Neil_ZInk
Collaborator

large amounts of DNS traffic

After upgrading to R80.10, I started seeing some interesting traffic reported as DNS.

From the individual session:

We have DNS locked down to only a few approved servers. We have an IPS rule in place to look for DNS tunneling.

Any thoughts?

Thanks

0 Kudos
8 Replies
Vladimir
Champion
Champion

DNS is often used as the channel for updates (legitimate) as well as data exfiltration (malicious).

Can you tell me which DNS servers you have approved the egress traffic to? 

0 Kudos
Neil_ZInk
Collaborator

Our Windows domain controllers.

0 Kudos
Vladimir
Champion
Champion

But are your Windows DCs configured as recursive DNS servers to allow upstream lookups?

If yes, and there are no rules in the firewalls preventing their egress traffic on port 53, then essentially they are acting as DNS proxies, forwarding all requests for non-cached entries further upstream.

0 Kudos
Neil_ZInk
Collaborator

They are, and I agree with you. 10s to 100s of MB of DNS traffic seems very odd.

0 Kudos
Vladimir
Champion
Champion

Since I know nothing about your infrastructure, it is hard for me to make accurate suggestions, but if you are concerned with your DNS traffic and would like to have more visibility into it, you may consider one of the following options:

1. Enable Name Resolution, if not yet enabled, for the logs to get more granular visibility into traffic-to-destination.

2. If your AntiBot blade is not yet enabled, please do so, as it will reduce the possibility of C&C traffic.

3. This one I cannot recommend, as I vaguely recall reading about unexpected bad consequences of designating DCs as Internal DNS Servers, but the option is there and I would welcome the input from Check Point and community as to its current state:

DNS Malware trap 

Another thing you may consider doing is subscribing to a third-party DNS filtering service, such as OpenDNS, and designating their servers for your upstream lookups.

0 Kudos
_Val_
Admin
Admin

Just make sure that DNS traffic is not generated by R80.10 itself 🙂 SmartLog might do that, trying to resolve all IPs in the logs.

0 Kudos
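An added triage example, not from this thread or from Check Point, that runs the checks raised above over constructed DNS log records: which sources besides the approved resolvers send DNS at all, which sources exceed a volume ceiling, how many reverse lookups come from the gateway itself (the SmartLog name-resolution case), and which query names look encoded enough to deserve a tunneling review. The resolver and gateway addresses and all records are assumed values.

```python
"""Triage of a burst of DNS log records: who sends the queries, whether only
the approved resolvers talk upstream, whether the gateway is resolving log
IPs itself, and whether any names look like encoded data."""
import math
from collections import Counter

APPROVED_RESOLVERS = {"10.0.0.10", "10.0.0.11"}  # assumed: the Windows DCs
GATEWAY_IP = "10.0.0.1"                          # assumed: the firewall itself

# Constructed sample records: (source IP, destination IP, queried name).
SAMPLE_RECORDS = [
    ("10.0.0.10", "203.0.113.53", "www.example.com"),
    ("10.0.0.11", "203.0.113.53", "update.example.net"),
    ("10.0.1.25", "198.51.100.9", "mail.example.org"),       # bypasses the DCs
    ("10.0.0.1", "10.0.0.10", "9.113.0.203.in-addr.arpa"),   # gateway reverse lookup
    ("10.0.0.1", "10.0.0.10", "8.113.0.203.in-addr.arpa"),
    ("10.0.0.10", "203.0.113.53", "a9f3k2m8q1z7x4c6v0b5n3.tunnel.example"),
]


def label_entropy(qname):
    """Shannon entropy (bits per char) of the leftmost label; encoded payloads score high."""
    label = qname.split(".")[0]
    if not label:
        return 0.0
    counts = Counter(label)
    return -sum(c / len(label) * math.log2(c / len(label)) for c in counts.values())


def triage(records, approved=APPROVED_RESOLVERS, gateway=GATEWAY_IP,
           max_per_source=3, entropy_limit=3.5, max_label_len=20):
    """Return one finding list (or count) per check, keyed by check name."""
    per_source = Counter(src for src, _, _ in records)
    return {
        # Anything other than the approved resolvers (or the gateway) sending DNS.
        "unapproved_sources": sorted({src for src, _, _ in records} - approved - {gateway}),
        # Sources above the volume ceiling: the symptom reported in the thread.
        "noisy_sources": sorted(s for s, n in per_source.items() if n > max_per_source),
        # Reverse lookups originating from the gateway itself (log name resolution).
        "gateway_reverse_lookups": sum(1 for src, _, q in records
                                       if src == gateway and q.endswith(".in-addr.arpa")),
        # Long or high-entropy first labels: candidates for a tunneling review.
        "suspicious_names": sorted(q for _, _, q in records
                                   if label_entropy(q) > entropy_limit
                                   or len(q.split(".")[0]) > max_label_len),
    }


if __name__ == "__main__":
    for check, result in triage(SAMPLE_RECORDS).items():
        print(f"{check}: {result}")
```

Lower `max_per_source` to the per-hour ceiling you actually expect from a resolver when running this over real exported logs; the entropy threshold is a starting point, not a verdict.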
Neil_ZInk
Collaborator

Issue resolved. PEP tables were corrupt.

Ran the command: # fw tab -t pep_networks_to_pdp_db -t pep_net_reg -t pep_reported_network_masks_db -x -y

Before running the command we were seeing 2 million DNS records an hour (below).

Thanks everyone for your responses.

0 Kudos
Kirupa_Shankar_
Explorer

What is the correlation between pep and dns queries? 

0 Kudos