Question about Security Intelligence in firepower.

FredrikW73
Level 1

DNS-based Security Intelligence blocks attempts to resolve blacklisted names in DNS requests.
Does it also block DNS responses containing referrals to blacklisted names?

 

For example, I try to resolve A (which is a whitelisted name).
The response does not contain an answer for A but rather
a referral to nameserver B (which is blacklisted).

 

Would the response be blocked by DNS-based Security Intelligence?

2 Replies

Marvin Rhoads
Hall of Fame

If I understand the scenario correctly, wouldn't the client then need to resolve the referral as well? Or if it was just to an IP address perhaps the IP address would be picked up in the SI address blacklist.

The scenario is this: the client looks up a whitelisted name via a resolver.

The resolver gets a referral back, without any IP addresses, but containing the name of a blacklisted name server.

Will the referral be blocked so that the resolver never gets to know the blacklisted name?

 

I understand that if the resolver gets the referral, it will perform a lookup for the blacklisted name and that would be blocked.

 

Thing is, our internal DNS acts as a resolver for our clients. We see that our internal DNS makes lookups for blacklisted names,

but no client has tried to look up the names. My theory is that referrals trigger these lookups from the internal DNS.

That would not work, though, if referrals to blacklisted names were blocked by Security Intelligence.
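To make the scenario from the question and the follow-up concrete, here is an added Python example (not from the original posts and not Cisco code) that builds a DNS referral in wire format, parses it, and applies a blacklist two ways: against the question name only, and against every name carried in the message, including the NS target names in the authority section. It does not model what Firepower's DNS policy actually inspects; it only shows where the blacklisted name sits in a referral (in NS rdata, not in the QNAME) and why a check that sees only query names would first match the resolver's follow-up query for the name server rather than the referral itself. The domain names and the blacklist entry are constructed for illustration.

```python
import struct

# Constructed blacklist and names for illustration only (not real domains).
BLACKLIST = ["evil-dns.test"]


def encode_name(name):
    """Encode a dotted name as uncompressed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg, off):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:            # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            end = end if end is not None else off + 2
            off = ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)


def build_query(qname):
    """A plain A query with RD set, as a stub or resolver would send it."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", 1, 1)


def build_referral(qname, zone, ns_names):
    """A referral: QR set, empty answer section, NS records for the zone in
    the authority section, and no glue in the additional section."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8000, 1, 0, len(ns_names), 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)
    authority = b""
    for ns in ns_names:
        rdata = encode_name(ns)
        authority += encode_name(zone) + struct.pack("!HHIH", 2, 1, 3600, len(rdata)) + rdata
    return header + question + authority


def parse(msg):
    """Return (question names, [(section, owner, rtype, ns_target)])."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off, questions, records = 12, [], []
    for _ in range(qd):
        name, off = decode_name(msg, off)
        off += 4                              # skip QTYPE, QCLASS
        questions.append(name)
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            owner, off = decode_name(msg, off)
            rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            target = decode_name(msg, off)[0] if rtype == 2 else None  # NS rdata is a name
            off += rdlen
            records.append((section, owner, rtype, target))
    return questions, records


def is_listed(name, blacklist):
    """Match a name equal to, or a subdomain of, a blacklist entry."""
    name = name.lower().rstrip(".") + "."
    for entry in blacklist:
        entry = entry.lower().rstrip(".") + "."
        if name == entry or name.endswith("." + entry):
            return True
    return False


def qname_hits(msg, blacklist):
    """Blacklist applied to the question section only."""
    return [q for q in parse(msg)[0] if is_listed(q, blacklist)]


def all_name_hits(msg, blacklist):
    """Blacklist applied to every name in the message, including NS targets."""
    questions, records = parse(msg)
    hits = [("question", q) for q in questions if is_listed(q, blacklist)]
    for section, owner, _rtype, target in records:
        if is_listed(owner, blacklist):
            hits.append((section, owner))
        if target and is_listed(target, blacklist):
            hits.append((section, target))
    return hits


# Constructed scenario from the thread: a lookup of a clean name comes back as
# a referral to name servers whose names are on the blacklist.
REFERRAL = build_referral("www.example.test", "example.test",
                          ["ns1.evil-dns.test", "ns2.evil-dns.test"])
FOLLOW_UP = build_query("ns1.evil-dns.test")  # what the resolver asks next

if __name__ == "__main__":
    print("referral, QNAME only: ", qname_hits(REFERRAL, BLACKLIST))
    print("referral, all names:  ", all_name_hits(REFERRAL, BLACKLIST))
    print("follow-up, QNAME only:", qname_hits(FOLLOW_UP, BLACKLIST))
```

Run as a script it prints an empty list for the referral when only the QNAME is checked, both NS names when the authority section is included, and the NS name again for the resolver's follow-up query. That is the pattern the follow-up post describes: the internal resolver's own query for the name server is the first message in which the blacklisted name appears as a QNAME, so a QNAME-only check would log the resolver, not the client, as the source.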
