Malware DNS Trap is used to identify compromised clients that attempt to access known malicious domains. When this feature is enabled, the gateway does not block DNS requests that were identified as malicious. Instead, the DNS response is tampered with and a false (bogus) IP address is returned to the client. Using the Malware DNS Trap, you can then detect compromised clients by checking the logs for connection attempts to the false IP address. Subsequent connections addressed to the bogus IP are blocked.
- When the gateway allows the DNS request, it generates a DNS reputation log with "Connection was allowed because a DNS trap was set" description.
- When the gateway tampers with the DNS response, the description of the DNS reputation log is replaced with "DNS response was replaced with a DNS trap bogus IP".
- Connections to the bogus IP are logged with DNS Trap protection type and "Connection to DNS trap bogus IP" description.
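The three log descriptions above are the signal a defender works from: the first one only means a trapped domain was looked up, while a connection to the bogus IP is what identifies the compromised client. The following script is an added example (not part of this article and not a Check Point tool) that reads constructed, simplified key=value log lines, keeps the clients that connected to the bogus IP, and records which trapped domains each client resolved. The field names, the bogus IP 192.0.2.200 and all client addresses are assumptions made for the example; real gateway log exports use their own field layout.

```python
"""Pick out DNS Trap hits from gateway-style logs (added example, not product code)."""
import re
from collections import defaultdict

# Constructed sample log lines in a simplified key=value layout (assumption:
# real gateway exports differ in field names and ordering).
SAMPLE_LOGS = """\
time=2024-01-01T10:00:00 src=10.1.1.25 dst=10.0.0.53 service=dns protection_type="DNS Reputation" description="Connection was allowed because a DNS trap was set" resource=bad.example
time=2024-01-01T10:00:00 src=10.1.1.25 dst=10.0.0.53 service=dns protection_type="DNS Reputation" description="DNS response was replaced with a DNS trap bogus IP" resource=bad.example
time=2024-01-01T10:00:02 src=10.1.1.25 dst=192.0.2.200 service=http protection_type="DNS Trap" description="Connection to DNS trap bogus IP"
time=2024-01-01T10:00:05 src=10.1.1.40 dst=93.184.216.34 service=http protection_type="" description="accept"
time=2024-01-01T10:00:09 src=10.1.1.77 dst=192.0.2.200 service=https protection_type="DNS Trap" description="Connection to DNS trap bogus IP"
time=2024-01-01T10:00:10 src=10.1.1.25 dst=192.0.2.200 service=https protection_type="DNS Trap" description="Connection to DNS trap bogus IP"
"""

# Constructed bogus IP for the example; use the address configured on your gateway/profile.
BOGUS_IP = "192.0.2.200"

TRAP_SET_DESC = "Connection was allowed because a DNS trap was set"
TRAP_REPLACED_DESC = "DNS response was replaced with a DNS trap bogus IP"
TRAP_HIT_DESC = "Connection to DNS trap bogus IP"

# key=value pairs; values are either double-quoted (may contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Turn one key=value log line into a dict of string fields."""
    fields = {}
    for match in KV_RE.finditer(line):
        key, quoted, bare = match.groups()
        fields[key] = quoted if quoted is not None else bare
    return fields


def find_compromised_clients(log_text, bogus_ip):
    """Return (hits, trapped_domains).

    hits maps a client IP to the list of (time, service) connection attempts
    it made to the bogus IP, judged either by dst == bogus_ip or by the
    "DNS Trap" protection type / description.  trapped_domains maps a client
    IP to the sorted domains whose DNS answer was replaced for that client.
    The "trap was set" log alone is not counted as a hit: it only shows that
    a malicious domain was looked up, not that the client followed through.
    """
    hits = defaultdict(list)
    trapped_domains = defaultdict(set)
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        f = parse_line(raw)
        src = f.get("src")
        desc = f.get("description", "")
        if desc == TRAP_REPLACED_DESC:
            trapped_domains[src].add(f.get("resource", ""))
        is_hit = (
            f.get("dst") == bogus_ip
            or f.get("protection_type") == "DNS Trap"
            or desc == TRAP_HIT_DESC
        )
        if is_hit:
            hits[src].append((f.get("time"), f.get("service")))
    return dict(hits), {k: sorted(v) for k, v in trapped_domains.items()}


def summarize(hits, trapped_domains):
    """One report line per compromised client, sorted by client IP."""
    lines = []
    for client in sorted(hits):
        domains = ", ".join(trapped_domains.get(client, [])) or "(domain not logged)"
        lines.append(f"{client}: {len(hits[client])} attempt(s) to bogus IP; trapped domains: {domains}")
    return lines


if __name__ == "__main__":
    found, domains = find_compromised_clients(SAMPLE_LOGS, BOGUS_IP)
    for line in summarize(found, domains):
        print(line)
```

Clients that only generated the "trap was set" DNS reputation log but never touched the bogus IP are deliberately left out of the report; pairing the DNS log with the later connection log is what turns a suspicious lookup into a confirmed host to investigate.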
You can set the bogus IP address to be the IP address of the Gateway's external interface or another IP address. When the Gateway's external interface is defined as the bogus IP, this feature may cause connections addressed to the gateway itself to be dropped. Therefore, it is recommended to define a dedicated bogus IP address rather than use the external interface of the Gateway.
The configuration of the DNS trap can be found in the Anti-Bot and Anti-Virus section on the Security gateway object:
- In SmartConsole, click Gateways & Servers and double-click the Security Gateway.
The gateway window opens and shows the General Properties page.
- From the navigation tree, select Anti-Bot and Anti-Virus.
- In the Malicious DNS Trap section, choose one of the options:
  - According to profile settings - use the Malware DNS Trap IP address configured for each profile.
  - IPv4 - enter the IP address for all the profiles assigned to this Security Gateway.
To set the Malware DNS Trap parameters in the Anti-Bot and Anti-Virus profile:
- In SmartConsole, select Security Policies > Threat Prevention.
- From the Threat Tools section, click Profiles.
- From the navigation tree, click Malware DNS Trap.
The default value for DNS trap IP is 188.8.131.52.
If, for some reason, the default IP address 184.108.40.206 cannot be used as a DNS trap, you can define a specific IP address. At the Security Gateway level, you can configure the gateway to use the settings defined in the profiles, or a specified IP address that is used by all profiles on that gateway.
When the Gateway's external interface is defined as the bogus IP, there is a list of ports on which traffic addressed to the gateway is not blocked. This list can be edited in the dns_redirection_exceptions section of the $FWDIR/conf/malware_config file.
For information about how to configure a Malware DNS Trap, refer to the R80.20 Threat Prevention Administration Guide or the R77 Threat Prevention Administration Guide.
Related solution: sk92224 - Resource Categorization for Anti-Bot / Anti-Virus DNS Settings optimization