configured on them; is this true for Checkpoint also, as I have seen some logs in which the source IP is also the firewall IP?

Lesley
Authority

I suspect this feature: DNS trap. If you have no DNS configured yourself, it will connect towards a DNS server from Check Point with an IP hosted in Israel. The source will indeed be the FW.

-------
If you like this post please give a thumbs up(kudo)! 🙂
harshnagar
Explorer

Yes, if any local DNS is configured then also the IP will be the firewall IP. So do you know how often the FW checks these domains on DNS, as we receive multiple events regarding malicious domain queries on the DNS server?

_Val_
Admin
Admin

Not sure I fully understand your point. 

Lloyd_Braun
Advisor

Check the firewall logs for connection attempts to 62.0.58.94. This is the default DNS trap IP that the firewall will modify the DNS response to. As the logs say: "DNS response was replaced with a DNS trap bogus IP. See sk74060 for more information"

As mentioned, you are only seeing the DNS query flagged at the firewall from the DNS servers. Without DNS logging, your best bet is to look for the subsequent connection from the actual client to the DNS trap IP, probably HTTP/HTTPS but it could be something else from the client to the DNS trap IP.

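The two leads given in this thread, the internal resolver's query log (the accepted answer) and connections to the DNS trap address (the reply above), can be combined into one hunt. The following is an added example, not code from any of the posters or from Check Point: it reads constructed BIND-style query-log lines and constructed key=value gateway connection-log lines, and ranks internal hosts by how much evidence points at them. The log formats, host addresses and function names are assumptions for the example; the trap address 62.0.58.94 and the domain come from the thread.

```python
import re
from collections import defaultdict
from typing import Dict, List, Set

# Default DNS trap address named in the reply above, and the domain from the LEEF event.
DNS_TRAP_IP = "62.0.58.94"
FLAGGED_DOMAIN = "www.dwell-exclaim.biz"

# Constructed BIND-style query-log lines standing in for the internal resolver's log.
DNS_QUERY_LOG = """\
13-Jul-2025 01:18:05.101 client @0x7f3a1c0 172.18.140.23#51234 (www.dwell-exclaim.biz): query: www.dwell-exclaim.biz IN A +E(0)K (172.18.134.166)
13-Jul-2025 01:18:05.300 client @0x7f3a1d0 172.18.140.57#60111 (www.example.com): query: www.example.com IN A + (172.18.134.166)
13-Jul-2025 01:18:07.412 client @0x7f3a1e0 172.18.141.9#49152 (www.dwell-exclaim.biz): query: www.dwell-exclaim.biz IN AAAA + (172.18.134.166)
"""

# Constructed gateway connection-log lines (key=value, no spaces inside values).
FW_CONN_LOG = """\
time=1752364686 src=172.18.140.23 dst=62.0.58.94 service=443 proto=6 action=Accept
time=1752364687 src=172.18.140.57 dst=93.184.216.34 service=443 proto=6 action=Accept
time=1752364690 src=172.18.141.9 dst=62.0.58.94 service=80 proto=6 action=Accept
time=1752364695 src=172.18.142.77 dst=62.0.58.94 service=8443 proto=6 action=Drop
"""

# Client address, queried name and record type from a BIND "query:" line.
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-fA-F]+ )?(?P<client>\d{1,3}(?:\.\d{1,3}){3})#\d+ .*?query: "
    r"(?P<qname>\S+) IN (?P<qtype>\S+)"
)


def clients_querying(log_text: str, domain: str) -> Dict[str, List[str]]:
    """Map client IP -> record types it asked for `domain` (case-insensitive, trailing dot ignored)."""
    wanted = domain.rstrip(".").lower()
    hits: Dict[str, List[str]] = defaultdict(list)
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m and m.group("qname").rstrip(".").lower() == wanted:
            hits[m.group("client")].append(m.group("qtype"))
    return dict(hits)


def clients_reaching(log_text: str, dst_ip: str) -> Set[str]:
    """Source IPs of any logged connection, accepted or dropped, to `dst_ip`."""
    sources: Set[str] = set()
    for line in log_text.splitlines():
        fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
        if fields.get("dst") == dst_ip and "src" in fields:
            sources.add(fields["src"])
    return sources


def suspects(dns_log: str, fw_log: str, domain: str, trap_ip: str) -> Dict[str, List[str]]:
    """Host -> evidence strings; hosts seen in both logs are listed first."""
    by_dns = clients_querying(dns_log, domain)
    by_trap = clients_reaching(fw_log, trap_ip)
    evidence: Dict[str, List[str]] = {}
    for host in sorted(set(by_dns) | by_trap):
        items = []
        if host in by_dns:
            items.append(f"resolved {domain} ({','.join(by_dns[host])})")
        if host in by_trap:
            items.append(f"connected to DNS trap {trap_ip}")
        evidence[host] = items
    return dict(sorted(evidence.items(), key=lambda kv: -len(kv[1])))


if __name__ == "__main__":
    for host, why in suspects(DNS_QUERY_LOG, FW_CONN_LOG, FLAGGED_DOMAIN, DNS_TRAP_IP).items():
        print(host, "->", "; ".join(why))
```

A host that both resolved the flagged name and then connected to the trap address is the strongest candidate; a host that only touched the trap address still deserves a look, since the resolver log may have rotated or the name may have been served from cache. Dropped connections are kept on purpose: the trap works precisely because the client tries to reach the bogus address.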