Thomas_Bauer
Contributor

DNS Trap prevent after Activation Anti-Bot

Hi together,

 

Since I activated Anti-Bot on CP SGW members (R80.10/R80.20 and R80.30), I have trouble with DNS requests.

From time to time a user can't get access to the Internet because of an Anti-Bot Prevent from

SRC: Internal User 

DST: Internal DNS Server (10.1.1.67)

with protection Details:

dns-trap-blocked.JPG

 

Mgmt Server R80.30. This issue occurs only for DNS IP: 10.1.1.67.

When activating Anti-Bot (on the cluster member) we added the following IP (10.1.1.67), marked in yellow:

Unbenannt.JPG

What's the reason for it:

1.) DNS Trap with prevent to internal DNS (needed !)  ?

2.) In the Detail Log you can see under Forensics Details: d2cb5ad7002c4066.huaweisafedns.com ?

0 Kudos
4 Replies
G_W_Albrecht
Legend

Your description does not make much sense - looks like you set the Malicious DNS Trap IP to your internal DNS IP...

Please consult sk106130: SmartEvent shows "Severity = <4GB" in Anti-Virus / Anti-Bot event to learn how to use this feature !

CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Thomas_Bauer
Contributor

Dear Albrecht, many thanks for your reply - I understand that I was wrong - now I delete the IP (DNS internal) from the settings on the cluster member.

I think this sk106130: SmartEvent shows "Severity = <4GB" in Anti-Virus / Anti-Bot event was the wrong one. Please check and reply with the right article.

Thanks

0 Kudos
Chris_Atkinson
Employee

Please review sk74060

CCSM R77/R80/ELITE
0 Kudos
Wolfgang
Authority

Thomas,

The system does what it should with your configuration, but you are wrong.

If you set the bogus IP to your DNS server, then the traffic to your DNS server is blocked if malicious activity is detected.

The bogus IP is the IP which is used as a replacement if a malicious DNS request is passing your firewall.

Have a look at the article mentioned by @G_W_Albrecht and you'll understand how it works.

Set the bogus IP to something not existing in your network but routed through the gateway.

Wolfgang

0 Kudos
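The rule from the last reply (a bogus IP that does not exist in the network but is routed through the gateway), as an added example that is not part of the original thread or any Check Point tooling: a Python pre-check for a candidate DNS trap IP. The client subnet, the extra host 10.1.1.10 and the candidate 10.254.254.254 are constructed sample values, and "not inside a client subnet" is used here as an assumed stand-in for "routed through the gateway".

```python
import ipaddress

# 10.1.1.67 is the internal DNS server from the thread; the rest is constructed.
DNS_SERVERS = ["10.1.1.67"]
ASSIGNED_HOSTS = ["10.1.1.10"]        # constructed: addresses already in use
CLIENT_SUBNETS = ["10.1.20.0/24"]     # constructed: segments where users sit


def check_trap_ip(candidate, dns_servers, assigned_hosts, client_subnets):
    """Return the reasons a candidate is unsuitable as the DNS trap (bogus) IP.

    An empty list means none of the checks below found a collision.
    """
    ip = ipaddress.ip_address(candidate)
    problems = []

    # The failure mode in this thread: the trap IP is a real resolver, so
    # Anti-Bot prevents client traffic to that resolver.
    if ip in {ipaddress.ip_address(s) for s in dns_servers}:
        problems.append("is a real DNS server")

    # The trap IP must not exist in the network.
    if ip in {ipaddress.ip_address(h) for h in assigned_hosts}:
        problems.append("is assigned to an existing host")

    # Assumption: an address inside a client's own subnet is reached directly
    # on that segment and never crosses the gateway.
    for net in client_subnets:
        if ip in ipaddress.ip_network(net):
            problems.append(f"lies inside client subnet {net}")

    if ip.is_loopback or ip.is_multicast or ip.is_unspecified or ip.is_link_local:
        problems.append("is not a routable unicast address")

    return problems


if __name__ == "__main__":
    for cand in ("10.1.1.67", "10.1.20.50", "10.254.254.254"):
        found = check_trap_ip(cand, DNS_SERVERS, ASSIGNED_HOSTS, CLIENT_SUBNETS)
        print(cand, "->", "; ".join(found) if found else "no collision found")
```
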
