Copper

large amounts of DNS traffic

After upgrading to R80.10, I started seeing some interesting traffic reported as DNS.

from the individual session

We have DNS locked down to only a few approved servers. We have an IPS rule in place to look for DNS tunneling.

Any thoughts?

thanks  

7 Replies
Pearl

Re: large amounts of DNS traffic

DNS is often used as the channel for updates (legitimate) as well as data exfiltration (malicious).

Can you tell me which DNS servers you have approved the egress traffic to? 

Copper

Re: large amounts of DNS traffic

Our Windows domain controllers.

Pearl

Re: large amounts of DNS traffic

But are your Windows DCs configured as recursive DNS servers to allow upstream lookups?

If yes, and there are no rules in the firewalls preventing their egress traffic on port 53, then essentially they are acting as DNS proxies, forwarding all requests for non-cached entries further upstream.

Copper

Re: large amounts of DNS traffic

They are, and I agree with you. 10s to 100s of MB of DNS traffic seems very odd.

Pearl

Re: large amounts of DNS traffic

Since I know nothing about your infrastructure, it is hard for me to make accurate suggestions, but if you are concerned with your DNS traffic and would like to have more visibility into it, you may consider one of the following options:

1. Enable Name Resolution, if not yet enabled, for the logs to get better granular visibility in traffic-to-destination.

2. If your AntiBot blade is not yet enabled, please do so, as it will reduce the possibility of C&C traffic.

3. This one I cannot recommend, as I vaguely recall reading about unexpected bad consequences of designating DCs as Internal DNS Servers, but the option is there and I would welcome the input from Check Point and community as to its current state:

DNS Malware trap 

Another thing you may consider doing is subscribing to a third-party DNS filtering service, such as OpenDNS, and designating their servers for your upstream lookups.

Admin

Re: large amounts of DNS traffic

Just make sure that DNS traffic is not generated by R80.10 itself 🙂 SmartLog might do that, trying to resolve all IPs in the logs.

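As an added example (not code from this thread, from Check Point or from any poster), the script below does the kind of per-source DNS accounting that Pearl's visibility advice and the SmartLog hint point at: it aggregates port-53 flows from constructed sample log lines, flags an internal resolver forwarding to an upstream outside an approved list, flags management hosts doing their own lookups, and flags top talkers. The key=value log format, the addresses and the threshold are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample lines in a generic key=value style (not Check Point's
# real log format). 10.1.1.5 plays the DC/internal resolver, 10.1.1.200 the
# management/log server, 198.51.100.53 an unapproved upstream resolver.
SAMPLE_LOGS = """\
src=10.1.1.10 dst=10.1.1.5 dport=53 bytes=78
src=10.1.1.11 dst=10.1.1.5 dport=53 bytes=64
src=10.1.1.5 dst=198.51.100.53 dport=53 bytes=90
src=10.1.1.5 dst=198.51.100.53 dport=53 bytes=95
src=10.1.1.5 dst=198.51.100.53 dport=53 bytes=88
src=10.1.1.200 dst=10.1.1.5 dport=53 bytes=81
src=10.1.1.200 dst=10.1.1.5 dport=53 bytes=83
src=10.1.1.200 dst=10.1.1.5 dport=53 bytes=79
src=10.1.1.200 dst=10.1.1.5 dport=53 bytes=85
src=10.1.1.12 dst=10.1.1.5 dport=443 bytes=1500
"""

LINE_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+) bytes=(\d+)")

def summarize_dns(log_text):
    """Aggregate port-53 flows per source: query count, bytes, destinations."""
    stats = defaultdict(lambda: {"queries": 0, "bytes": 0, "dsts": set()})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m.group(3) != "53":
            continue  # skip unparseable lines and non-DNS flows
        src, dst, _, nbytes = m.groups()
        stats[src]["queries"] += 1
        stats[src]["bytes"] += int(nbytes)
        stats[src]["dsts"].add(dst)
    return dict(stats)

def find_anomalies(stats, internal_dns, approved_upstream, mgmt_hosts, max_queries):
    """Flag (a) DNS sent outside the approved set (clients must use the
    internal resolvers; the resolvers may only forward to approved upstreams),
    (b) management/log hosts generating lookups themselves, and
    (c) any source above a query-count threshold."""
    findings = []
    for src, s in sorted(stats.items()):
        allowed = approved_upstream if src in internal_dns else internal_dns
        for dst in sorted(s["dsts"] - allowed):
            findings.append((src, "unapproved_resolver", dst))
        if src in mgmt_hosts:
            findings.append((src, "mgmt_host_resolving", s["queries"]))
        if s["queries"] > max_queries:
            findings.append((src, "high_volume", s["queries"]))
    return findings
```
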
Copper

Re: large amounts of DNS traffic

Issue resolved. PEP tables were corrupt.

Ran the command: # fw tab -t pep_networks_to_pdp_db -t pep_net_reg -t pep_reported_network_masks_db -x -y

Before running the command we were seeing 2 million DNS records an hour (below).

Thanks everyone for your responses.
