High Rate of DNS failures with SMTP Gateway

We have Proofpoint for SMTP protection services. Ever since implementing Checkpoint we've seen this error message from Proofpoint:


Reputation Query DNS Error
PPS is encountering a high rate of failures when querying DNS to discover the Proofpoint reputation servers
[2017-09-25 11:12:04.221209 -0400] err src=filter eid=eid.filter.prs.locate mod=dns resolver=prs err="Connection timed out"

Proofpoint can and does query DNS records for all sorts of malicious domains and websites and I do see some messages in the logs about Checkpoint detecting, but allowing malicious DNS requests. 

"Connection was allowed because background classification mode was set. See sk74120 for more information."


But I also see a smattering of 'First packet isn't SYN' drops from Proofpoint to our DNS Server. This out of state stuff to me was always an indication of an upstream drop. 

Anyway, I don't know what to make of it but I can't seem to find a way to exclude Proofpoint for DNS Reputation checks, only individual Protection Names, i.e. Phishing ddjngz. I kind of need Proofpoint to do its job without Checkpoint interference. We never had this issue on previous Juniper firewalls.

Any assistance is appreciated. Thanks,


Accepted Solutions
Admin

Re: High Rate of DNS failures with SMTP Gateway

Have you tried adding an Exception for the Proofpoint servers in your Threat Prevention policy?

Something like:

Re: High Rate of DNS failures with SMTP Gateway

Thank you. I didn't get how to write exceptions for this but your screenshot led me to the correct solution. I created an exception rule, From my Proofpoints, To my DNS servers, service DNS, permit. They have to process all kinds of nasty queries. Many thanks.

Justin

Admin

Re: High Rate of DNS failures with SMTP Gateway

I'm guessing you probably did something like this then (in Exceptions versus Policy, as I showed above):

If you used "Inactive" instead, I recommend using "Detect" instead.

It will give you additional visibility into what the Proofpoints are seeing (or possibly not seeing).


Re: High Rate of DNS failures with SMTP Gateway

That is exactly how I did it except as you suspected, I did the Inactive. I guess I see it as less overhead just to ignore it. Proofpoint is constantly resolving bad hostnames on purpose to check for their reputation. I don't know if I care to see it or have it fill up my logs.
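
To confirm that an exception like the one discussed in this thread actually stopped the resolver timeouts, the `eid.filter.prs.locate` errors in the Proofpoint filter log can be counted before and after the policy install. This is an added example, not part of the thread and not Proofpoint or Check Point code. It assumes the log line format quoted in the original post; the extra sample lines, the placeholder `eid`, and the change time are constructed.

```python
import re
from datetime import datetime, timedelta, timezone

# Line shape taken from the post:
# [2017-09-25 11:12:04.221209 -0400] err src=filter eid=... mod=dns resolver=prs err="..."
LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\]\s+(?P<level>\S+)\s+(?P<rest>.*)$')
# key=value pairs; values are either "quoted with spaces" or a bare token
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

def parse_line(line):
    """Return (timestamp, level, fields) or None if the line has another shape."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S.%f %z")
    except ValueError:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return ts, m.group("level"), fields

def prs_failures(lines, change_time):
    """Count reputation-server DNS lookup errors before and after change_time."""
    counts = {"before": 0, "after": 0}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip lines that are not in the expected format
        ts, level, f = parsed
        if (level == "err" and f.get("eid") == "eid.filter.prs.locate"
                and f.get("mod") == "dns"):
            counts["before" if ts < change_time else "after"] += 1
    return counts

# Constructed sample: the first line is the one quoted in the post, the rest are made up.
SAMPLE = [
    '[2017-09-25 11:12:04.221209 -0400] err src=filter eid=eid.filter.prs.locate mod=dns resolver=prs err="Connection timed out"',
    '[2017-09-25 11:12:09.004511 -0400] err src=filter eid=eid.filter.prs.locate mod=dns resolver=prs err="Connection timed out"',
    '[2017-09-25 11:13:30.100000 -0400] info src=filter eid=eid.example.placeholder mod=dns',
    '[2017-09-25 12:30:00.000001 -0400] err src=filter eid=eid.filter.prs.locate mod=dns resolver=prs err="Connection timed out"',
    'line in some other format',
]
# Constructed time of the Threat Prevention policy install (assumption).
CHANGE_TIME = datetime(2017, 9, 25, 12, 0, tzinfo=timezone(timedelta(hours=-4)))

if __name__ == "__main__":
    print(prs_failures(SAMPLE, CHANGE_TIME))
```

A count that stays non-zero after the change suggests the timeouts have another cause, such as the "First packet isn't SYN" drops mentioned in the original post.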
