Re: DNS Passive Learning Design Question

Brian_Deutmeyer · ‎2020-03-04

In regards to the new R80.40 feature, DNS Passive Learning, I'm curious if all DNS requests can be watched or only certain ones. sk161612 talks about using the same resolver as the gateway or configuring a setting in an object to mark it as a DNS server, but in this scenario, the firewall sees the needed DNS requests, just FROM the DNS servers making the recursive request to the internet. It does NOT see the request between the client and the DNS server. I don't know what recursive servers are on the internet, so I can't create objects there. Can the gateway watch the DNS between the DNS server AND the internet?

PhoneBoy · ‎2020-03-07

Only the requests to known DNS servers can be watched.
The reason for this is that DNS requests could traverse the gateway that are going to malicious DNS servers.
We assume the gateway is using a "trusted" DNS server.
Any other DNS server defined as described in sk161612 is considered trusted.
FYI, the list and IPs of the root name servers is well known and published: https://www.iana.org/domains/root/servers
What your internal DNS server is using is a different matter, and I assume whoever manages your DNS server can tell you that.

Brian_Deutmeyer · ‎2020-03-07

What about requests FROM known DNS servers? Can those be watched?

HeikoAnkenbrand · ‎2020-03-08

Hi @Brian_Deutmeyer

DNS Passive Learning is a mechanism for constructing an IP / domain cache in which DNS traffic will be inspected and parsed for these purposes. This only works for defined DNS servers in an FW object. In this case the DNS answers are written to the FW DNS cache. It does not work for undefined DNS servers.

DNS Passive Learning is enabled by default in R80.40.

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips

PhoneBoy · ‎2020-03-08

No, the mechanism will only trust DNS information received from known DNS servers, regardless of who is making the query (a client or a DNS server).

Rob_Bush · ‎2020-06-18

Forgive me for asking, but what exactly is DNS Passive Learning from Checkpoint? I've been trying to do some searches both on the forums here, the Checkpoint KB's and the Internet as a whole and I'm getting glimpses of what it's supposed to do, but nothing is completely clear about what it provides? All of my DNS servers are marked as DNS servers on my firewalls as described, so I presume my gateways are using this DNS Passive Learning, but I don't know exactly what that means?

Brian_Deutmeyer · ‎2020-06-18

Disclaimer: I don't have this setup as I'm waiting for an additional feature.

Check out sk161612 for more information.

This feature allows you to specify a domain (and the subdomains) to allow access to. Let's say a source needs access to *.something.biz and there isn't' a relevant application. You can try to write you own application, but often, that might not be feasible (think non-web encrypted traffic). The gateway can watch the DNS requests looking for anything that matches something.biz and store the corresponding IPs in its cache. This way when the rule in question is evaluated, the gateway can check the cache and allow/deny access.

A domain object won't work here because reverse DNS doesn't exist or doesn't match the site.

An FQDN domain object won't work here because you don't know all the FQDNs that will be called.

Make sense?

PhoneBoy · ‎2020-06-18

But, for this feature to work, queries to those trusted DNS servers must traverse the gateway.
Otherwise, we can't "learn" about these mappings passively.

shasenst · ‎2020-08-29

Hello,

I have two questions regarding DNS passive learning:

1) will the DNS-entries, which are learned by DNS passive learning, be replicatet to the standby-member in an Cluster-environment (active/passive)

2) how can I querry the list which is learned by DNS passive learning. Can it be done with the "domains_tool"?

Thank you in advance

Best regards

Sascha

Brian_Deutmeyer · ‎2021-01-07

@shasenst

1. I'm not 100% sure, but checking it out on a cluster, I see some entries replicated for a domain, but not all. So I'm not sure if there is a time period before a sync or what.

2. domains_tool -d <domain> || domains_tool -ip <ip_addr>

One more side note on something I discovered. If you are watching the recursive traffic from a local DNS server to the authoritative name server and the request type is CNAME (not A), the firewall will not populate the entry since the response isn't an IP address and passive learning doesn't watch the chain. If the firewall is watching client to DNS server communications, this is NOT an issue since the DNS server will respond with the full chain (CNAME + A).

faridb · ‎2023-11-22

Hello PhoneBoy,

it's been a while ( Since R55 ) lol

Can you clarify , but i believe so , if the customer has an internal DNS server behind the GW that is authoritative , so no forwarding nor relay to an external specific DNS server ( SP DNS for instance ) , it will not work right ?

as we need to declare the external DNS server to which requests will be monitored ...

i assume we need to declare a non-FQDN domain object as well , right ?

thanks ,

Farid

PhoneBoy · ‎2023-11-23

For DNS Passive Learning to work, the Security Gateway must be in the path to actually see the DNS Requests and the “trusted” DNS servers must be explicitly configured (either using the same DNS as configured in on the gateway OR explicitly configured DNS Server objects).
In the environment you’ve described, additional configuration will be required to make this work.

faridb · ‎2023-11-23

thank you , i understand ...and this needs to be clarified with the customer for my particular use case.

can you confirm that it will enhance the situation where non-fqdn domain are used and in the case where no reverse dns entries exists in DNS ?

PhoneBoy · ‎2023-11-28

Not sure if this will work with non-FQDN.

Are you a member of CheckMates?

DNS Passive Learning Design Question