Hi,
I read this and also the discussion and did not understand how this would work so I sent a question to PhoneBoy and got some clarity but I’m still unsure how it’s working.
My question was:
If you have the option turned on for DNS Trap and the GW is changing the IP in the response, even if there is not a GW with Anti-Bot activated that is handling the traffic between the client computer and the DNS server, you should see the client computer trying to communicate with the spoofed IP? Or have I misunderstood this?
Will the customer need to have AV activated on the GW that handles the traffic between the computer and the DNS server to have full protection?
I also created a scenario to clarify this:
So in this scenario, the Check Point with AV and AB installed that knows it has changed the DNS reply to a spoofed IP can identify and block the computer?
The answer:
That's the basic idea, yes.
The gateway will see the DNS lookup to badsite.com and replace the real DNS lookup result with the "sinkhole" IP you've configured.
It should be an IP that no legitimate communication should go to.
The end user PC will reach a harmless site instead of the real one.
Note if the end user gets the DNS lookup a different way, the client may attempt a connection to that IP still.
In which case, if the IP itself is blacklisted by AV/AB, the connection should be blocked.
But if you know the IP that the client is trying to connect to, which is located on the internet and needs to pass the perimeter firewall with AV and AB, you should see this and can identify the client as infected. (If you have specified the DNS servers.)
Right? Or do you really need to have AV-AB activated everywhere to identify the infected clients?
Regards
Viktor
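To make the mechanism discussed in this thread concrete, here is an added toy model (not from the thread, Check Point's documentation, or the product) of the two steps: the gateway replacing the A-record answer for a flagged domain with the sinkhole IP, and a detection pass over connection logs that flags any host reaching that sinkhole IP, whatever DNS path it used. The sinkhole address, domain list and log lines are all constructed assumptions.

```python
"""Toy model of DNS Trap behaviour (added example, not Check Point code)."""

# Assumed configuration (constructed values, not from the thread).
SINKHOLE_IP = "10.255.255.254"        # bogus address no legitimate traffic should use
MALICIOUS_DOMAINS = {"badsite.com"}   # domains the Anti-Bot engine would flag


def dns_trap(reply):
    """Model of the gateway's DNS Trap: rewrite the answer for a flagged domain.

    `reply` is a dict with 'qname' and 'answer'. Returns a copy with 'trapped'
    set, and the answer replaced by the sinkhole IP when the domain is flagged.
    """
    qname = reply["qname"].rstrip(".").lower()
    if qname in MALICIOUS_DOMAINS:
        return {**reply, "answer": SINKHOLE_IP, "trapped": True}
    return {**reply, "trapped": False}


def parse_log_line(line):
    """Parse a constructed 'key=value' firewall log line into a dict."""
    return dict(field.split("=", 1) for field in line.split() if "=" in field)


def infected_hosts(log_lines):
    """Hosts that tried to reach the sinkhole IP.

    A host only knows the sinkhole IP because a trapped DNS reply handed it
    over, so any connection attempt to it points at the infected client, even
    when the gateway never saw that host's DNS traffic.
    """
    hits = set()
    for line in log_lines:
        rec = parse_log_line(line)
        if rec.get("dst") == SINKHOLE_IP:
            hits.add(rec["src"])
    return sorted(hits)


# Constructed sample log: two hosts hit the sinkhole, one does normal browsing.
SAMPLE_LOG = [
    "time=10:00:01 src=10.1.1.5 dst=10.255.255.254 dport=443 action=drop",
    "time=10:00:02 src=10.1.1.7 dst=203.0.113.50 dport=443 action=accept",
    "time=10:00:03 src=10.1.1.9 dst=10.255.255.254 dport=80 action=drop",
]

if __name__ == "__main__":
    print(dns_trap({"qname": "badsite.com.", "answer": "203.0.113.10"}))
    print(infected_hosts(SAMPLE_LOG))
```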