
DNS Trap prevent after Activation Anti-Bot

Hi all,

Since I activated Anti-Bot on CP SGW members (R80.10/R80.20 and R80.30), I have had trouble with DNS requests.

From time to time users can't get access to the Internet because of an Anti-Bot Prevent from

SRC: Internal User 

DST: Internal DNS Server (10.1.1.67)

with protection Details:

[Screenshot: dns-trap-blocked.JPG]

The Mgmt Server is R80.30. This issue occurs only with DNS IP 10.1.1.67.

When activating Anti-Bot (on the cluster member) we added the following IP (10.1.1.67), marked in yellow:

[Screenshot: Unbenannt.JPG]

What's the reason for it:

1.) DNS Trap with Prevent to the internal DNS (needed!)?

2.) In the detailed log you can see under Forensics Details: d2cb5ad7002c4066.huaweisafedns.com?


Re: DNS Trap prevent after Activation Anti-Bot

Your description does not make much sense - looks like you set the Malicious DNS Trap IP to your internal DNS IP...

Please consult sk106130: SmartEvent shows "Severity = <4GB" in Anti-Virus / Anti-Bot event to learn how to use this feature!


Re: DNS Trap prevent after Activation Anti-Bot

Dear Albrecht, many thanks for your reply - I understand that I was wrong - I am now deleting the IP (internal DNS) from the settings on the cluster member.

I think this sk106130: SmartEvent shows "Severity = <4GB" in Anti-Virus / Anti-Bot event was the wrong one. Please check and reply with the right article.

Thanks


Re: DNS Trap prevent after Activation Anti-Bot

Please review sk74060


Re: DNS Trap prevent after Activation Anti-Bot

Thomas,

the system does what it should with your configuration, but you are wrong.

If you set the bogus IP to your DNS server, then the traffic to your DNS server is blocked if malicious activity is detected.

The bogus IP is the IP which is used as a replacement if a malicious DNS request is passing your firewall.

Have a look at the article mentioned by @G_W_Albrecht and you'll understand how it works.

Set the bogus IP to something not existing in your network but routed through the gateway.

Wolfgang
