DNS Passive Learning Design Question

With regard to the new R80.40 feature, DNS Passive Learning, I'm curious whether all DNS requests can be watched or only certain ones. sk161612 talks about using the same resolver as the gateway or configuring a setting in an object to mark it as a DNS server, but in this scenario, the firewall sees the needed DNS requests, just FROM the DNS servers making the recursive request to the internet. It does NOT see the request between the client and the DNS server. I don't know what recursive servers are on the internet, so I can't create objects there. Can the gateway watch the DNS between the DNS server AND the internet?


Re: DNS Passive Learning Design Question

Only the requests to known DNS servers can be watched.
The reason for this is that DNS requests could traverse the gateway that are going to malicious DNS servers.
We assume the gateway is using a "trusted" DNS server.
Any other DNS server defined as described in sk161612 is considered trusted.
FYI, the list and IPs of the root name servers are well known and published: https://www.iana.org/domains/root/servers
What your internal DNS server is using is a different matter, and I assume whoever manages your DNS server can tell you that.
Re: DNS Passive Learning Design Question

What about requests FROM known DNS servers? Can those be watched?

Re: DNS Passive Learning Design Question

Hi @Brian_Deutmeyer

DNS Passive Learning is a mechanism for constructing an IP / domain cache in which DNS traffic will be inspected and parsed for these purposes. This only works for defined DNS servers in an FW object. In this case the DNS answers are written to the FW DNS cache. It does not work for undefined DNS servers.

DNS Passive Learning is enabled by default in R80.40.

Re: DNS Passive Learning Design Question

No, the mechanism will only trust DNS information received from known DNS servers, regardless of who is making the query (a client or a DNS server).
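The trust rule stated in the two answers above (answers are learned only when they come from a DNS server defined in an object, regardless of who asked) as an added simulation, not Check Point's code: the record layout, the IP addresses and the PassiveDnsCache class are all constructed for illustration. It also shows the questioner's scenario: traffic from the internal server's upstream forwarder is ignored until that forwarder is defined as a DNS server.

```python
"""Constructed simulation of the DNS passive learning trust rule (not Check Point code)."""
from __future__ import annotations
from dataclasses import dataclass
import ipaddress


@dataclass
class DnsAnswer:
    """One DNS response seen by the gateway (simplified: no wire-format parsing)."""
    src_ip: str        # server that sent the answer
    dst_ip: str        # querier receiving it (a client or a forwarding DNS server)
    qname: str
    rdata: list[str]   # A-record addresses in the answer section
    ttl: int


class PassiveDnsCache:
    """IP -> domain cache that only learns from defined (trusted) DNS servers."""

    def __init__(self, trusted_servers: list[str]):
        self.trusted = {ipaddress.ip_address(s) for s in trusted_servers}
        self.cache: dict[str, tuple[str, float]] = {}  # ip -> (domain, expiry)

    def observe(self, ans: DnsAnswer, now: float) -> bool:
        """Learn from the answer only if the responder is trusted; the querier is irrelevant."""
        if ipaddress.ip_address(ans.src_ip) not in self.trusted:
            return False
        domain = ans.qname.lower().rstrip(".")
        for ip in ans.rdata:
            self.cache[ip] = (domain, now + ans.ttl)
        return True

    def lookup(self, ip: str, now: float) -> str | None:
        """Return the learned domain for an IP, evicting it once its TTL has expired."""
        entry = self.cache.get(ip)
        if entry is None or entry[1] <= now:
            self.cache.pop(ip, None)
            return None
        return entry[0]


def demo() -> tuple[bool, bool, str | None, str | None]:
    now = 1000.0
    internal_dns, forwarder = "10.0.0.53", "198.51.100.53"   # constructed addresses
    # The gateway only sees the internal server talking to its upstream forwarder.
    upstream_to_internal = DnsAnswer(forwarder, internal_dns, "example.com.", ["93.184.216.34"], 300)
    only_internal = PassiveDnsCache([internal_dns])
    learned_before = only_internal.observe(upstream_to_internal, now)     # forwarder unknown
    with_forwarder = PassiveDnsCache([internal_dns, forwarder])
    learned_after = with_forwarder.observe(upstream_to_internal, now)     # forwarder defined
    return (learned_before, learned_after,
            with_forwarder.lookup("93.184.216.34", now),
            with_forwarder.lookup("93.184.216.34", now + 301))            # expired by TTL
```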