Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Shahar_Grober
Advisor

URL Filtering using DNS

I had an interesting discussion about performing URL filtering using DNS only instead of URLs which allows faster resolving and will allow controlling of remote offices internet traffic without deploying URL Filtering on remote gateways or force redirection of internet traffic through the corporate gateway. This means that all DNS requests from remote offices are inspected by the gateway and allowed/blocked based on the DNS resolving. I know that the Anti-bot uses DNS for malicious website and also according to the "the R80.x Security Gateway Architecture (Content Inspection)" the RAD is using DNS as well but I am wandering if the URL filtering can be done based on the DNS request of the remote hosts or the http/https connection has to be opened and pass through the gateway.

This is similar to OpenDNS solution for Web Content filtering Web Content Filtering and Security – OpenDNS

Any insights are welcome. 

11 Replies
G_W_Albrecht
Legend
Legend

i would suggest sk92743 ATRG: URL Filtering for technical details.

CCSE CCTE CCSM SMB Specialist
0 Kudos
Shahar_Grober
Advisor

I already looked at it. There is no mention to use of DNS by URLF or RAD

L Filtering Categorization Flow

although the "R80.x Security Gateway Architecture (Content Inspection)" says that there is use of DNS with RAD

It would be nice to know if Check Point can support the scenario in my original question or not 

G_W_Albrecht
Legend
Legend

I do not think that this is possible - URLF checks the URL in the internal database first and, if niot successfull, sends a request to online detection service. So, no DNS is contacted here before the URL categorization is finished. The OpenDNS solution rather is a competitor to CP URLF with very a small set of features.

CCSE CCTE CCSM SMB Specialist
0 Kudos
Shahar_Grober
Advisor

Thanks for the information Gunthar, 

No argue that CP can provide better functionality than OpenDNS. I was just wandering if Check Point can provide similar functionality giving the fact that the infrastructure already exist with Anti-bot to block malicious DNS requests

0 Kudos
G_W_Albrecht
Legend
Legend

CP is using very similar functionality, but does not disguise itself as DNS server 😉 Did you read sk31727 and sk35484 already ?

CCSE CCTE CCSM SMB Specialist
Shahar_Grober
Advisor

This is good information. bottom line is that Check Point products do not implement DNS server functionality and therefore cannot perform URL filtering based on DNS requests. 

0 Kudos
PhoneBoy
Admin
Admin

DNS doesn't factor into URL filtering at all.

The main problem with using DNS as I see it is that a number of sites could use the same IP address.

You may allow access to some sites on the same IP, but block others.

Also I could access a given IP without doing a DNS lookup (e.g. Because of caching, poisoned or otherwise).

0 Kudos
G_W_Albrecht
Legend
Legend

Let me put it like this: With OpenDNS, you use the DNS lookup for performing URLF. With CP URLF, no DNS request will be made at all if the URL is blocked.

CCSE CCTE CCSM SMB Specialist
0 Kudos
Shahar_Grober
Advisor

Deamon and Gunther,

Thanks for the answers. I agree that using URLF is the best possible solution. I am trying to figure out what is the best solution if I can't route end users traffic through the gateway. I am thinking about Endpoint security with URLF blade will be a suitable replacement but it is not deployed at the moment. what do you think?

0 Kudos
PhoneBoy
Admin
Admin

Either Endpoint URLF or Capsule Cloud would be reasonable in these cases.

Both would work regardless of where the end users are.

Ranokarno_Ranok
Participant

I agree with Shahar Grober
it will be better if Checkpoint can perform dns filtering instead of relying on 3rd party appliances such as infoblox or other dns firewall outside.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events