PhoneBoy

Hacking DNS TechTalk: Video, Slides, and Q&A

Slides attached below.
Q&A appears below the video.

Do you have recent statistics on what percentage of total name-resolver traffic is secure DNS (TCP/853, HTTPS, etc.) nowadays?

Roughly 5%.

How many root servers are there around the world, and how is synchronization done among them?

There are 13 root servers. More details here.

Is PTR the same as reverse lookup?

Yes, PTR records are IP to name mappings.
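
A PTR record is published by whoever controls the address block, so on its own it is a claim, not proof of identity. As an added illustration (example code written for this post, not Check Point's implementation), the script below builds the reverse-lookup owner name for IPv4 (`in-addr.arpa`) and IPv6 (`ip6.arpa`) addresses, then performs forward-confirmed reverse DNS: the PTR name is only accepted if resolving it forwards returns the original address. The zone data is constructed from documentation address ranges so the example runs offline; the record values and hostnames are assumptions.

```python
import ipaddress


def ptr_owner_name(address: str) -> str:
    """Return the owner name a resolver queries for a PTR record.

    IPv4: octets reversed under in-addr.arpa.
    IPv6: all 32 nibbles (leading zeros kept) reversed under ip6.arpa.
    ipaddress.ip_address raises ValueError for anything that is not an IP.
    """
    ip = ipaddress.ip_address(address)
    if ip.version == 4:
        return ".".join(reversed(str(ip).split("."))) + ".in-addr.arpa."
    nibbles = ip.exploded.replace(":", "")  # 32 hex digits
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


# Constructed zone data standing in for live DNS answers (example only).
# 203.0.113.0/24, 198.51.100.0/24 and 2001:db8::/32 are documentation ranges.
PTR_RECORDS = {
    "10.113.0.203.in-addr.arpa.": "mail.example.com.",
    # The owner of 203.0.113.20 points its PTR at a name it does not control.
    "20.113.0.203.in-addr.arpa.": "login.bank.example.",
    ptr_owner_name("2001:db8::1"): "ns1.example.net.",
}
FORWARD_RECORDS = {
    "mail.example.com.": {"203.0.113.10"},
    "login.bank.example.": {"198.51.100.5"},
    "ns1.example.net.": {"2001:db8::1"},
}


def forward_confirmed_rdns(address, ptr_lookup=PTR_RECORDS.get,
                           forward_lookup=FORWARD_RECORDS.get):
    """Forward-confirmed reverse DNS.

    Returns (ptr_name, confirmed). The name is confirmed only when its forward
    (A/AAAA) answers contain the address we started from; otherwise the PTR
    value should be treated as untrusted input, not as an identity.
    """
    name = ptr_lookup(ptr_owner_name(address))
    if name is None:
        return None, False
    forward = forward_lookup(name) or set()
    wanted = ipaddress.ip_address(address)
    confirmed = any(ipaddress.ip_address(a) == wanted for a in forward)
    return name, confirmed


if __name__ == "__main__":
    for addr in ("203.0.113.10", "203.0.113.20", "2001:db8::1", "203.0.113.99"):
        print(addr, "->", ptr_owner_name(addr), forward_confirmed_rdns(addr))
```

In a real check the two lookup callables would wrap a resolver library; the dictionaries here exist only so the logic can be exercised without network access.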

What book is Ralph recommending? 

DNS and Bind (5th Edition) by Cricket Liu and Paul Albitz. It's available on Amazon (among other places): https://www.amazon.com/DNS-BIND-5th-Cricket-Liu/dp/0596100574/ref=sr_1_1?crid=3FWUOTXHYDAO&keywords=...

What kind of adoption are you seeing DNSSEC getting?

According to public sources, adoption is not growing fast; it is currently at roughly 5%.

What is the best practice for the TTL?

Unless the IP address for the record changes regularly (e.g. a dynamic IP), the TTL should not be short. A short TTL increases the load on your DNS servers.

How do Check Point customers detect/prevent DNS tunneling attacks?

Use our Threat Prevention blades. Specifically:

  • IPS: prevents known attacks that exploit known vulnerabilities in DNS infrastructure
  • Anti-Virus: prevents download of malicious files
  • Anti-Bot: prevents access to known malicious sites and verifies traffic behavior
  • DNS requests are verified against ThreatCloud. If a request is found to be malicious, it is answered with the DNS Trap IP address (see sk74060 and the Threat Prevention Administration Guide R81.10 for details). For DNS Tunneling protection, see sk178487.
  • Protocol Parsers (Inspection Settings): enforce that protocols conform to their defined standards
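
"Verifying traffic behavior" is the part of that list that catches tunnelling without a signature: encoded data shows up as many distinct, long, high-entropy subdomains under one registered domain, often carried in TXT or NULL queries. As an added illustration (example code written for this post, not Check Point's implementation or any product's logic), the script below profiles a constructed DNS query log per registered domain and flags domains where all three illustrative thresholds are exceeded. The log format, the hostnames, the thresholds and the two-label registered-domain rule are assumptions.

```python
import math
from collections import defaultdict

# Constructed DNS query log (not a real capture): "<epoch> <client> <qtype> <qname>".
# Several clients browse a few hostnames under example.com; one client sends
# long, high-entropy labels under exfil.example.net, the shape produced when
# data is encoded into query names.
TUNNEL_BASE = "ab3kq9zx7m2pl4wn8vc1ty6hd0fg5rju"  # 32 distinct characters


def constructed_log():
    lines = []
    hosts = ["www", "mail", "api", "cdn", "static"]
    for i in range(30):
        lines.append(f"{1700000000 + i} 10.0.0.{i % 4 + 1} A {hosts[i % 5]}.example.com")
    for i in range(6):
        label = TUNNEL_BASE[i:] + TUNNEL_BASE[:i]  # rotation keeps every char distinct
        lines.append(f"{1700000100 + i} 10.0.0.9 TXT {label}.exfil.example.net")
    return "\n".join(lines)


SAMPLE_LOG = constructed_log()


def shannon_entropy(text):
    """Bits per character; a label of 32 distinct characters scores exactly 5.0."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname):
    """Split a query name into (registered domain, subdomain labels).

    Simplification: the last two labels are taken as the registered domain.
    Production code should consult the Public Suffix List (co.uk needs three).
    """
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 3:
        return ".".join(labels), []
    return ".".join(labels[-2:]), labels[:-2]


def profile_domains(log_text):
    """Aggregate per-registered-domain features from the query log."""
    acc = defaultdict(lambda: {"queries": 0, "sub_queries": 0, "subdomains": set(),
                               "entropy_sum": 0.0, "label_len_sum": 0, "txt_null": 0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than abort the whole run
        _, _, qtype, qname = parts
        domain, sub_labels = split_name(qname)
        s = acc[domain]
        s["queries"] += 1
        if qtype.upper() in ("TXT", "NULL"):
            s["txt_null"] += 1
        if sub_labels:
            s["sub_queries"] += 1
            s["subdomains"].add(".".join(sub_labels))
            s["entropy_sum"] += shannon_entropy("".join(sub_labels))
            s["label_len_sum"] += max(len(label) for label in sub_labels)

    profile = {}
    for domain, s in acc.items():
        k = s["sub_queries"] or 1
        profile[domain] = {
            "queries": s["queries"],
            "unique_subdomains": len(s["subdomains"]),
            "mean_entropy": s["entropy_sum"] / k,
            "mean_longest_label": s["label_len_sum"] / k,
            "txt_null_ratio": s["txt_null"] / s["queries"],
        }
    return profile


def flag_tunnel_candidates(log_text, min_unique=5, min_entropy=3.5, min_label_len=20):
    """Return registered domains whose subdomain traffic looks like encoded data.

    All three conditions must hold, which keeps ordinary web properties with a
    few short hostnames (www, mail, cdn) off the list. Thresholds are illustrative.
    """
    flagged = []
    for domain, f in profile_domains(log_text).items():
        if (f["unique_subdomains"] >= min_unique
                and f["mean_entropy"] >= min_entropy
                and f["mean_longest_label"] >= min_label_len):
            flagged.append(domain)
    return sorted(flagged)


if __name__ == "__main__":
    for domain, f in profile_domains(SAMPLE_LOG).items():
        print(f"{domain:14} queries={f['queries']:3} unique_sub={f['unique_subdomains']:2} "
              f"entropy={f['mean_entropy']:.2f} label_len={f['mean_longest_label']:.1f} "
              f"txt_null={f['txt_null_ratio']:.2f}")
    print("suspicious:", flag_tunnel_candidates(SAMPLE_LOG))
```

Requiring all three signals together matters: CDNs and cloud storage also use long, random-looking hostnames, so entropy alone produces false positives; combining it with subdomain churn and query type, and then reviewing the flagged domains against a threat-intelligence source, is the usual next step.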

Can Check Point ingest external threat feeds?

Yes, we have various methods to ingest threat feeds (ioc_feeds using AV/AB in R80.x, Network Feeds in R81.20+). If you are ingesting threat feeds (regardless of mechanism), it is HIGHLY recommended to upgrade to R81.20, since it supports substantially more indicators.

Can you explain the deep learning part - how does it do this?

Out of scope for this session, but we intend to cover it in the future.
