Hacking DNS TechTalk: Video, Slides, and Q&A
Slides attached below.
Q&A appears below the video.
Do you have recent statistics on what percentage of total name resolver traffic is secure DNS requests (TCP/853, HTTPS, etc.) nowadays?
Roughly 5%.
How many root servers are there around the world, and how is synchronization done among them?
There are 13 root servers. More details here.
Is PTR the same as reverse lookup?
Yes, PTR records are IP to name mappings.
What book is Ralph recommending?
DNS and Bind (5th Edition) by Cricket Liu and Paul Albitz. It's available on Amazon (among other places): https://www.amazon.com/DNS-BIND-5th-Cricket-Liu/dp/0596100574/ref=sr_1_1?crid=3FWUOTXHYDAO&keywords=...
What kind of adoption are you seeing DNSSEC getting?
According to the public source, it is not growing fast, currently roughly at about 5% usage.
What is the best practice for the TTL?
Unless the IP address for the record changes regularly (e.g. a dynamic IP), the TTL should not be short. A short TTL will increase load on your DNS servers.
How do Check Point customers detect/prevent DNS tunneling attacks?
Use our Threat Prevention blades. Specifically:
- IPS: preventing known attacks trying to utilize known vulnerabilities on DNS infrastructure
- Anti-Virus: preventing download of malicious files
- Anti-Bot: preventing access to known malicious sites and verifying traffic behavior
- DNS requests are verified against ThreatCloud. If a request is found to be malicious, it is answered with the DNS Trap IP address as the response (see sk74060 and the Threat Prevention Administration Guide R81.10 for details). For DNS Tunneling protection, see sk178487.
- Protocol Parsers (Inspection Settings): making sure protocols respect defined standards
Can Check Point ingest external threat feeds?
We have various methods to ingest threat feeds, yes (ioc_feeds using AV/AB in R80.x, Network Feeds in R81.20+). If you are ingesting threat feeds (regardless of mechanism), it is HIGHLY recommended to upgrade to R81.20 since it is able to support substantially more indicators.
Can you explain the deep learning part - how does it do this?
Out of scope for this session, but we intend to cover it in the future.
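As an added illustration of the "detect DNS tunneling" question above (this is example code, not Check Point's or ThreatCloud's logic), here is a small heuristic run over constructed resolver log lines: a registered domain is flagged when many of its queries carry long, high-entropy leftmost labels, which is the pattern that encoded data in subdomains produces. The log format, thresholds and the two-label "registered domain" rule are assumptions for the example.

```python
import math
from collections import defaultdict

# Constructed sample resolver log, "<client> <qname> <qtype>" per line (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 www.example.com A
10.0.0.5 mail.example.com MX
10.0.0.7 3q2b7f9a0c1d4e5f6a7b8c9d0e1f2a3b.tunnel.example.net TXT
10.0.0.7 9z8y7x6w5v4u3t2s1r0q9p8o7n6m5l4k.tunnel.example.net TXT
10.0.0.7 a1b2c3d4e5f60718293a4b5c6d7e8f90.tunnel.example.net TXT
10.0.0.7 f0e1d2c3b4a5968778695a4b3c2d1e0f.tunnel.example.net TXT
10.0.0.9 cdn.example.org A
"""

def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def registered_domain(qname: str) -> str:
    """Last two labels of the name (assumption: no multi-label public suffixes)."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])

def score_domains(log_text: str, min_queries=4, min_label_len=24, min_entropy=3.5):
    """Return {domain: (query_count, avg_entropy)} for domains that look like tunnels."""
    stats = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        _client, qname, _qtype = parts
        labels = qname.rstrip(".").split(".")
        if len(labels) < 3:
            continue  # no subdomain label to measure
        leftmost = labels[0]  # where tunneling tools usually put encoded data
        stats[registered_domain(qname)].append((len(leftmost), shannon_entropy(leftmost)))
    flagged = {}
    for dom, vals in stats.items():
        if len(vals) < min_queries:
            continue  # too few queries to judge
        avg_len = sum(l for l, _ in vals) / len(vals)
        avg_ent = sum(e for _, e in vals) / len(vals)
        if avg_len >= min_label_len and avg_ent >= min_entropy:
            flagged[dom] = (len(vals), round(avg_ent, 2))
    return flagged
```

Tune the thresholds against your own baseline: CDNs and some telemetry services also use long machine-generated labels, so a hit is a lead for investigation, not a verdict.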
Missed the presentation, will watch it later on, but for anyone who cares to watch... here is, in my opinion, the BEST video on the Internet about DNS. This YouTube channel is gold... guy explains things like a pro.
Andy
Thanks for sharing! This certainly does a great job of clearly describing the DNS process!
Hubert (Ralph) Bonnell
Security Engineer
Check Point Software Technologies Inc.
Covering United States: Washington Oregon Idaho Alaska
By far, the best explanation out there, in my view.
Ralph is being too nice. This is DNS for dummies video, which is useful, but also very basic 🙂
@the_rock watch the TechTalk, Ralph did a great job taking it to the actual expert level.
Yes! Watched it already, fantastic work.
Nice to see you here. 😀
Buddyyyy, Im always here HAHAHAHA...hope ur well!!
Andy
Hi,
I enjoyed the presentation. But at the end, there is dangerous misinformation spread. TCP Port 53 is NOT only used for zone transfers. This is plainly wrong. Any DNS resolver can move to TCP if the response is too large for a single UDP packet. This happened e.g. when Google started using more IPv6 on their authoritative DNS servers...
ALWAYS allow both TCP and UDP Port 53 for your clients towards the resolvers.
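To make the point above concrete, here is an added example (not from the presentation or the poster) of the mechanism that forces the switch: a UDP answer that did not fit carries the TC (truncated) flag in the DNS header, and the client must repeat the same query over TCP/53, where every message is prefixed with a 2-byte length (RFC 1035, section 4.2.2). The response bytes are constructed inline; no network is used.

```python
import struct

def build_query(qname: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS query: 12-byte header plus one question (no EDNS)."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD=1; QDCOUNT=1
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack(">HH", qtype, 1)  # QCLASS=IN

def is_truncated(msg: bytes) -> bool:
    """True if the TC flag (bit 9 of the header flags word) is set."""
    if len(msg) < 12:
        raise ValueError("short DNS header")
    flags = struct.unpack(">H", msg[2:4])[0]
    return bool(flags & 0x0200)

def frame_for_tcp(msg: bytes) -> bytes:
    """Prefix a DNS message with its big-endian 2-byte length, as TCP/53 requires."""
    return struct.pack(">H", len(msg)) + msg

def choose_transport(udp_response: bytes) -> str:
    """'udp' if the UDP answer is complete, 'tcp' if the query must be retried over TCP."""
    return "tcp" if is_truncated(udp_response) else "udp"

# Constructed responses to the query above. Flags 0x8380 = QR, TC, RD, RA;
# 0x8180 = QR, RD, RA. Answer sections are left empty for brevity.
QUESTION = build_query("example.com")[12:]
TRUNCATED_RESPONSE = struct.pack(">HHHHHH", 0x1234, 0x8380, 1, 0, 0, 0) + QUESTION
COMPLETE_RESPONSE = struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 0, 0, 0) + QUESTION

if __name__ == "__main__":
    q = build_query("example.com", qtype=28)  # AAAA, the record type that commonly grows answers
    print("UDP answer truncated -> use", choose_transport(TRUNCATED_RESPONSE))
    print("TCP framing adds length prefix:", frame_for_tcp(q)[:2].hex())
```

A firewall rule that drops TCP/53 does not break resolution for small answers, which is why the problem often goes unnoticed until a large response (IPv6, DNSSEC, many records) triggers the retry.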
I guess the answer depends on who you ask, but you make a good point.
Andy
You are correct. I did not realize this and if you watch the rest of the presentation you will hear this get mentioned in the Q&A at the end so I have a chance to correct that mistake….
Hubert (Ralph) Bonnell
Security Engineer
Check Point Software Technologies Inc.
Covering United States: Washington Oregon Idaho Alaska