I want to block a list of domain names (example.com, google.com, customurl1.com, customurl2.com, customurl3.com, and so forth) using Checkpoint Firewall R80.10. This has proven challenging, though. I want to block the domain names from being resolved at the DNS level, even if it has no IP address assigned to it yet.
The two options appear to be to use:
Is there a clear-cut solution to perform what I am trying to achieve? Documentation has left me feeling unclear. I want to know what the proper approach for doing this is.
It’s a Chicken and Egg problem:
A clever way to solve this problem might be to use Anti-Bot DNS Trap.
What this will do is replace lookups for the domain with a bogus IP that goes...nowhere.
This assumes Anti-Virus and/or Anti-Bot blades are enabled.
Configure this in the relevant profile:
You can create a CSV file with the relevant domains in it.
Something like:
observ1,somedomain1.com,Domain,,low,AV,Domain_to_block
observ2,somedomain2.com,Domain,,low,AV,Domain_to_block
observ3,somedomain3.com,Domain,,low,AV,Domain_to_block
Upload it as indicators:
Install policy.
Hi,
The basic way of doing it is like this I believe:
The only question I think is whether you want to block those very specific domains or their subdomains as well. For the first option you would need to create the domain objects in FQDN mode whereas for the second option you would need to create them in non-FQDN mode.
See sk120633 and sk90401 for more information and let us know if you are still having difficulties.
I hope this helps.
Hi Nick,
Thank you for taking the time to reply to me. I should clarify that I would block non-FQDN domains, blocking up to the first 10 layers of sub-domains. Is it only possible to achieve "blocking a list of domain names" by using Domain Objects, or are there other options available? I worry that it would not be optimal to place hundreds of domain names into a Domain Object.
Is there any way for me to use Application Control & URL Filtering to achieve blocking a list of domain names instead?
I reviewed sk120633 and sk90401 prior to this, so I am familiar with the documentation; although, I am new to Checkpoint Firewall, so I'm taking things one step at a time.
Hi PhoneBoy,
Thank you for your feedback. Someone had mentioned the Anti-Bot DNS Trap solution before, but it didn't seem feasible at the time since all of the documentation and community discussion that I've read has pointed to Domain Objects. Your suggested solution sounds promising.
So, if we enable the Anti-Virus and/or Anti-Bot blades, we can enable Malware DNS Trap Activation, point the traffic to a bogus IP, and import a list of domain names to block from a CSV? If this actually works, then this sounds perfect.
For the domains that we would like to block, would there be any performance issue if I pointed 10,000+ domain names to bogus IP addresses? What overhead could the DNS Trap solution cause, and why?
If you could answer these questions for me, I'll be very grateful! I'm sure other readers will be grateful as well.
PhoneBoy, again, thank you for your useful feedback.
If we are only using a Firewall, will the performance impact be comparable to what it would be if we were to use IPS and/or App Control? An explanation of the performance impact is likely the last thing that I would like to request from the community here; where does the performance impact come from?
Also, to vaguely answer Wolfgang's question, we have a custom list of domain name addresses that we want to block, even if they are not registered yet. I understand that CheckPoint maintains separate lists of threat intel feeds, but our custom list focuses on very specific targeted attacks. The list may not actually be 10,000 domain names, maybe a few thousand, but I thought that I'd be safe and use a larger number.
Hello PhoneBoy,
We have implemented the first part for the DNS Traps.
But for uploading the domains, is there a specific format for the objects?
We have our blocked domains in a CSV already, and they are already created in the Domain.
Can we use a group? Or do we have to re-run the CSV, and will that cause any issues with the existing domains? Are they dynamic objects or regular hosts? Because the example given does not look like the regular CSV object we used from the API example.
Is there a known upper limit to the number of blocks that can be added? Have a prospect asking for this.
Hi @PhoneBoy. Thanks for sharing this method. Do you still recommend this method for blocking domains (FQDN and non-FQDN) for R80.40 (take 118)? I basically have it how Nick mentioned above; however, I am learning it may not be exactly efficient and may have unintended consequences if the domain resolves to a cloud provider (AWS, etc.). Can you please show an example of the CSV? Thanks!
You can still use this, yes.
My answer marked as correct above has an example, and you can also find an example in the R80.40 Threat Prevention guide.
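As an added example (not part of this thread or of Check Point's own tooling), a small Python script that turns a plain list of domains into rows in the seven-column layout of the CSV shown in the accepted answer above, which also answers the later questions about what the indicator CSV looks like. The column meanings (unique name, value, type, confidence, severity, product, comment) are assumed from that example; the domain validation and de-duplication are additions, meant to catch entries that would be rejected or collide on upload.

```python
import csv
import io
import re
from typing import Optional

# One DNS label: letters, digits, hyphens; no leading/trailing hyphen; 1-63 chars.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def normalize_domain(raw: str) -> Optional[str]:
    """Return a lower-case domain with any scheme, path or trailing dot removed,
    or None when the value is not a syntactically valid domain name."""
    value = raw.strip().lower()
    value = re.sub(r"^[a-z]+://", "", value)    # drop "http://", "https://", ...
    value = value.split("/", 1)[0].rstrip(".")  # drop any path and a trailing dot
    labels = value.split(".")
    if len(value) > 253 or len(labels) < 2:     # need at least "name.tld"
        return None
    if not all(_LABEL.match(label) for label in labels):
        return None
    return value


def build_indicator_csv(domains, product="AV", severity="low",
                        comment="Domain_to_block", confidence=""):
    """Build indicator rows in the column order of the thread's example:
    name, value, type, confidence, severity, product, comment (column meanings
    assumed). Returns (csv_text, rejected) where rejected lists skipped inputs."""
    seen = set()
    rejected = []
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    for raw in domains:
        domain = normalize_domain(raw)
        if domain is None:
            rejected.append(raw)
            continue
        if domain in seen:            # same value twice would just collide on upload
            continue
        seen.add(domain)
        name = f"observ{len(seen)}"   # unique name per row, as in the example
        writer.writerow([name, domain, "Domain", confidence, severity, product, comment])
    return buf.getvalue(), rejected


if __name__ == "__main__":
    # Constructed sample input: a duplicate with scheme/path, a bad name, a trailing dot.
    sample = ["somedomain1.com", "https://SomeDomain1.com/login", "bad_domain", "somedomain2.com."]
    text, bad = build_indicator_csv(sample)
    print(text, end="")
    print("rejected:", bad)
```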
Hello,
we have an issue sending emails to a specific domain, and per diagnosis it was found that the issue is the DNS malware trap and bogus IP. I found an article -> https://support.checkpoint.com/results/sk/sk74060
My question is should this be resolved per article documentation or should I solve this as you proposed but instead "deny" set to "accept".
Looking forward to your reply,
Klemen
This is an old enough thread that I recommend starting a new one with the relevant details to your query.