Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

Create a DNS Security and ETI Profile

Create a DNS security profile to configure feeds and a threat score to list the domains that are known to be connected to malicious activity.

To create a DNS Security and ETI Profile:

  1. Select Configure > Firewall Policy > DNS Security & ETI Profile.

    The DNS Security & ETI Profile page is displayed.

  2. Click the + icon.

    The Configure DNS Security & ETI Profile page is displayed.

  3. Configure the values according to the guidelines provided in Table 1.
  4. Click OK.

    You can view the created profile on the DNS Security & ETI Profile page.

Table 1: Create DNS Security and ETI Profile

Fields

Description

Name

Enter a name for the DNS profile. The name must be a unique string of alphanumeric and special characters; 63-character maximum. Special characters such as < and > are not allowed.

DGA Detection

Enable DNS Domain Generation Algorithm (DGA) to generate random domain names that are used as rendezvous points with potential C&C servers.

Action

Select an action that Security Director must perform when malicious traffic is detected.

  • Deny—Drops the tunnel session.

  • Sinkhole—Drops the tunnel sessions and sinkholes the domain.

  • Permit—Permits the tunnel session.

Logs

Select the logging action that Security Director must perform when malicious traffic is detected.

  • Log Everything—Generates log for each DNS request and DNS detections.

  • Log Detections—Generates log only for malicious DNS detections.

Verdict-timeout

Select a time in milliseconds to wait for a verdict on DNS packet. The range is 50 to 500 milliseconds. The default timeout value is 100 milliseconds.

Fallback-options-log

Enable the fallback option for DNS DGA detection. The fallback options are triggered if DGA verdict is not received within the verdict-timeout configured value. The available option is to log the DNS request.

Tunnel Detection

Enable this option to detect DNS tunneling. DNS tunneling is a cyber-attack method that encodes the data of other programs or protocols in DNS queries and responses. It indicates that DNS traffic is likely to be subverted to transmit data of another protocol or malware beaconing.

Action

Specify the action that SRX Series devices must take when a DNS tunneling is detected. The available options are:

  • Deny—Drops the tunnel session

  • Permit—Permits the tunnel session

Logs

Specify the action taken for DNS tunneling detection. The available options are:

  • Log Everything—Generates log per DNS request and DNS detections.

    • Log Detections—Generates log only for malicious DNS detections.

Inspection-depth

Select the number of packets to be inspected for tunnel detection. The range is 0 through 10. Default is 4 packets.

Fallback-options-Log

Enable the fallback option for DNS tunneling detection. The fallback option is triggered if a tunnel is not detected within the specified number of packets (inspections-depth). The available option is to log the DNS request.

Encrypted Traffic Insight (ETI)

Enable this option to detect malicious threats hidden in an encrypted traffic without intercepting and decrypting the traffic.

Action

The default option is permit (permits tunnel session).

Logs

Select an action for ETI detection:

  • Log Everything—Generates log for each DNS request and DNS detections.

  • Log Detections—Generates log only for malicious DNS detections.

Fallback-options-Log

Enable the fallback option for ETI detection. The fallback option is triggered if an ETI is not detected within the specified number of packets. The available option is to log the DNS request.

Cache TTL

Enable the option to store DNS in cache till time-to-live (TTL).

Benign

Select a benign TTL value. The range is 60 through 172800 seconds. The default value is 86400 seconds.

C2

Select a C2 TTL value. The range is 60 through 172800 seconds. The default value is 86400 seconds.