This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
David_C1
Advisor
‎2020-03-10 10:49 AM

Updatable Objects and DNS queries

In our lab environment, we have created two rules which use four different Updatable objects :

 

Azure Services

Okta Services

Office365 Worldwide

Office365 Worldwide Services

 

Once these rules were added, our gateways started submitting a large amount of DNS queries, upwards of 435,000 an hour. That's a lot of queries, it looks like most domains are queried 4 times a minute.  Is this expected behavior, and is there any way to change some setting(s) to decrease this number?

 

Thanks,

 

Dave

7 Replies
PhoneBoy
Admin
Admin
‎2020-03-11 01:03 PM

What version/JHF level?
David_C1
Advisor
‎2020-03-11 01:52 PM
In response to PhoneBoy

R80.20 w/Jumbo HFA Take 134

 

Dave

Daniel_Taney
Advisor
‎2020-03-11 01:54 PM
In response to David_C1

I have observed similar behavior on R80.20 using Updatable Objects for Office 365. It hasn't caused any problems that I've noticed, so I wasn't raising the issue to TAC. But I have noticed it happening.

R80 CCSA / CCSE
David_C1
Advisor
‎2020-03-12 05:46 AM
In response to Daniel_Taney

Thanks for the verification. It's good to know this might be "normal" behavior, and like you I haven't seen any impact to the gateway. Where we noticed is with our SIEM, since we pull in DNS logs from our DNS servers. It has seriously increased the number of events in our SIEM.

 

Still curious if there is a way to adjust settings so at least the queries do not happen so often.

 

Dave

Daniel_Snyder
Participant
‎2020-03-12 12:03 PM
In response to David_C1

Same issue here when we test O365 updateable object. It is because the updateable objects for O365 have wildcard domains and the gateways treat those lookups differently. For wildcard domains, from my understanding, each packet will be checked which leads to the increase in DNS. Normal FQDN will use a cached entry.

As a side note, in R80.20 (not sure on new versions) you will notice that for each DNS query sent by the gateway, another one to two will be sent with 'www' appending. This will lead to a lot of NXDOMAIN responses and additional load on DNS server. So all this builds up. The fix is to add the below parameter to the fwkern.conf file (create if it doesn't exist). You will need to reboot for fix to be applied since it won't take on the fly

/var/opt/fw.boot/modules/fwkern.conf
add_www_prefix_to_domain_name=0
WalterGodefroid
Explorer
‎2021-06-02 11:40 PM

We got the same problem on R80.30 take 226. That behavior has triggered a "DNSAttack (Possible DNS attack detected. Abnormal conditions: UDPv4 errors at XX%)" situation on our Infobloxes, causing a P2. The Infoblox started the "attack mitigation" throttling all DNS request, dropping lots of legit requests.

It is not that our Infobloxes are undersized. The CP's are just querying too much.

wgodefroid
0 Kudos
WalterGodefroid
Explorer
‎2021-08-11 06:33 AM
In response to WalterGodefroid

just-for-the-record: a possible workaround should be incrementing the rad_kernel_domain_cache_refresh_interval  parameter, from 60 to 120, together with a CP engineer. That was the feedback from our support case.

But we have choose to let it as-is...

wgodefroid
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events
    Top