D_W
Advisor

DNS Trap Detect


Hi Mates,

In the logs we often see AV Protection hits with "Detect" as the action. Most of the time it is because of "DNS response was replaced with a DNS trap bogus IP. See sk74060 for more information."

Now in the overview there are a lot of Action "Detect" entries instead of Action "Prevent", and this gets misinterpreted and leads to boring questions and confusion for some people.

Is it possible to change this to Action "Prevent", because according to the description the attack was prevented by replacing the DNS response with a bogus IP!?

[attached screenshot: grafik.png]

thx
David

0 Kudos
4 Replies

That's "by design" - if you use DNS trap, the DNS response needs to be delivered to the client so that it starts the connection to the dummy IP. And that in turn is blocked and visible in the logs.

It actually says that in the description of the SK.

If you want to prevent, disable the DNS trap feature.

0 Kudos
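The reply above describes a two-step sequence: a "Detect" log for the replaced DNS response, followed by a blocked connection from the same client to the trap IP. On gateways where the first log still reads "Detect", a SOC can correlate the two events and report the DNS-trap hit as effectively prevented, which removes the confusion the original poster describes. The script below is an added example and not code from this thread or from Check Point; the log lines are constructed for the demo in a generic key=value form, and the field names (`action`, `protection`, `client_ip`, `trap_ip`, `src`, `dst`) are assumptions, not the real gateway log schema.

```python
"""Correlate DNS-trap 'Detect' events with the follow-up blocked connection.

Added example. The log lines and field names below are constructed for
the demo and do not reproduce Check Point's actual log schema.
"""
import re
from datetime import datetime, timedelta

# Constructed sample log lines (not real gateway output).
SAMPLE_LOGS = """\
time=2024-05-01T10:00:00 blade=anti-virus action=Detect protection="DNS trap" client_ip=10.1.1.5 query=malicious.example trap_ip=192.0.2.1
time=2024-05-01T10:00:01 blade=anti-bot action=Prevent src=10.1.1.5 dst=192.0.2.1 dport=443 reason="Connection to DNS trap bogus IP"
time=2024-05-01T10:05:00 blade=anti-virus action=Detect protection="DNS trap" client_ip=10.1.1.9 query=bad.example trap_ip=192.0.2.1
time=2024-05-01T10:30:00 blade=anti-virus action=Detect protection="Some other signature" client_ip=10.1.1.7
"""

# key=value pairs; values may be quoted when they contain spaces.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line: str) -> dict:
    """Parse one key=value log line into a dict, stripping surrounding quotes."""
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    fields["time"] = datetime.fromisoformat(fields["time"])
    return fields


def is_dns_trap_detect(ev: dict) -> bool:
    """True for the 'Detect' log written when a DNS response is replaced."""
    return ev.get("action") == "Detect" and ev.get("protection") == "DNS trap"


def is_trap_block(ev: dict, client_ip: str, trap_ip: str) -> bool:
    """True for the blocked connection from the client to the bogus IP."""
    return (ev.get("action") == "Prevent"
            and ev.get("src") == client_ip
            and ev.get("dst") == trap_ip)


def correlate(lines, window_seconds: int = 60) -> list:
    """For each DNS-trap Detect, look for a block of the trap IP within the window.

    Returns one record per DNS-trap Detect with its effective action:
    'Prevent' if the follow-up connection was blocked, else 'Detect'
    (the client never tried to reach the bogus IP, or the block was not logged).
    """
    events = [parse_line(l) for l in lines if l.strip()]
    events.sort(key=lambda e: e["time"])
    results = []
    for i, ev in enumerate(events):
        if not is_dns_trap_detect(ev):
            continue
        deadline = ev["time"] + timedelta(seconds=window_seconds)
        blocked = any(
            later["time"] <= deadline
            and is_trap_block(later, ev["client_ip"], ev["trap_ip"])
            for later in events[i + 1:]
        )
        results.append({
            "time": ev["time"].isoformat(),
            "client_ip": ev["client_ip"],
            "query": ev.get("query"),
            "effective_action": "Prevent" if blocked else "Detect",
        })
    return results


def summarize(results) -> dict:
    """Count effective actions so the overview shows what was really blocked."""
    counts = {"Prevent": 0, "Detect": 0}
    for r in results:
        counts[r["effective_action"]] += 1
    return counts


if __name__ == "__main__":
    res = correlate(SAMPLE_LOGS.splitlines())
    for r in res:
        print(r)
    print(summarize(res))
```

A DNS-trap hit that is never followed by a connection to the trap IP stays "Detect" in this scheme on purpose: it tells you the client resolved a malicious name but did not go on to connect, which is worth keeping distinct from a blocked attempt.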
PhoneBoy
Admin
Admin

I could have sworn we changed these logs to prevent in R81, but could be wrong about that.

0 Kudos

We certainly did per:

https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_RN/Topics-RN/Software-Changes.htm

"Log description change for DNS sinkhole trap - log is changed to Prevent instead of Detect, the Security Gateway prevents users from reaching malicious sites."

D_W
Advisor

Perfect, good to know!
We're still on R80.40 here.

thx!!

0 Kudos