URL Filtering using DNS
I had an interesting discussion about performing URL filtering using DNS only instead of URLs, which allows faster resolving and will allow controlling remote offices' internet traffic without deploying URL Filtering on remote gateways or forcing redirection of internet traffic through the corporate gateway. This means that all DNS requests from remote offices are inspected by the gateway and allowed/blocked based on the DNS resolving. I know that Anti-Bot uses DNS for malicious websites, and also according to the "R80.x Security Gateway Architecture (Content Inspection)" the RAD is using DNS as well, but I am wondering if the URL filtering can be done based on the DNS requests of the remote hosts or whether the http/https connection has to be opened and pass through the gateway.
This is similar to the OpenDNS solution for web content filtering: Web Content Filtering and Security – OpenDNS.
Any insights are welcome.
I would suggest sk92743 ATRG: URL Filtering for technical details.
I already looked at it. There is no mention of the use of DNS by URLF or RAD
URL Filtering Categorization Flow
although the "R80.x Security Gateway Architecture (Content Inspection)" says that there is use of DNS with RAD.
It would be nice to know if Check Point can support the scenario in my original question or not.
I do not think that this is possible - URLF checks the URL in the internal database first and, if not successful, sends a request to the online detection service. So, no DNS is contacted here before the URL categorization is finished. The OpenDNS solution rather is a competitor to CP URLF with a very small set of features.
Thanks for the information Gunthar,
No argument that CP can provide better functionality than OpenDNS. I was just wondering if Check Point can provide similar functionality, given the fact that the infrastructure already exists with Anti-Bot to block malicious DNS requests.
CP is using very similar functionality, but does not disguise itself as a DNS server 😉 Did you read sk31727 and sk35484 already?
This is good information. Bottom line is that Check Point products do not implement DNS server functionality and therefore cannot perform URL filtering based on DNS requests.
DNS doesn't factor into URL filtering at all.
The main problem with using DNS as I see it is that a number of sites could use the same IP address.
You may allow access to some sites on the same IP, but block others.
Also, I could access a given IP without doing a DNS lookup (e.g. because of caching, poisoned or otherwise).
Let me put it like this: With OpenDNS, you use the DNS lookup for performing URLF. With CP URLF, no DNS request will be made at all if the URL is blocked.
Deamon and Gunther,
Thanks for the answers. I agree that using URLF is the best possible solution. I am trying to figure out what the best solution is if I can't route end users' traffic through the gateway. I am thinking that Endpoint Security with the URLF blade will be a suitable replacement, but it is not deployed at the moment. What do you think?
Either Endpoint URLF or Capsule Cloud would be reasonable in these cases.
Both would work regardless of where the end users are.
I agree with Shahar Grober.
It will be better if Check Point can perform DNS filtering instead of relying on 3rd party appliances such as Infoblox or other DNS firewalls outside.