Configuring a Malware DNS Trap
The Malware DNS trap works by configuring the Security Gateway to return a false (bogus) IP address for known malicious hosts and domains.
You can use the Security Gateway's external IP address as the DNS trap address, but:
- Do not use a Security Gateway's address that leads to the internal network.
- Do not use the Security Gateway's internal management address.
- If the Security Gateway's external IP address is also the management address, select a different address for the DNS trap.
You can also add internal DNS servers to better identify the origin of malicious DNS requests.
With the Malware DNS Trap, you can detect compromised clients by checking the logs for connection attempts to the false IP address.
At the Security Gateway level, you can configure the DNS Trap according to the profile settings or as a specific IP address for all profiles on the specific Security Gateway.
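
The log check described above can be scripted. The following is an added example, not Check Point code: it aggregates connection attempts to the trap address per source so the most active clients are investigated first. The CSV layout, the trap address `203.0.113.10`, and the names `find_trap_hits` and `triage_order` are assumptions made for illustration.

```python
import csv
import io
from collections import defaultdict
from ipaddress import ip_address

# Constructed sample data. The CSV layout (time,src,dst,dport,action) is an
# assumption for this example, not a Check Point log export format.
TRAP_IP = "203.0.113.10"  # placeholder trap address (documentation range)
SAMPLE_LOG = """\
time,src,dst,dport,action
2024-05-01T10:00:03,10.1.20.14,203.0.113.10,443,drop
2024-05-01T10:00:09,10.1.20.31,198.51.100.7,443,accept
2024-05-01T10:05:03,10.1.20.14,203.0.113.10,443,drop
2024-05-01T10:07:41,10.1.20.77,203.0.113.10,8080,drop
2024-05-01T10:10:03,10.1.20.14,203.0.113.10,80,drop
2024-05-01T10:11:00,not-an-ip,203.0.113.10,80,drop
"""


def find_trap_hits(log_text, trap_ip):
    """Aggregate connection attempts to the trap IP per source address."""
    trap = ip_address(trap_ip)
    hits = defaultdict(lambda: {"count": 0, "first": None, "last": None, "ports": set()})
    for row in csv.DictReader(io.StringIO(log_text)):
        try:
            src, dst, seen = ip_address(row["src"]), ip_address(row["dst"]), row["time"]
        except (KeyError, TypeError, ValueError):
            continue  # malformed or truncated row: skip rather than abort
        if dst != trap:
            continue  # ordinary traffic, not a trap hit
        entry = hits[str(src)]
        entry["count"] += 1
        # ISO 8601 timestamps in one time zone sort correctly as strings.
        entry["first"] = seen if entry["first"] is None else min(entry["first"], seen)
        entry["last"] = seen if entry["last"] is None else max(entry["last"], seen)
        entry["ports"].add(row["dport"])
    return dict(hits)


def triage_order(hits):
    """Sources to investigate first: most trap connection attempts first."""
    return sorted(hits, key=lambda src: (-hits[src]["count"], src))


if __name__ == "__main__":
    found = find_trap_hits(SAMPLE_LOG, TRAP_IP)
    for src in triage_order(found):
        h = found[src]
        print(src, h["count"], h["first"], h["last"], sorted(h["ports"]))
```

Repeated attempts at regular intervals from one source, as with `10.1.20.14` in the sample, are a common sign of automated beaconing rather than a user clicking a link once.
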
To set the Malware DNS Trap parameters for the profile:
- In SmartConsole, select Security Policies > Threat Prevention.
- From the Custom Policy Tools section, click Profiles.
  The Profiles page opens.
- Right-click the profile, and click Edit.
- From the navigation tree, click Malware DNS Trap.
- Click Activate DNS Trap.
- Enter the IP address for the DNS trap.
- Optional: Add Internal DNS Servers to identify the origin of malicious DNS requests.
- Click OK and close the Threat Prevention profile window.
- Install the Threat Prevention policy.
To set the Malware DNS Trap parameters for a Security Gateway:
- In SmartConsole, from the left navigation panel, click Gateways & Servers and double-click the Security Gateway object.
  The Security Gateway object opens and shows the General Properties page.
- From the navigation tree, select Anti-Bot and Anti-Virus.
- In the Malicious DNS Trap section, select one of these options:
  - According to profile settings - Use the Malware DNS Trap IP address configured for each profile.
  - IPv4 - Enter an IP address to be used in all the profiles assigned to this Security Gateway.
- Click OK.
- Install the policy.