Thomas_Eichelbu
Advisor

Is there a way to create a bypass/exception for DNS Sinkhole?

Hello Check Mates

Is there a way to create a bypass/exception for DNS Sinkhole?

Sometimes we run into some special scenarios when running DNS Sinkhole.
The good thing, this feature works great, but sometimes too great.

For example:
Some customers are conducting Phishing Awareness trainings, they send out specially crafted training emails and teach their personnel not to click on any of those funny links.
With DNS Sinkhole in place this never works, it always kills the DNS request.
For some special DNS resources we will need exclusions to allow them, even when Check Point is convinced these resources are highly infected and super evil ...

Has someone ever run into these?

best regards

Chris_Atkinson
Employee

Normal exceptions for the site/domain on your TP rule should do the trick?

Refer: https://community.checkpoint.com/t5/Threat-Prevention/DNS-Reputation-Exception/m-p/55745

Timothy_Hall
Champion

Probably the best way to do this is to first define a Custom Application/Site site object that has the site name/URL of the legit phishing server in it.  Then create a global TP exception and in the Protection/Site/File/Blade column select "User Applications", and then select the custom site name you made.   Next set the Action of the new exception to Detect or Inactive.  This should exclude any enforcement against that site name and would definitely work for the five TP blades, but the Malware DNS trap is kind of in its own little world to some degree and this exception may not work properly.  You'll have to try it and see what happens.

New 2021 IPS/AV/ABOT Immersion Self-Guided Video Series
now available at http://www.maxpowerfirewalls.com