Issue:
- When a user tries to access certain web sites, the administrator gets alerts in Policy Manager Console stating that a DNS query was blocked for a domain.
- The alert text received from Policy Manager contains: "309 2020-03-22 21:57:47+01:00 SERVER0X SYSTEM F-Secure Network Filter 1.3.6.1.4.1.2213.11.1.12 Blocked a DNS query for the following unsafe domain: www.test.com"
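To tell whether alerts like the one above come from a single client or from many, the forwarded alert lines can be parsed and counted per host and per domain. The script below is an added example and not WithSecure/F-Secure code; the field layout (sequence number, timestamp, host, alert level, product, SNMP-style OID, message) is an assumption based on the single alert line quoted above, and the additional sample lines are constructed for the example.

```python
"""Parse Policy Manager DNS-filter alert lines and summarise them per host.

Added example, not WithSecure/F-Secure code. The field layout is an
assumption based on the one alert line quoted in the issue:
  <seq> <timestamp> <host> <level> <product> <oid> <message>
"""
import re
from collections import Counter, defaultdict

# Constructed sample input: the line from the issue plus invented lines
# from a second host, to show the aggregation.
SAMPLE_ALERTS = """\
309 2020-03-22 21:57:47+01:00 SERVER0X SYSTEM F-Secure Network Filter 1.3.6.1.4.1.2213.11.1.12 Blocked a DNS query for the following unsafe domain: www.test.com
310 2020-03-22 21:58:01+01:00 SERVER0X SYSTEM F-Secure Network Filter 1.3.6.1.4.1.2213.11.1.12 Blocked a DNS query for the following unsafe domain: www.test.com
311 2020-03-22 22:03:15+01:00 WS-0042 SYSTEM F-Secure Network Filter 1.3.6.1.4.1.2213.11.1.12 Blocked a DNS query for the following unsafe domain: cdn.example.net
312 2020-03-22 22:05:40+01:00 WS-0042 SYSTEM F-Secure Network Filter 1.3.6.1.4.1.2213.11.1.12 Blocked a DNS query for the following unsafe domain: www.test.com
not an alert line at all
"""

ALERT_RE = re.compile(
    r"^(?P<seq>\d+)\s+"
    r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}[+-]\d{2}:\d{2})\s+"
    r"(?P<host>\S+)\s+"
    r"(?P<level>\S+)\s+"
    r"(?P<product>.+?)\s+"          # product name may contain spaces
    r"(?P<oid>\d+(?:\.\d+)+)\s+"    # SNMP-style OID identifying the alert type
    r"(?P<message>.+)$"
)
# Message text used by the DNS filter alert, with the domain at the end.
DNS_BLOCK_RE = re.compile(
    r"Blocked a DNS query for the following unsafe domain:\s*(?P<domain>\S+)"
)


def parse_alert(line):
    """Return the alert fields as a dict, or None if the line does not match."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    alert = m.groupdict()
    dm = DNS_BLOCK_RE.search(alert["message"])
    alert["domain"] = dm.group("domain").lower().rstrip(".") if dm else None
    return alert


def summarize_dns_blocks(text):
    """Aggregate DNS-filter alerts: blocks per host, blocks per domain, and
    which hosts queried each domain. Lines that are not DNS-filter alerts
    are counted as unparsed rather than silently dropped."""
    per_host, per_domain = Counter(), Counter()
    hosts_per_domain = defaultdict(set)
    unparsed = 0
    for line in text.splitlines():
        if not line.strip():
            continue
        alert = parse_alert(line)
        if alert is None or alert["domain"] is None:
            unparsed += 1
            continue
        per_host[alert["host"]] += 1
        per_domain[alert["domain"]] += 1
        hosts_per_domain[alert["domain"]].add(alert["host"])
    return {
        "per_host": dict(per_host),
        "per_domain": dict(per_domain),
        "hosts_per_domain": {d: sorted(h) for d, h in hosts_per_domain.items()},
        "unparsed": unparsed,
    }


if __name__ == "__main__":
    summary = summarize_dns_blocks(SAMPLE_ALERTS)
    for domain, hosts in summary["hosts_per_domain"].items():
        print(f"{domain}: {summary['per_domain'][domain]} blocks from {', '.join(hosts)}")
    print("unparsed lines:", summary["unparsed"])
```

A domain that shows up from many hosts is worth a closer look than one repeated by a single client; the OID is kept in the parsed record so other alert types forwarded by Policy Manager can be filtered out on it.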
Resolution:
Note: The notifications you get from F-Secure Policy Manager Server regarding the DNS filter are not errors. They are alerts sent by the clients. F-Secure Policy Manager does not generate errors on behalf of clients; clients generate errors locally and only send alerts to Policy Manager.
If alert forwarding is enabled in Policy Manager, the administrator is notified each time a query is blocked.
This is expected behavior. To understand it better, read the explanation below.
The DNS filtering decision is based on the ORSP rating of the queried domain, so ORSP (Security Cloud) must be enabled from Policy Manager Console for all clients.
How to enable Security Cloud using F-Secure Policy Manager Console:
- Log in to WithSecure Policy Manager Console and navigate to the Advanced view.
- Expand the F-Secure Security Cloud Client Settings, make sure that "Client is enabled" and "allow deeper analyses" are both set to "yes", and distribute the policy.
ORSP stands for Object Reputation Service Protocol. When a new object, such as a file or URL, is encountered on a client, the product communicates with the Security Cloud using the strongly encrypted Object Reputation Service Protocol (ORSP) to query the object's reputation details. Anonymous metadata about the object, such as file size and anonymized path, is sent to the Security Cloud. You can find more information about the Security Cloud here: https://www.f-secure.com/en/web/legal_global/privacy/security-cloud
Botnet Blocker works at the level of DNS resolution and IP address filtering.
When DNS filtering is enabled, the client does not allow a DNS name to be resolved if that name is known to be unsafe.
When IP reputation filtering is enabled, the client blocks connections to IP addresses that have a bad reputation in ORSP.
If you set the filter to allow all queries, you have disabled the DNS filter: no DNS scanning takes place at the NIF (Network Interception Framework) level.
If you set the filter to, for example, "Allow safe queries only", it may still block local DNS queries, because only names with a safe rating are allowed through and names that the Security Cloud has not rated are treated as unknown.
DNS record information is usually cached (in the browser, on the computer, or on a network forwarder) for a specific amount of time; anywhere from 5 minutes to 8 hours is normal. A name that is still cached does not cause a new query, so a change of filtering mode may not be visible for that name until the cache entry expires.
- Block unsafe queries: unsafe (malicious) domains are blocked; unknown, suspicious, and safe domains go through.
- Block unsafe and suspicious queries: unsafe (malicious) and suspicious domains are blocked; unknown and safe domains go through.
- Allow safe queries only: only domains rated safe go through; unknown, suspicious, and unsafe (malicious) domains are blocked.
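The three modes, together with the "allow all queries" setting that disables the filter, can be expressed as a small decision function and run against a set of rated names. The script below is an added example and not WithSecure/F-Secure code: the reputation table is a constructed stand-in for the ORSP lookup that the real client performs against the Security Cloud, the mode names are this example's own labels rather than product setting identifiers, and the query list is constructed. It also shows the caveat above: under "Allow safe queries only", an internal hostname that has never been rated is blocked because it is unknown.

```python
"""Simulate the DNS filtering modes of Botnet Blocker against rated domains.

Added example, not WithSecure/F-Secure code. The ratings (safe, unknown,
suspicious, unsafe) and the mode semantics follow the list above; the
reputation table stands in for the ORSP lookup against the Security Cloud,
and the mode labels are this example's own, not product setting names.
"""
from enum import Enum


class Rating(Enum):
    SAFE = "safe"
    UNKNOWN = "unknown"
    SUSPICIOUS = "suspicious"
    UNSAFE = "unsafe"


# Ratings that each filtering mode blocks; every other rating goes through.
MODE_BLOCKS = {
    "allow_all": frozenset(),  # DNS filter disabled, nothing is scanned
    "block_unsafe": frozenset({Rating.UNSAFE}),
    "block_unsafe_and_suspicious": frozenset({Rating.UNSAFE, Rating.SUSPICIOUS}),
    "allow_safe_only": frozenset({Rating.UNSAFE, Rating.SUSPICIOUS, Rating.UNKNOWN}),
}

# Constructed reputation table standing in for ORSP. Names that are not in
# the table (internal hostnames, brand-new domains) have no rating: UNKNOWN.
REPUTATION = {
    "www.example.com": Rating.SAFE,
    "www.test.com": Rating.UNSAFE,  # the domain from the alert in the issue
    "tracker.example.net": Rating.SUSPICIOUS,
}


def lookup_rating(name):
    """Normalise the queried name and return its rating (UNKNOWN if unrated)."""
    return REPUTATION.get(name.lower().rstrip("."), Rating.UNKNOWN)


def filter_query(mode, name):
    """Decide whether a DNS query for `name` is allowed under `mode`.

    Returns (allowed, rating). An unrecognised mode raises ValueError so a
    mistyped policy value cannot silently fall through to 'allow'.
    """
    if mode not in MODE_BLOCKS:
        raise ValueError(f"unknown filtering mode: {mode!r}")
    rating = lookup_rating(name)
    return rating not in MODE_BLOCKS[mode], rating


def blocked_names(mode, names):
    """Return, in input order, the names that `mode` would refuse to resolve."""
    return [n for n in names if not filter_query(mode, n)[0]]


if __name__ == "__main__":
    queries = [
        "www.example.com",           # safe
        "fileserver.corp.internal",  # internal name, never rated -> unknown
        "tracker.example.net",       # suspicious
        "www.test.com",              # unsafe
    ]
    for mode in MODE_BLOCKS:
        print(f"{mode}: blocked {blocked_names(mode, queries)}")
```

Running it prints one line per mode; the last one, allow_safe_only, lists fileserver.corp.internal among the blocked names, which is the "might still block local DNS" behaviour described above.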
Blocking botnet communication
Botnet Blocker is a security feature that aims to prevent botnet agents from communicating with their command and control servers.
The feature uses DNS reputation data to check the safety of queries when DNS requests are resolved to IP addresses.
To configure Botnet Blocker in the Standard view:
- On the Settings > Web traffic scanning page, go to Botnet blocker.
- Set the filtering mode to use for DNS queries. By default, this is set to Block unsafe queries.
- Set the alert level to use for notifications of blocked DNS queries.
- Distribute the policy.
You can choose what works best for you; there are different options in Policy Manager Console: