This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Mikel_Aanstoot
Contributor
‎2018-11-24 11:22 AM

DNS Trap

Hello, I have configured DNS trap, first in R77.30 and we have now R80.10, according to sk74060. Also added an internal DNS server for better identification. We see some internal DNS trap alerts coming from internal DNS server. We cannot identify the real client who is actually making the DNS request. I think we have to correlate ourselves from DNS log from the internal DNS server ?

But we also see that the external IP address we are using for DNS trap is attracting a lot, a very lot, of external IP addresses trying to access this IP address on almost every port. Far more than the other external IP addresses in use. Can someone explain ? I hope not that the DNS Trap IP address is in some way now also an external attraction ? Can someone explain this a bit more indepth ?

Thanks and kind regards,

Mikel

11 Replies
PhoneBoy
Admin
Admin
‎2018-11-24 02:13 PM

The DNS Trap will only be effective if the Security Gateway is between the client and DNS server.

Otherwise, you'll just see the DNS server making the requests, which won't be terribly useful.

It's meant for internal hosts (not external ones) and the Trap IP should be a private IP address not in use in your network anywhere. 

This means even if external hosts get the Trap IP somehow, the traffic would never route to your Security Gateway from the outside.

0 Kudos
D_W
Advisor
‎2018-11-29 12:04 AM
In response to PhoneBoy

I have the same issue that our internal DNS are shown. Is there a description how to configure this so that only the clients are falling into the trap?

0 Kudos
PhoneBoy
Admin
Admin
‎2018-11-29 05:56 AM
In response to D_W

It's basically two things:

1. A security gateway must be between the DNS Client and the DNS Server (otherwise, you'll just see the DNS server making requests)

2. You should configure the internal DNS servers in the Threat Prevention profile.

0 Kudos
SantiagoPlatero
Collaborator
‎2018-12-05 05:18 AM
In response to PhoneBoy

Hi Dameon, quick question, what do you mean exactly on the first point?

The gateway must be physically/logically between the client and server?

In my topology I have the DNS server in one VLAN (same VLAN for the gateway) and the clients in another VLANs. I have a lot of logs of DNS request (and responses to the trap) but if I have to know which client made the malicious request I have to go to the DNS server logs.

Maybe the topology is incorrect and should be like you pointed out in the post above?

Thanks!

0 Kudos
Mikel_Aanstoot
Contributor
‎2018-12-05 06:35 AM
In response to SantiagoPlatero

Hi Santiago, as long as the VLAN is routed through the gateway you should be fine I think. We have now 3 DNS servers configured, 2 internally that are not behind the gateway and one DNS server VPN tunneled to another network segment. We see both internally DNS server make the request but also the request to and from the VPN tunneled DNS server. With Identity Awareness we see username and we see the client. However the experience so far that we still see a lot of DNS traps captured but aren't necessary due to infected systems. It also happens with normal browsing from an end user. It still takes some effort to identify whether the DNS traps are from normal browsing or possible infected systems

SantiagoPlatero
Collaborator
‎2018-12-05 06:55 AM
In response to Mikel_Aanstoot

Hi Mikel, thanks for your answer.

And yes, the VLANs are routed through the gateway (at least for internet browsing).

As you say some traps aren't malicious browsing per se, but (malicious or not) almost never I could see from which client and/or user (we also have IA enabled) the request was made.

Some insight I forgot to mention is we have a Barracuda Web Filter between the gateway and the core switch, maybe it can create some issues regarding to this.

0 Kudos
Tim_McColgan
Contributor
‎2018-12-04 06:12 AM
In response to PhoneBoy

Why is this only meant for internal hosts and not external? 

0 Kudos
PhoneBoy
Admin
Admin
‎2018-12-04 07:24 AM
In response to Tim_McColgan

Not sure I see any benefit to providing this function for external hosts in general.

I could see it being useful for specific ones, but in general? No.

0 Kudos
Tim_McColgan
Contributor
‎2018-12-04 10:27 AM
In response to PhoneBoy

So thinking about it more, I guess you want to know if internal hosts are going to bad domains....

0 Kudos
PhoneBoy
Admin
Admin
‎2018-12-04 12:17 PM
In response to Tim_McColgan

Exactly, you can potentially remediate those hosts.

Ones outside your network, not so much.

0 Kudos
Viktor_Karlsson
Participant
Participant
‎2020-02-24 07:19 AM

Hi,

I read this and also the discussion and did not understand how this would work so I sent a question to PhoneBoy and got some clarity but I’m still unsure how it’s working.

 

My question was:

If you have the option turned on for DNS trap and the GW is changing the IP in the response even if there is not a GW with Anti-bot activated that is handling the traffic between the client computer and the DNS server you should see the client computer trying to communicate with the spoofed IP? Or have I misunderstood this?

 

Will the customer need to have AV activated on the GW that handles the traffic between Computer and DNS server to have full protection?

 

I also created a scenario to clarify this:

So in this scenario the Checkpoint with AV and AB installed that know that is has changed the DNS reply to a spoofed IP can identify and block the computer?

Viktor_Karlsson_0-1582557133050.png

 

The answer:

That's the basic idea, yes.
The gateway will see the DNS lookup to badsite.com and replace the real DNS lookup result with the "sinkhole" IP you've configured.
It should be an IP that no legitimate communication should go to.
The end user PC will reach a harmless site instead of the real one.

Note if the end user gets the DNS lookup a different way, the client may attempt a connection to that IP still.
In which case, if the IP itself is blacklisted by AV/AB, the connection should be blocked.

 

 

But if you know the IP that the client is trying to connect to that is located on the internet and needs to bypass the perimeter firewall with AV and AB you should see this and can identify the client as infected. (If you have specified the DNS servers)

Right? Or do you really need to have AV-AB activated everywhere to identify the infected clients?

 

Regards

Viktor

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events