Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
jgarcias
Participant

Log DNS query

Hello everybody,

 

Actually we have several gateway clusters in our environment. By default we are logging DNS traffic (UDP 53) but we can see that actually only the connection itself is being logged

 

Does somebody know how to log the query in the DNS packet? I would like to see the queried domain in the log. I can see that there is a field named "DNS query" and "DNS Query Type" but both are empty so I think it should be an option to enable the gateway to fill that fields.

 

 

Thanks

13 Replies
PhoneBoy
Admin
Admin

What is the precise rule that is accepting the traffic?
I suspect it needs to done with an App Control rule (something that logs Detailed or Extended).

0 Kudos
jgarcias
Participant

Our goal is having the queried domain name in the DNS logs, so as we can export it to a SIEM (via logexporter) and have the DNS request information, not only the connection.

We have some internal applications that tries to access different services (rare or custom protocols) and URLF/APP CONTROL does not show that information, but if we could log that in the DNS, at least we could see the domain name requested.

 

Thanks

0 Kudos
jgarcias
Participant

any tip on how to achieve that, @PhoneBoy

0 Kudos
PhoneBoy
Admin
Admin

I thought there was an App Control signature that did this, but it doesn't appear there is one.
This is probably an RFE, but it might be worth a TAC case to confirm.

0 Kudos
CheckMate-R77
Contributor

@CheckPoint

Come on,

years go by and such a simple issue is not resolved yet? Top next gen firewall can't cope with so trivial task as DNS queries logging? Are You serious?

0 Kudos
(1)
Lesley
Leader Leader
Leader

Have you requested a RFE for this?

-------
If you like this post please give a thumbs up(kudo)! 🙂
0 Kudos
CheckMate-R77
Contributor

Yes, I have - right after Your question.

Thanks for hint.

0 Kudos
_Val_
Admin
Admin

what issue? can you please be more specific?

0 Kudos
CheckMate-R77
Contributor

It's all about DNS transactions logging - mainly queries. It's simple UDP 53 plain text. Is there any way to show them in logs? Any sk number or something else? 

0 Kudos
Lesley
Leader Leader
Leader

Maybe this: https://support.checkpoint.com/results/sk/sk116694

Version is EOL but worth a shot.

Although DNS is getting more and more encrypted (the request). Then firewall cannot see it anymore. 

-------
If you like this post please give a thumbs up(kudo)! 🙂
0 Kudos
_Val_
Admin
Admin

Got it. Please open a TAC request for this.

0 Kudos
CheckMate-R77
Contributor

Let me ask what kind of SIEM do You have? Don't You have network sensor listening on the wire (TAP, port mirroring or promiscous)? Is Your issue resolved by now?

0 Kudos
liwo
Explorer

I'm looking to implement something similar - did you get anywhere with this?

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events