This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Neil_ZInk
Collaborator
‎2017-11-06 02:14 PM

large amounts of DNS traffic

after upgrading to r80.10,  I started seeing some interesting traffic reported as DNS.   

from the individual session

we have DNS locked down to only a few approved servers.   We have IPS rule in place to look for DNS tunneling.

Any thoughts?

thanks  

0 Kudos
8 Replies
Vladimir
Champion
Champion
‎2017-11-06 05:12 PM

DNS is often used as the channel for updates (legitimate) as well as data exfiltration (malicious).

Can you tell me which DNS servers you have approved the egress traffic to? 

0 Kudos
Neil_ZInk
Collaborator
‎2017-11-06 07:47 PM
In response to Vladimir

our windows domain controllers

0 Kudos
Vladimir
Champion
Champion
‎2017-11-07 05:33 AM
In response to Neil_ZInk

But are your Windows DCs are configured as Recursive DNS servers to allow upstream lookups?

If yes, and there are no rules in the firewalls preventing their egress traffic on port 53, than essentially they are acting as DNS proxies forwarding all requests for non-cached entries further upstream.

0 Kudos
Neil_ZInk
Collaborator
‎2017-11-07 05:36 AM
In response to Vladimir

They are and I agree with you.  10's to 100's mg of DNS traffic seems very odd. 

0 Kudos
Vladimir
Champion
Champion
‎2017-11-07 06:13 AM
In response to Neil_ZInk

Since I know nothing about your infrastructure, it is hard for me to make accurate suggestions, but if you are concerned with your DNS traffic and would like to have more visibility into it, you may consider one of the following options:

1. Enable Name Resolution, if not yet enabled, for the logs to get better granular visibility in traffic-to-destination.

2. If your AntiBot blade is not yet enabled, please do so, as it will reduce the possibility of C&C traffic.

3. This one I cannot recommend, as I vaguely recall reading about unexpected bad consequences of designating DCs as Internal DNS Servers, but the option is there and I would welcome the input from Check Point and community as to its current state:

DNS Malware trap 

Another thing you may consider doing is subscribing to a third-party DNS filtering service, such as OpenDNS and designating their servers for your upstream lookups.

0 Kudos
_Val_
Admin
Admin
‎2017-11-07 06:57 AM

just make sure that DNS traffic is not generated by R80.10 itself 🙂 Smartlog might do that, trying to resolve all IPs in the logs

0 Kudos
Neil_ZInk
Collaborator
‎2017-11-13 06:14 AM

Issue resolved.   PEP tables where corrupt.

ran command:  # fw tab -t pep_networks_to_pdp_db -t pep_net_reg -t pep_reported_network_masks_db -x -y

before running the command we were seeing 2 million DNS records an hour (below)

thanks everyone for your responses. 

0 Kudos
Kirupa_Shankar_
Explorer
‎2023-10-03 05:02 PM
In response to Neil_ZInk

What is the correlation between pep and dns queries? 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events