This article explains how to choose which DNS protections your account enforces as part of the IPS service.
Cato's DNS Protection enhances the IPS service and gives you granular control over the level of security for DNS traffic in your account. The different types of DNS protection that Cato provides are listed in the DNS Protection page (Security > DNS Protection) and you can enable or disable specific protections to meet the needs of your organization.
Cato continually updates DNS domains and categories and adds new types of protections to the DNS Protection page.
DNS Protection provides robust security by blocking DNS requests before there is a connection between the host and the malicious server (no TCP or UDP handshake). When DNS Protection is disabled, the IPS service still provides some protections for DNS threats, however it doesn't cover all the threats covered by DNS Protection, and they are blocked at a later stage, when the destination is accessed. Therefore, we recommend as a best practice to enable both IPS and DNS Protection.
You can use the Threat Catalog to see the DNS protections included in the basic IPS service and those included in DNS Protection.
When a DNS request is blocked, it is often not possible to identify the IP address of the original host making the request, due to the request passing from the host through other devices such as private DNS servers or access points. Cato provides a DNS sinkholing option that solves this issue and identifies the IP addresses of infected hosts on the network issuing malicious DNS requests.
When a DNS protection is set to the Sinkhole action, the DNS Protection engine returns a forged response to the host querying the malicious domain, resolving the query to the IP address of a designated Cato sinkhole server. Cato pushes an IP in the Cato system range (such as 10.254.x.x) to the host. The host then attempts to connect directly over the Internet to that IP address, enabling the IPS service to identify the host IP address. The service blocks the traffic and reports the host IP address as the Source IP in the event log.
When the Sinkhole action is performed on a traffic flow, two events are generated. The first event reports the execution of the Sinkhole action taken when the host initially queries the malicious destination, and the Source IP field may not reflect the address of the client host. The second event reports that the DNS request was blocked when the host attempted to connect to the sinkhole server, and the action for the event is also Sinkhole. This second event reports the actual host IP address in the Source IP field. This lets you easily identify infected hosts on your network by filtering the Events page to show events for all traffic connecting to the sinkhole server IP address.
For more about DNS Protection events, see Analyzing DNS Protection Events below.
End-user Experience of the Block and Sinkhole Actions
When the IPS engine blocks a DNS request, the connection to the domain is dropped before the end-user receives a DNS response.
When a DNS request is sinkholed, the end-user receives a DNS response, and the connection is dropped when the host attempts to connect to the sinkhole server.
DNS Protection is included in the IPS license. For more about purchasing the IPS license, please contact your Cato representative.
This is an example of the workflow for the Malicious Domains DNS protection when a host tries to access a malicious domain:
- The host device tries to access a malicious domain from the browser.
- The IPS engine identifies that there is a DNS request to a malicious domain and blocks the DNS request.
- The DNS request is blocked before there is a connection between the host and the malicious server (no TCP or UDP handshake).
Use the DNS Protection page to select which types of DNS Protections the IPS engine enforces for your account. When you enable DNS Protection for your account, the IPS engine inspects every DNS request sent over the Cato Cloud. DNS requests are also inspected for accounts that don't use Cato as their DNS server and use a private DNS server instead.
For each DNS protection you can set one of the following actions:
- Allow - The IPS engine does not enforce the protection; however, an event is generated to let you monitor the traffic.
- Block - The IPS engine blocks the DNS requests for traffic that matches the protection, and an event is generated.
- Sinkhole - The DNS request is first diverted to the sinkhole server, then the traffic attempting to connect to the server is blocked. A separate event is generated for each phase of the Sinkhole action. For more information, see DNS Sinkholing above.
Default Settings for DNS Protections
The Cato Security team defines the default action for each DNS protection based on the potential to impact legitimate traffic in your organization.
- Default Block action - Protections that are assigned the Block action by default generally have few false positives and will not impact legitimate traffic. We recommend that you leave these DNS protections with the default Block action.
- Default Allow action - Protections that are assigned the Allow action by default may generate false positives, and it's possible that they could block legitimate traffic in your organization. We recommend that before you change these protections to the Block action, you first run these DNS protections for a few weeks with the Allow action and review the events to monitor the number of false positive matches.
To define the DNS Protections for your account:
- From the navigation pane, select Security > DNS Protection.
- Click the slider to enable (green) or disable (gray) the DNS Protection policy for the account.
- To customize a DNS protection type, click the Action or Track for that row. The panel opens for that DNS protection type.
  - In the Action section, select to Allow, Block, or Sinkhole the DNS traffic that matches the protection.
  - In the Track section, select if you want to send email notifications for DNS traffic that matches the protection.
- Click Apply and then click Save.
You can create an IPS Allowlist rule on the IPS page to define an exception and allow DNS traffic with a specific DNS Protection signature, or you can allowlist a DNS Protection signature from a block event log. For more about creating IPS Allowlist rules, see Allowlisting IPS Signatures.
You can also allowlist specific trusted domain names in the IPS Allow List to exclude them from DNS Protection scans.
To allowlist specific domain names:
- From the navigation menu, click Security > IPS.
- Click New. The New Allow List panel opens.
- Enter the Name for the rule.
- Select the Scope of the rule as follows:
  - For traffic configured to use the default Cato DNS server or a private DNS server, select WAN
  - For traffic configured to use a public DNS server, select Outbound
- Under Destination, select Domain, and add the required domain name.
- Click Apply. The IPS allowlist rule is added to the rulebase.
- Click Save.
The Threats Dashboard includes the following three widgets to help you monitor the status of the DNS protections in your account:
- Threats Type - Shows the name of the type of DNS category and the number of events for each type
- Top Domains - Shows a list of the top domains that were blocked with the number of DNS protection events for each domain
- Top Hosts - Shows a list of the top hosts (source IP address) with the number of DNS protection events for each host
The Home > Events page shows all the DNS Protection events for your account. The search tools let you drill down and identify the key events that contain the data you need.
DNS Protection events can be identified by the following fields:
- Event Type - Security
- Sub-Type - DNS Protection
- DNS Protection Category - Cato's DNS Protection type that matched the DNS request
- DNS Query - Domain queried in the DNS request
You can learn more about using the Events page here. You can use the DNS Protection preset to filter the events.
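The two-phase Sinkhole flow described under DNS Sinkholing above, and the event fields listed here, as an added Python example (not Cato code): it filters DNS Protection events and keeps only the second-phase Sinkhole events, whose destination falls in the sinkhole range, to recover the real host IP, while listing hits that were never confirmed by a sinkhole connection. The event field names and the sample events are assumed and constructed for illustration; the 10.254.x.x range is the one the article gives.

```python
import ipaddress
from collections import defaultdict

# Cato sinkhole addresses are in the 10.254.x.x range (from the article).
SINKHOLE_NET = ipaddress.ip_network("10.254.0.0/16")

# Constructed sample events; field names are assumed, not Cato's event schema.
EVENTS = [
    # Phase 1: forwarded by the private DNS server, so Source IP is the resolver.
    {"event_type": "Security", "sub_type": "DNS Protection", "action": "Sinkhole",
     "src_ip": "10.0.0.53", "dst_ip": "1.1.1.1", "dns_query": "bad.example.test",
     "dns_protection_category": "Malicious Domains"},
    # Phase 2: the host connects to the forged answer, so Source IP is the real host.
    {"event_type": "Security", "sub_type": "DNS Protection", "action": "Sinkhole",
     "src_ip": "10.0.1.17", "dst_ip": "10.254.0.7", "dns_query": "bad.example.test",
     "dns_protection_category": "Malicious Domains"},
    # Plain Block: no sinkhole connection, so the host is never identified.
    {"event_type": "Security", "sub_type": "DNS Protection", "action": "Block",
     "src_ip": "10.0.0.53", "dst_ip": "1.1.1.1", "dns_query": "c2.example.test",
     "dns_protection_category": "Malicious Domains"},
    # Non-DNS IPS event hitting a sinkhole IP; must be ignored by the filters.
    {"event_type": "Security", "sub_type": "IPS", "action": "Block",
     "src_ip": "10.0.1.17", "dst_ip": "10.254.0.7", "dns_query": "",
     "dns_protection_category": ""},
]

def is_dns_protection(ev):
    """Event Type = Security and Sub-Type = DNS Protection, as in the article."""
    return ev["event_type"] == "Security" and ev["sub_type"] == "DNS Protection"

def is_sinkhole_connect(ev):
    """Second-phase Sinkhole event: the host itself connects to the sinkhole IP."""
    return (is_dns_protection(ev) and ev["action"] == "Sinkhole"
            and ipaddress.ip_address(ev["dst_ip"]) in SINKHOLE_NET)

def infected_hosts(events):
    """Map each real client IP to the domains it queried (phase-2 events only)."""
    hosts = defaultdict(set)
    for ev in filter(is_sinkhole_connect, events):
        hosts[ev["src_ip"]].add(ev["dns_query"])
    return dict(hosts)

def unattributed_queries(events):
    """DNS Protection hits never confirmed by a sinkhole connection; their
    Source IP may be a resolver or access point rather than the host."""
    confirmed = {d for ds in infected_hosts(events).values() for d in ds}
    return sorted({ev["dns_query"] for ev in events if is_dns_protection(ev)
                   and not is_sinkhole_connect(ev) and ev["dns_query"] not in confirmed})
```

In practice the same filter corresponds to the Events page query described above: DNS Protection events whose destination is the sinkhole server address, with the Source IP field giving the infected host.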