
Blocking list of domain names (FQDN) with R80.10

I want to block a list of domain names (example.com, google.com, customurl1.com, customurl2.com, customurl3.com, and so forth) using Checkpoint Firewall R80.10. This has proven challenging, though. I want to block the domain names from being resolved at the DNS level, even if it has no IP address assigned to it yet.

The two options appear to be to use:

  • Application Control & URL Filtering
  • Block domains using Domain Objects

Is there a clear-cut solution to perform what I am trying to achieve? Documentation has left me feeling unclear. I want to know what the proper approach for doing this is.

1 Solution

Accepted Solutions
Admin

Re: Blocking list of domain names (FQDN) with R80.10

It’s a Chicken and Egg problem:

  • The forward DNS (e.g. hostname.example.com > 192.0.2.1) rarely matches the reverse DNS (192.0.2.1 > not.a.valid.name)
  • We don’t know every host in *.example.com
  • Short of looking at the DNS request, there’s no real way to know before the TCP connection is established whether we are connecting to somehost.example.com. Even then, this is only feasible if the gateway is between your clients and the DNS server.

A clever way to solve this problem might be to use Anti-Bot DNS Trap.
What this will do is replace lookups for the domain with a bogus IP that goes...nowhere.
This assumes Anti-Virus and/or Anti-Bot blades are enabled.
Configure this in the relevant profile:

[Screenshot: Capture1.PNG]

You can create a CSV file with the relevant domains in it.
Something like:

observ1,somedomain1.com,Domain,,low,AV,Domain_to_block
observ2,somedomain2.com,Domain,,low,AV,Domain_to_block
observ3,somedomain3.com,Domain,,low,AV,Domain_to_block

Upload it as indicators:

[Screenshot: Capture2.PNG]

Install policy.

8 Replies

Re: Blocking list of domain names (FQDN) with R80.10

Hi,

The basic way of doing it is like this I believe:

[Screenshot: Block Domains.PNG]

The only question I think is whether you want to block those very specific domains or their subdomains as well. For the first option you would need to create the domain objects in FQDN mode whereas for the second option you would need to create them in non-FQDN mode. 

See sk120633 and sk90401 for more information and let us know if you are still having difficulties.

I hope this helps.

0 Kudos
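The reply above distinguishes FQDN-mode objects (exact name only) from non-FQDN-mode objects (the domain plus its subdomains), and the accepted answer describes a DNS trap that answers blocked names with a bogus address. The following added example is not Check Point code and does not describe the gateway's internals; it models the two matching modes and the trap behaviour so the difference between them can be checked against concrete names. The trap address, the upstream records and the 10-level subdomain limit (taken from the original poster's requirement) are constructed assumptions.

```python
"""Model of the two matching modes discussed in this thread (exact FQDN vs.
domain-plus-subdomains) and of a DNS "trap" that answers a blocked name with a
sinkhole address. Added illustration only; this is not Check Point code and
does not describe the gateway's internal implementation."""
from typing import Dict, Iterable, Optional, Tuple

# Constructed sinkhole address (TEST-NET-1 range); the real trap IP is whatever
# is configured in the Anti-Bot profile.
TRAP_IP = "192.0.2.1"

# Constructed stand-in for an upstream resolver. Names missing here simulate
# domains that are not registered (or have no A record) yet.
UPSTREAM: Dict[str, str] = {
    "www.example.com": "203.0.113.10",
    "mail.example.org": "203.0.113.20",
}


def normalize(name: str) -> str:
    """Lower-case, drop surrounding whitespace and a trailing root dot."""
    return name.strip().lower().rstrip(".")


class DomainBlocklist:
    """exact: names matched as full FQDNs only (FQDN mode).
    suffix: domains matched together with their subdomains (non-FQDN mode),
    down to max_labels levels below the listed domain."""

    def __init__(self, exact: Iterable[str] = (), suffix: Iterable[str] = (),
                 max_labels: int = 10) -> None:
        self.exact = {normalize(d) for d in exact}
        self.suffix = {normalize(d).lstrip(".") for d in suffix}
        self.max_labels = max_labels

    def match(self, qname: str) -> Optional[str]:
        """Return the blocklist entry that covers qname, or None."""
        q = normalize(qname)
        if q in self.exact:
            return q
        labels = q.split(".")
        # Walk from the full name up to its parents: depth is how many labels
        # sit below the candidate suffix.
        for depth in range(len(labels)):
            candidate = ".".join(labels[depth:])
            if candidate in self.suffix and depth <= self.max_labels:
                return candidate
        return None


def resolve(qname: str, blocklist: DomainBlocklist,
            upstream: Dict[str, str] = UPSTREAM) -> Tuple[Optional[str], Optional[str]]:
    """Return (answer, matched_entry). A blocked name gets the trap address
    regardless of whether upstream knows it; other names get the upstream
    answer, or None when no record exists."""
    hit = blocklist.match(qname)
    if hit is not None:
        return TRAP_IP, hit
    return upstream.get(normalize(qname)), None


if __name__ == "__main__":
    bl = DomainBlocklist(exact=["login.example.net"], suffix=["blocked.example"])
    for name in ["www.example.com", "deep.sub.blocked.example.",
                 "notyet.blocked.example", "login.example.net",
                 "sub.login.example.net"]:
        print(f"{name:30} -> {resolve(name, bl)}")
```

The point the model makes explicit: a name under a suffix entry is trapped even when no upstream record exists for it yet, whereas a subdomain of an exact-mode entry is not matched at all, which is why the choice between the two object modes matters before hundreds of names are loaded.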

Re: Blocking list of domain names (FQDN) with R80.10

Hi Nick,

Thank you for taking the time to reply to me. I should clarify that I would block non-FQDN domains, blocking up to the first 10 layers of sub-domains. Is it only possible to achieve "blocking a list of domain names" by using Domain Objects, or are there other options available? I worry that it would not be optimal to place hundreds of domain names into a Domain Object.

Is there any way for me to use Application Control & URL Filtering to achieve blocking a list of domain names instead?

I reviewed sk120633 and sk90401 prior to this, so I am familiar with the documentation; although, I am new to Checkpoint Firewall, so I'm taking things one step at a time.

0 Kudos
Re: Blocking list of domain names (FQDN) with R80.10

Hi PhoneBoy,

Thank you for your feedback. Someone had mentioned the Anti-Bot DNS Trap solution before, but it didn't seem feasible at the time since all of the documentation and community discussion that I've read has pointed to Domain Objects. Your suggested solution sounds promising.

So, if we enable the Anti-Virus and/or Anti-Bot blades, we can enable Malware DNS Trap Activation, point the traffic to a bogus IP, and import a list of domain names to block from a CSV? If this actually works, then this sounds perfect.

For the domains that we would like to block, would there be any performance issue if I pointed 10,000+ domain names to bogus IP addresses? What overhead could the DNS Trap solution cause, and why?

If you could answer these questions for me, I'll be very grateful! I'm sure other readers will be grateful as well.

0 Kudos
Admin

Re: Blocking list of domain names (FQDN) with R80.10

If you're already using IPS and/or App Control, then the performance impact will be negligible.
If you're doing Firewall only, then yes you will probably notice a performance impact.

One word of caution is that I would break up the domains into several CSVs, maybe around 1,000 entries per file, and publish after uploading each one.
This is more for the management server performance while applying the changes than anything else.
0 Kudos
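The accepted answer shows the row layout for the indicator CSV, and the reply above recommends splitting a large list into files of roughly 1,000 entries. The following added example (not Check Point tooling) turns a plain domain list into that row layout, validates and de-duplicates the names, and splits the output into files of a configurable size with the observN names continuing across files so they stay unique. The column meanings given in the comments (name, value, type, confidence, severity, product, comment) are this example's reading of the sample rows; the sample input is constructed.

```python
"""Turn a plain list of domains into custom-indicator CSV text in the
seven-column row layout shown in the accepted answer, split into files of
at most 1,000 rows as advised above. Added example, not Check Point tooling.
The column meanings (name, value, type, confidence, severity, product,
comment) are this example's reading of the sample rows; confirm the indicator
file format in the product documentation before relying on it."""
import csv
import io
import re
from pathlib import Path
from typing import Iterable, Iterator, List

LABEL_RE = re.compile(r"[a-z0-9-]+")


def is_valid_domain(d: str) -> bool:
    """Syntactic check only (RFC 1035 label rules). Registration is not
    checked, so not-yet-registered domains pass, which is the point here."""
    if not d or len(d) > 253:
        return False
    labels = d.split(".")
    if len(labels) < 2:
        return False
    return all(
        1 <= len(lb) <= 63 and LABEL_RE.fullmatch(lb) is not None
        and lb[0] != "-" and lb[-1] != "-"
        for lb in labels
    )


def clean_domains(raw: Iterable[str]) -> List[str]:
    """Normalize, validate and de-duplicate, keeping first-seen order.
    Blank lines and '#' comments are skipped; a malformed entry raises so a
    typo cannot silently become an indicator that never matches anything."""
    seen, out = set(), []
    for line in raw:
        d = line.strip().lower().rstrip(".")
        if not d or d.startswith("#"):
            continue
        if not is_valid_domain(d):
            raise ValueError(f"not a valid domain name: {line!r}")
        if d not in seen:
            seen.add(d)
            out.append(d)
    return out


def indicator_rows(domains: Iterable[str], start: int = 1, severity: str = "low",
                   product: str = "AV", comment: str = "Domain_to_block") -> Iterator[List[str]]:
    """Rows in the sample layout: observN,domain,Domain,,low,AV,Domain_to_block
    (the empty field is the confidence column, left blank as in the sample)."""
    for n, d in enumerate(domains, start):
        yield [f"observ{n}", d, "Domain", "", severity, product, comment]


def build_csv_chunks(domains: List[str], chunk_size: int = 1000) -> List[str]:
    """Split into CSV strings of at most chunk_size rows; observ numbering keeps
    counting across files so names stay unique after every upload."""
    chunks = []
    for offset in range(0, len(domains), chunk_size):
        buf = io.StringIO()
        writer = csv.writer(buf, lineterminator="\n")
        writer.writerows(indicator_rows(domains[offset:offset + chunk_size], start=offset + 1))
        chunks.append(buf.getvalue())
    return chunks


def write_chunks(chunks: List[str], out_dir: str, prefix: str = "block_domains") -> List[Path]:
    """Write each chunk as <prefix>_<nn>.csv under out_dir and return the paths."""
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    paths = []
    for i, text in enumerate(chunks, 1):
        p = out / f"{prefix}_{i:02d}.csv"
        p.write_text(text, encoding="utf-8")
        paths.append(p)
    return paths


if __name__ == "__main__":
    # Constructed sample input, as it might come from a text file.
    sample = ["SomeDomain1.com.", "somedomain2.com", "somedomain1.com", "",
              "# internal note", "somedomain3.com"]
    for i, chunk in enumerate(build_csv_chunks(clean_domains(sample), chunk_size=2), 1):
        print(f"--- file {i} ---\n{chunk}", end="")
```

Run with `chunk_size=1000` for the split recommended above, upload the resulting files one at a time and publish after each, as the reply suggests.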
Re: Blocking list of domain names (FQDN) with R80.10

PhoneBoy, again, thank you for your useful feedback.

If we are only using a Firewall, will the performance impact be comparable to what it would be if we were to use IPS and/or App Control? An explanation of the performance impact is likely the last thing that I would like to request from the community here; where does the performance impact come from?

Also, to vaguely answer Wolfgang's question, we have a custom list of domain name addresses that we want to block, even if they are not registered yet. I understand that CheckPoint maintains separate lists of threat intel feeds, but our custom list focuses on very specific targeted attacks. The list may not actually be 10,000 domain names, maybe a few thousand, but I thought that I'd be safe and use a larger number.

0 Kudos
Admin

Re: Blocking list of domain names (FQDN) with R80.10

Anti-Bot uses the same underlying infrastructure to process the packets as IPS and App Control.
As such, I would expect the performance impact to be similar.
0 Kudos

Re: Blocking list of domain names (FQDN) with R80.10

Hello PhoneBoy,

We have implemented the first part for the DNS Traps.

But for uploading the domains, is there a specific format for the objects?

We have our blocked domains in a CSV already and already created in the Domain.

Can we use a group? Or do we have to re-run the CSV, and will that cause any issues with the existing domains? Are they dynamic objects or regular hosts? Because the example given does not look like the regular CSV object we used from the API example.

0 Kudos