This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Shahar_Grober
Advisor
‎2018-08-28 05:01 AM

URL Filtering using DNS

I had an interesting discussion about performing URL filtering using DNS only instead of URLs which allows faster resolving and will allow controlling of remote offices internet traffic without deploying URL Filtering on remote gateways or force redirection of internet traffic through the corporate gateway. This means that all DNS requests from remote offices are inspected by the gateway and allowed/blocked based on the DNS resolving. I know that the Anti-bot uses DNS for malicious website and also according to the "the R80.x Security Gateway Architecture (Content Inspection)" the RAD is using DNS as well but I am wandering if the URL filtering can be done based on the DNS request of the remote hosts or the http/https connection has to be opened and pass through the gateway.

This is similar to OpenDNS solution for Web Content filtering Web Content Filtering and Security – OpenDNS

Any insights are welcome. 

11 Replies
G_W_Albrecht
MVP Silver
MVP Silver
‎2018-08-28 05:06 AM

i would suggest sk92743 ATRG: URL Filtering for technical details.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Shahar_Grober
Advisor
‎2018-08-28 05:14 AM
In response to G_W_Albrecht

I already looked at it. There is no mention to use of DNS by URLF or RAD

L Filtering Categorization Flow

although the "R80.x Security Gateway Architecture (Content Inspection)" says that there is use of DNS with RAD

It would be nice to know if Check Point can support the scenario in my original question or not 

G_W_Albrecht
MVP Silver
MVP Silver
‎2018-08-28 06:15 AM

I do not think that this is possible - URLF checks the URL in the internal database first and, if niot successfull, sends a request to online detection service. So, no DNS is contacted here before the URL categorization is finished. The OpenDNS solution rather is a competitor to CP URLF with very a small set of features.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Shahar_Grober
Advisor
‎2018-08-28 06:23 AM

Thanks for the information Gunthar, 

No argue that CP can provide better functionality than OpenDNS. I was just wandering if Check Point can provide similar functionality giving the fact that the infrastructure already exist with Anti-bot to block malicious DNS requests

0 Kudos
G_W_Albrecht
MVP Silver
MVP Silver
‎2018-08-28 07:12 AM
In response to Shahar_Grober

CP is using very similar functionality, but does not disguise itself as DNS server 😉 Did you read sk31727 and sk35484 already ?

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
Shahar_Grober
Advisor
‎2018-08-28 07:44 AM
In response to G_W_Albrecht

This is good information. bottom line is that Check Point products do not implement DNS server functionality and therefore cannot perform URL filtering based on DNS requests. 

0 Kudos
PhoneBoy
Admin
Admin
‎2018-08-28 08:03 AM

DNS doesn't factor into URL filtering at all.

The main problem with using DNS as I see it is that a number of sites could use the same IP address.

You may allow access to some sites on the same IP, but block others.

Also I could access a given IP without doing a DNS lookup (e.g. Because of caching, poisoned or otherwise).

0 Kudos
G_W_Albrecht
MVP Silver
MVP Silver
‎2018-08-29 12:31 AM
In response to PhoneBoy

Let me put it like this: With OpenDNS, you use the DNS lookup for performing URLF. With CP URLF, no DNS request will be made at all if the URL is blocked.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Shahar_Grober
Advisor
‎2018-08-30 01:13 AM
In response to G_W_Albrecht

Deamon and Gunther,

Thanks for the answers. I agree that using URLF is the best possible solution. I am trying to figure out what is the best solution if I can't route end users traffic through the gateway. I am thinking about Endpoint security with URLF blade will be a suitable replacement but it is not deployed at the moment. what do you think?

0 Kudos
PhoneBoy
Admin
Admin
‎2018-08-30 08:37 AM
In response to Shahar_Grober

Either Endpoint URLF or Capsule Cloud would be reasonable in these cases.

Both would work regardless of where the end users are.

Ranokarno_Ranok
Participant
‎2018-12-13 01:03 AM

I agree with Shahar Grober
it will be better if Checkpoint can perform dns filtering instead of relying on 3rd party appliances such as infoblox or other dns firewall outside.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events