1020 Views | 5 Helpful | 2 Replies

Firepower DNS policy

ccna_security
Level 3

Hello. I want to create a DNS policy on Firepower, but some questions need to be answered first. The documentation says that the DNS policy blocks all malicious domains (Attacker, Phishing, CnC, Botnet, etc.). Then I read about DNS sinkhole: it is used to forward malicious domain requests to a sinkhole server in order to identify who performed this malicious activity. And the sinkhole only supports CnC, Malware and Phishing. My questions are:

1. Why don't we block malicious traffic as soon as the Firepower DNS policy sees it?

2. Why does the sinkhole support only a few categories (Phishing, CnC, Malware) compared to the DNS policy, which supports more than that (Attacker, Phishing, CnC, Botnet, etc.)?

Please explain to me what the significant difference is between a sinkhole and a simple DNS block. Maybe I completely misunderstood the topic. If so, please explain.

Hope you understand what I wanted to say. Sorry for the poor writing in English.

2 Replies

dejan_jov1
Level 1

Hi,

Well, if an infected client makes a bad DNS request and the firewall is not placed between the infected client and the local DNS server, then the firewall will only see the bad DNS request coming from the local DNS server. In this situation the Firepower will block the DNS request from the DNS server, but it will not be aware of which client is making this DNS request. The solution is to configure a DNS sinkhole, a bogus server that answers the bad DNS request with its own IP address, so when the infected client tries to contact the sinkhole IP address it will be identified by Firepower.

Basically it is all about the placement of the DNS server in your network.

Hi Dejan_jov1,

Thanks for the prompt reply. I tested the DNS policy on Firepower without configuring a sinkhole and asked a user to enter a malicious site that we found from a global blacklisted domain name list. When the host entered the site (by the way, I configured it in Monitor mode, not Block mode), I looked at the Security Intelligence logs and saw the IP address of the host that wanted to connect to the malicious site. So, if I am able to see which host initiated the connection, why should I configure a sinkhole?

We have 2 DNS servers. In the logs we observed that the host (H) request is sent to the DNS1 server through the firewall. Then the DNS1 server sends the request to the second server, DNS2, through the firewall. You are right on this point: I am not able to see which host initiated the request if the logs only show requests between DNS1 and DNS2.
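The attribution problem dejan_jov1 describes and the DNS1-to-DNS2 observation above, as an added example that is not part of this thread: the DNS log only ever names the forwarding resolver, while the connection log to the sinkhole IP names the real client. All addresses, hostnames and log entries are constructed; the analysis functions are hypothetical, not Firepower features.

```python
"""Why a DNS sinkhole recovers the client identity (constructed example).

When an internal resolver forwards queries, the firewall's DNS log shows the
resolver as the source of every blocked query. A sinkhole answers the bad
name with a sinkhole IP, so the infected client's next connection goes to
that IP and is logged with the client's own address.
"""
from collections import namedtuple

DnsEvent = namedtuple("DnsEvent", "src qname action")
ConnEvent = namedtuple("ConnEvent", "src dst dport")

RESOLVER = "10.0.0.53"       # internal DNS1, constructed
SINKHOLE_IP = "10.99.99.99"  # address returned by the sinkhole, constructed

# Constructed Security Intelligence DNS log: DNS1 forwards on behalf of
# clients, so each blocked/sinkholed query is attributed to DNS1 only.
DNS_LOG = [
    DnsEvent(RESOLVER, "bad.example", "sinkhole"),
    DnsEvent(RESOLVER, "bad.example", "sinkhole"),
    DnsEvent(RESOLVER, "updates.example", "allow"),
]

# Constructed connection log: clients that received the sinkhole answer
# now try to reach the sinkhole IP directly, exposing their own address.
CONN_LOG = [
    ConnEvent("10.0.1.17", SINKHOLE_IP, 443),
    ConnEvent("10.0.1.42", SINKHOLE_IP, 80),
    ConnEvent("10.0.1.17", "198.51.100.10", 443),  # unrelated, not sinkhole
]


def hosts_from_dns_log(events):
    """Sources of non-allowed queries: only the resolver, never a client."""
    return sorted({e.src for e in events if e.action != "allow"})


def hosts_from_sinkhole(events, sinkhole_ip=SINKHOLE_IP):
    """Clients that connected to the sinkhole IP: the hosts to investigate."""
    return sorted({e.src for e in events if e.dst == sinkhole_ip})


if __name__ == "__main__":
    print("DNS log attributes blocks to:", hosts_from_dns_log(DNS_LOG))
    print("Sinkhole identifies clients:", hosts_from_sinkhole(CONN_LOG))
```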
