This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
NorthernNetGuy
Advisor
‎2023-03-06 08:08 AM

DNS Reputation Cache timer

Hi All,

 

For DNS reputation protections, I'm trying to find how long the cache time is, and where the config file to modify this is.

 

IIRC the AV blade for DNS reputation detects the first attempt, and then blocks all future attempts for queries if it was flagged and cached as bad. this cache I think clears after 12 hours, but i'd like to verify the time on this. My client may want to adjust this to a longer timer before clearing the reputation.

 

Thank you

0 Kudos
6 Replies
Chris_Atkinson
Employee Employee
Employee
‎2023-03-06 04:28 PM

IIRC some operations are based on DNS TTL others are based on how full the relevant RAD cache is...

 

Relevant resources include:

sk92224: Optimizing the categorization of DNS traffic by changing the Resource Classification Mode, for Anti-Virus and Anti-Bot
sk110214: How to clear DNS cache of HTTP/HTTPS Proxy function without 'cpstop'
sk89340: Traffic latency might be caused by Anti-Bot / Anti-Virus resource categorization mode set to 'Hold'
sk74120: Why Anti-Bot and Anti-Virus connections may be allowed even in Prevent mode
sk92264: ATRG: Anti-Bot and Anti-Virus 

sk90422: How to modify URL Filtering cache size?

CCSM R77/R80/ELITE
NorthernNetGuy
Advisor
‎2023-03-08 06:26 AM
In response to Chris_Atkinson

I've reviewed these SKs now, and I'm not finding enough info on the DNS cache within them.

 

from the malware_config file, there is the [dns info] section, which just has a 300TTL and enable variable. I'm wondering if this TTL is 300 minutes/5 hours for the AV cache. Can anyone confirm?

 

Also not seeing anything indicative of changing this within the rad_conf.C

 

0 Kudos
PhoneBoy
Admin
Admin
‎2023-03-08 10:15 AM
In response to NorthernNetGuy

I would assume the TTL is in seconds, which is how the underlying DNS expresses TTL.

0 Kudos
the_rock
Legend
Legend
‎2023-03-06 04:52 PM

You could check below file on mgmt server:

$FWDIR/conf/malware_config 

yalmog
Employee
Employee
‎2023-03-16 10:26 PM

Hi, the timer is determined by threadCloud for each url, usually 10-24 hr. It cannot be changed. The ttl in malware_config is not in use.

 

 

 

0 Kudos
Albin
Contributor
Contributor
‎2024-02-14 04:46 AM
In response to yalmog

Is this still the case?

For environments with huge amount of DNS traffic, the cache of 400K might get full and the  built-in clearing functions are not sufficient. The next step would be to modify the TTLs so unncessary DNS cache entries does not last as long.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events