This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Christian_Koehl
Collaborator
Collaborator
‎2021-02-19 06:01 AM

updateble objects casing mass of DNS requests

Hi folks,

I have some trouble with updateble objects.

When updateble objects for "office 365" and "Amazon web service" are activated, my gateway sends about 110-120 DNS request per seconds --> means more than 400.000 request per hour.
When deactivating the updateble objects, the DNS request stops immediately.


Mgmt: MDM, R80.40, JHF-91
Gateway: VSX Gateway Cluster, R80.30, JHF-227, DNS request are send by VS2


Any idea?

Best regards,
Christian

0 Kudos
5 Replies
Vladimir
Champion
Champion
‎2021-02-19 06:10 AM

Hmm... I would expect the Updatable Objects to cause the bursts of periodic DNS requests, but not perpetually at the rate you are describing.

are you sure that your VS2 is getting the replies to those queries?

0 Kudos
Christian_Koehl
Collaborator
Collaborator
‎2021-02-19 06:32 AM
In response to Vladimir

I have tcpdump showing sending of DNS request (using the cluster ip of VS2) and receiving the DNS responses.

What looks a little bit strange is, only two different source port in the DNS request were used by VS2.

0 Kudos
Alex-
Leader Leader
Leader
‎2021-02-19 07:15 AM
In response to Christian_Koehl

Did you check you're matching all the requirements of sk131852?

0 Kudos
Jerry
Mentor
Mentor
‎2021-02-22 03:34 AM
In response to Christian_Koehl

I've had very similar scenario where VS out of 10 other VS's was having in a policy may "updatable objects" including many "countries" in a drop/allow lists. depending on what countries were "eliminated" and which were simply dropped without logging like "stealth" filtering.

The level of traffic (udp/53) between that VS and luckily "very local" DNS server was like 2-4 MB/s constant stream 24/7/365. After roughly about the year that DNS server was replaved with much stronger and more powerful machine as DNS become a bottleneck to the "responses" being serverd to that VS (Internet Perimeter FW). This was giving more resources to the DNS server itself sorted the issues out and internal-power of DNS made the stream between the VS and DSN down to 500-600kb/s instead. Simply put, the way the updatable objects works is not that harmful to the VS's as long as your DNS can cope and swallow such amount of "queries" all-day-long. every day.

I had similar scenario with appliances "stand-alone" as well as "remotely-managed" gateways where on R81 just now that problem disappeared but one thing remained crucial - DNS server capabilities and its "responsiveness" in general.

that's just my 5 cents. hope it helps somehow 🙂

Jerry
0 Kudos
Micky_Michaeli
Employee
Employee
‎2021-02-22 02:58 AM

Hi @Christian_Koehl,

According to sk131852, "External services providers publish lists of IP addresses, or Domains, or both, to allow access to their services. These lists are dynamically updated. Updatable objects derive their contents from these published lists of the providers". Office 365 object contains many domains which require these DNS queries, so this is the expected behavior. Reducing the amount of DNS queries without having matching issues is something we have in our roadmap.

Best regards,

Micky

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events