10 Replies Latest reply on Nov 9, 2016 5:21 AM by jcrespo

    dns resolver

    jcrespo

      Hi,

       

      I saw today how the McAfee IPS is claimed to be infected by an IPS (another product) (for a domain match). What is the mechanism for resolving something? Can the IPS resolve something, and can this query match an IPS's signature?

       

       

      Thanks.

        • 1. Re: dns resolver
          catdaddy

          jcrespo,

                             Could you elaborate more please? Are you referring to this? Remove "Ads by DNS Unlocker" virus (Uninstall Guide)

           

          Cliff

          Moderator

          Consumer Products

          • 2. Re: dns resolver
            catdaddy

            Moved from  Community Support to Home User Assistance >Discussions

            • 3. Re: dns resolver
              jcrespo

              Hi,

               

              It is just that the McAfee IPS appears as infected to the other IPS, because it sends a query with an infected domain (according to blacklists).

              I wanted to take the opportunity to learn the DNS resolution mechanism. Does the IPS make its own queries through internal resolution (or does it resend queries from internal communications)?

               

              cheers.

              • 4. Re: dns resolver
                catdaddy

                I'm sorry...? Are you saying that your Personal (Site) Rating is considered 'Unsafe'? Or are you saying that you have an infection that needs removing?

                • 5. Re: dns resolver
                  jcrespo

                  The IPS is "guilty" of the infection for sending a DNS query with a domain matching a blacklist.

                  The question is: does the IPS do any internal resolution? Example: creating an ACL or rule which needs a resolution.

                  thanks.

                  • 6. Re: dns resolver
                    catdaddy

                    Then it seems that either you, or your ISP provider, needs to submit a re-evaluation to Trusted Source: How To Dispute WebAdvisor/SiteAdvisor's rating of a website

                     

                    If I construed your reply correctly?

                    • 7. Re: dns resolver
                      jcrespo

                      Nope, the DNS is internal; for this reason the matches may come from the IPS or from the host. That is the question: who can create the query (or whether the IPS itself can sometimes create a query that the other IPS catches).

                      host  ----->  [ dns ]  ----->  IPS (McAfee)  ----->  IPS (catch signature)  ----->  [ DNS external ]
                      query                                                (evil.com is bad guy)
                      (evil.com)

                      • 8. Re: dns resolver
                        Hayton

                        jcrespo,  all this talk about ISP and domain resolution, I think this properly belongs in the Business section.

                         

                        The thread has been moved from Malware Discussion to Business --> Network Security --> Network Security Platform (NSP, NIPS, NAC, NTBA)  for attention.

                         

                        To Business Moderators : please move again if necessary to the correct Business sub-section.

                        • 9. Re: dns resolver
                          d_aloy

                          Hi

                           

                          TJCrespo

                           

                          The IPS sensor will only do reputation lookups to the sites listed on this article: McAfee KnowledgeBase - Ports and traffic destinations used by Network Security Platform

                           

                          However, looking at your diagram, you are referring to the monitored traffic. The sensor lookup would be via the sensor's management port, which would not be inline with your other IPS based on your drawing. Also, the McAfee IPS sensor is completely transparent on the network, so the DNS lookup from the internal source would go through it to your other IPS, which should alert on the malicious DNS lookup with the source IP of your internal host.

                          Hope this helps... if this doesn't then please provide more details - i.e. IP addresses of your hosts, alerts, the DNS domain that triggered the alert, etc.

                           

                          Regards

                          David
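
Added example, not part of the original thread and not McAfee code: one way to work out who originated a DNS query flagged by the second IPS, by classifying the alert's source IP (sensor management address, a host directly, or the internal DNS server from the diagram) and, for the DNS server case, correlating with its query log. All addresses, the log layout and the 2-second forwarding window are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample data: addresses, names and log layout are assumptions.
RESOLVER_IP = "10.0.0.53"       # internal DNS server that forwards to the external DNS
SENSOR_MGMT_IP = "10.0.9.10"    # address of the IPS sensor's management port
WINDOW = timedelta(seconds=2)   # assumed delay between client query and forwarded query

# Internal DNS query log, one line per query: "<ISO time> <client ip> <qname>"
RESOLVER_LOG = """\
2016-11-09T05:10:01 10.0.1.21 www.example.org
2016-11-09T05:10:03 10.0.1.37 evil.com
2016-11-09T05:10:07 10.0.1.21 mail.example.org
"""

# Alerts from the second IPS: (time, source IP of the DNS query, domain)
ALERTS = [
    ("2016-11-09T05:10:03", "10.0.0.53", "evil.com"),
    ("2016-11-09T05:12:40", "10.0.9.10", "evil.com"),
    ("2016-11-09T05:13:00", "10.0.1.50", "evil.com"),
]

def parse_resolver_log(text):
    """Return a list of (datetime, client_ip, normalised qname) tuples."""
    entries = []
    for line in text.splitlines():
        ts, client, qname = line.split()
        entries.append((datetime.fromisoformat(ts), client, qname.lower().rstrip(".")))
    return entries

def attribute(alert, entries):
    """Classify which device originated the query behind one alert."""
    ts, src, domain = alert
    when, domain = datetime.fromisoformat(ts), domain.lower().rstrip(".")
    if src == SENSOR_MGMT_IP:
        return ("sensor", src)          # the sensor's own management-port lookup
    if src != RESOLVER_IP:
        return ("host", src)            # host queried the external DNS directly
    # Forwarded by the internal DNS server: find the clients that asked for
    # the same name shortly before the alert fired.
    clients = sorted({c for t, c, q in entries
                      if q == domain and timedelta(0) <= when - t <= WINDOW})
    if clients:
        return ("host-via-resolver", clients)
    return ("resolver-unknown-client", [])
```
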
