Malware DNS Trap identifies compromised clients that try to access known malicious domains. When this feature is enabled, the Gateway does not block DNS requests identified as malicious. Instead, it tampers with the DNS response and returns a false (bogus) IP address to the client. With the Malware DNS Trap, you can then detect compromised clients by checking the logs for connection attempts to the bogus IP address. Subsequent connections addressed to the bogus IP are blocked.
- When the Gateway allows the DNS request, it generates a DNS reputation log with the description "Connection was allowed because a DNS trap was set".
- When the Gateway tampers with the DNS response, the description of the DNS reputation log is "DNS response was replaced with a DNS trap bogus IP".
- Connections to the bogus IP are logged with the DNS Trap protection type and the description "Connection to DNS trap bogus IP".
You can set the bogus IP address to the IP address of the Gateway's external interface or to another IP address. When the Gateway's external interface is defined as the bogus IP, this feature may cause connections addressed to the Gateway itself to be dropped. Therefore, it is recommended to define a dedicated bogus IP address and not use the external interface of the Gateway.
Note: When a client tries to connect to the bogus IP address after receiving the tampered reply to its DNS request, the connection is blocked on the first (SYN) packet. Accordingly, there is no session traffic to capture beyond the log entry.
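The detection step described above, as an added example that is not part of the original article or of Check Point's own tooling: it correlates, per client, the "DNS response was replaced" reputation logs with the "Connection to DNS trap bogus IP" logs and reports which hosts actually tried to reach the bogus IP, which is the article's criterion for a compromised client. The log lines are constructed for this example; the key=value layout and the field names (time, src, dst, dport, protection_type, description, resource) are an assumption about an exported log format, and only the description strings and the default trap IP come from the article. It also includes the configuration check a practitioner would want: warning when the chosen bogus IP is the Gateway's external interface.

```python
"""Find compromised clients from Malware DNS Trap logs.

Added example, not code from the original article or from Check Point.
The sample log lines and their key=value field names are constructed
for this example; only the description strings and the default
DNS trap IP address (62.0.58.94) are taken from the article.
"""
import ipaddress
import re
from collections import defaultdict

# Log descriptions quoted in the article.
DESC_DNS_ALLOWED = "Connection was allowed because a DNS trap was set"
DESC_DNS_REPLACED = "DNS response was replaced with a DNS trap bogus IP"
DESC_BOGUS_CONNECT = "Connection to DNS trap bogus IP"

DEFAULT_TRAP_IP = "62.0.58.94"

# Constructed sample logs (assumed key=value export format).
SAMPLE_LOGS = """\
time=2024-05-02T10:00:01 src=10.1.1.20 dst=8.8.8.8 dport=53 protection_type="DNS reputation" description="Connection was allowed because a DNS trap was set" resource=bad.example
time=2024-05-02T10:00:01 src=10.1.1.20 dst=8.8.8.8 dport=53 protection_type="DNS reputation" description="DNS response was replaced with a DNS trap bogus IP" resource=bad.example
time=2024-05-02T10:00:02 src=10.1.1.20 dst=62.0.58.94 dport=443 protection_type="DNS Trap" description="Connection to DNS trap bogus IP"
time=2024-05-02T10:00:05 src=10.1.1.20 dst=62.0.58.94 dport=443 protection_type="DNS Trap" description="Connection to DNS trap bogus IP"
time=2024-05-02T10:00:07 src=10.1.1.31 dst=8.8.8.8 dport=53 protection_type="DNS reputation" description="DNS response was replaced with a DNS trap bogus IP" resource=other.example
time=2024-05-02T10:00:09 src=10.1.1.42 dst=93.184.216.34 dport=80 protection_type="Anti-Virus" description="Malicious file download blocked"
"""

# key=value or key="value with spaces"
_KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_line(line):
    """Split one key=value log line into a dict (quoted values may contain spaces)."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
            for m in _KV_RE.finditer(line)}


def summarize(log_text):
    """Per source host: DNS trap events seen, connections to the bogus IP that
    followed, the domains that triggered the trap, and the bogus IPs contacted."""
    hosts = defaultdict(lambda: {"dns_allowed": 0, "dns_replaced": 0,
                                 "bogus_connects": 0, "resources": set(),
                                 "trap_ips": set()})
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        src = rec.get("src")
        desc = rec.get("description", "")
        if not src:
            continue
        if desc == DESC_DNS_ALLOWED:
            hosts[src]["dns_allowed"] += 1
        elif desc == DESC_DNS_REPLACED:
            hosts[src]["dns_replaced"] += 1
            if "resource" in rec:
                hosts[src]["resources"].add(rec["resource"])
        elif desc == DESC_BOGUS_CONNECT:
            hosts[src]["bogus_connects"] += 1
            hosts[src]["trap_ips"].add(rec.get("dst"))
        # Other protections (e.g. Anti-Virus) are not DNS trap evidence.
    return dict(hosts)


def confirmed_compromised(log_text):
    """Hosts that actually tried to connect to the bogus IP.

    A host with only a replaced DNS answer resolved a malicious domain but
    never followed up; it is worth a look, but not confirmed by this feature."""
    return sorted(src for src, h in summarize(log_text).items()
                  if h["bogus_connects"] > 0)


def trap_ip_warning(trap_ip, gateway_external_ip):
    """Return a warning if the bogus IP is invalid or equals the Gateway's
    external interface (the article recommends against that); else None."""
    try:
        trap = ipaddress.IPv4Address(trap_ip)
    except ipaddress.AddressValueError:
        return f"{trap_ip!r} is not a valid IPv4 address"
    if trap == ipaddress.IPv4Address(gateway_external_ip):
        return ("bogus IP equals the Gateway external interface; "
                "connections addressed to the Gateway may be dropped")
    return None


if __name__ == "__main__":
    warning = trap_ip_warning(DEFAULT_TRAP_IP, "203.0.113.10")  # assumed external IP
    print("config:", warning or "ok")
    for src, h in summarize(SAMPLE_LOGS).items():
        status = "COMPROMISED" if h["bogus_connects"] else "resolved only"
        print(f"{src}: {status} replaced={h['dns_replaced']} "
              f"connects={h['bogus_connects']} domains={sorted(h['resources'])}")
```

The report separates hosts that connected to the bogus IP (confirmed by the trap) from hosts that merely received a tampered answer, so the second group can be triaged without being counted as compromised. Run `trap_ip_warning` with your actual trap IP and the Gateway's external address before deployment.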
DNS Trap Configuration
In the Anti-Bot and Anti-Virus section of the Security Gateway object:
- In SmartConsole, click Gateways & Servers and double-click the Security Gateway object.
The Gateway window opens and shows the General Properties page.
- From the navigation tree, select Anti-Bot and Anti-Virus.
- In the Malware DNS Trap section, choose one of the options:
- According to profile settings - use the Malware DNS Trap IP address configured in each profile.
- IP - enter one IP address that is used for all the profiles assigned to this Security Gateway:

The default DNS trap IP address is 62.0.58.94.
If for some reason you cannot use the default IP address 62.0.58.94 as a DNS trap, you can define a specific IP address. At the Security Gateway level, you can either use the settings defined in the profiles or specify one IP address that is used by all profiles on that Gateway.
When you define the Gateway's external interface as the bogus IP, there is a list of ports for which traffic addressed to the Gateway is not blocked. You can edit this list in the $FWDIR/conf/malware_config file, in the dns_redirection_exceptions section.
To set the Malware DNS Trap parameters in the Anti-Bot and Anti-Virus profile:
For R81.x:
- In SmartConsole, select Security Policies.
- From the Custom Policy Tools section, click Profiles.
- Edit the relevant Profile and go to Malware DNS Trap:

For R80.x:
- In SmartConsole, select Security Policies.
- From the Threat Tools section, click Profiles.
- Edit the relevant Profile and go to Malware DNS Trap:

For information about how to configure a Malware DNS Trap, refer to Threat Prevention Administration Guide.
Related solution: sk92224 - Resource Categorization for Anti-Bot / Anti-Virus DNS Settings optimization