10 Replies Latest reply on Nov 9, 2016 5:21 AM by jcrespo

    dns resolver




      I saw today how the McAfee IPS is claimed to be infected by an IPS (another product) (because of a domain match). What is the mechanism for resolving something? Can the IPS resolve something, and could that query fall under an IPS's signature?




        • 1. Re: dns resolver


                             Could you elaborate more please? Are you referring to this? Remove "Ads by DNS Unlocker" virus (Uninstall Guide)




          Consumer Products

          • 2. Re: dns resolver

            Moved from  Community Support to Home User Assistance >Discussions

            • 3. Re: dns resolver



              It is just that the McAfee IPS appears as infected to the other IPS, because it sends a query with an infected domain (according to blacklists).

              I wanted to take advantage of this to learn the DNS resolution mechanism. Does the IPS make its own queries through internal resolution (or does it resend queries from internal communications)?



              • 4. Re: dns resolver

                I'm sorry...? Are you saying that your Personal (Site) Rating is considered 'Unsafe'? Or are you saying that you have an infection that needs removing?

                • 5. Re: dns resolver

                  The IPS is "guilty" of the infection for sending a DNS query with a domain matching a blacklist.

                  The question is... does the IPS do any internal resolution? Example: (create an ACL or rule which needs a resolution)


                  • 6. Re: dns resolver

                    Then it seems that either you, or your ISP provider, needs to submit a re-evaluation to Trusted Source: How To Dispute WebAdvisor/SiteAdvisor's rating of a website


                    If I construed your reply correctly?

                    • 7. Re: dns resolver

                      Nope, the DNS is internal; for this reason the matches may come from the IPS or from the host. That is the question... who can create the query (or whether the IPS itself can sometimes create a query that the other IPS catches).





                                   -------|                                                                    |--------------
                      host ------> dns    | ------> IPS (McAfee) ------> IPS (catch signature) ------>         | DNS external
                      query                                              (evil.com is bad guy)                 |
                      (evil.com)   -------|                                                                    |--------------

                      • 8. Re: dns resolver

                        jcrespo, all this talk about ISP and domain resolution, I think this properly belongs in the Business section.


                        The thread has been moved from Malware Discussion to Business --> Network Security --> Network Security Platform (NSP, NIPS, NAC, NTBA) for attention.


                        To Business Moderators : please move again if necessary to the correct Business sub-section.

                        • 9. Re: dns resolver





                          The IPS sensor will only do reputation lookups to the sites listed on this article: McAfee KnowledgeBase - Ports and traffic destinations used by Network Security Platform


                          However, looking at your diagram, you are referring to the monitored traffic. The sensor lookup would be via the sensor's management port, which would not be inline with your other IPS based on your drawing. Also, the McAfee IPS sensor is completely transparent on the network, so the DNS lookup from the internal source would go through it to your other IPS, which should alert on the malicious DNS lookup with the source IP of your internal host.


                          Hope this helps... if this doesn't then please provide more details - i.e. IP addresses of your hosts, alerts, DNS domain that triggered the alert, etc.
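
An added example, not part of the thread or of any McAfee tooling: one way to decide who originated a DNS query that the second IPS alerted on, by classifying the alert's source IP and, when it is the internal resolver, correlating with the resolver's query log. The IP addresses, the log format and the sample lines are constructed assumptions; evil.com is the placeholder from the diagram above.

```python
from datetime import datetime, timedelta

# Constructed addresses (assumptions, not taken from the thread).
SENSOR_MGMT_IP = "10.0.0.5"     # IPS sensor management port
INTERNAL_DNS_IP = "10.0.0.53"   # internal resolver that forwards upstream

# Constructed resolver query log: "<ISO time> <client IP> <queried name>"
RESOLVER_LOG = """\
2016-11-09T05:10:01 10.1.2.30 example.org
2016-11-09T05:10:07 10.1.2.44 evil.com
2016-11-09T05:10:08 10.1.2.44 EVIL.com.
2016-11-09T05:25:00 10.1.2.61 evil.com
"""

def normalize(name):
    """DNS names are case-insensitive; drop the trailing root dot."""
    return name.rstrip(".").lower()

def parse_log(text):
    """Yield (time, client, name) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        ts, client, qname = parts
        yield datetime.fromisoformat(ts), client, normalize(qname)

def attribute_alert(alert_time, src_ip, domain, log_text=RESOLVER_LOG, window_s=30):
    """Return (origin, candidate IPs) for a DNS alert seen by the other IPS."""
    if src_ip == SENSOR_MGMT_IP:
        # The sensor's own lookups leave via its management port.
        return "sensor-management", [src_ip]
    if src_ip != INTERNAL_DNS_IP:
        # Monitored traffic passed through transparently: the host asked directly.
        return "host-direct", [src_ip]
    # The resolver forwarded the query: find clients that asked just before.
    when = datetime.fromisoformat(alert_time)
    lo = when - timedelta(seconds=window_s)
    wanted = normalize(domain)
    clients = sorted({c for ts, c, q in parse_log(log_text)
                      if q == wanted and lo <= ts <= when})
    return "host-via-resolver", clients

if __name__ == "__main__":
    print(attribute_alert("2016-11-09T05:10:09", INTERNAL_DNS_IP, "evil.com"))
```

An empty client list for a resolver-sourced alert means the log window or log coverage needs widening before concluding anything about the origin.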



