This article describes a feasible mechanism for companies running an internal Domain Name System (DNS) to allow GTI internal queries.
Testing connectivity
Perform a manual lookup using
nslookup to verify that your computer can connect to the GTI server:
- Press Windows+R, type cmd, and click OK.
- Type nslookup 4z9p5tjmcbnblehp4557z1d136.avqs.mcafee.com and press Enter.
You see a response similar to the following:
Server: <mylocaldnsserver.org>
Address: 10.10.135.201
Name: 4z9p5tjmcbnblehp4557z1d136.avqs.mcafee.com
Address: 127.0.4.8
If the nslookup fails or has a time-out error, see KB53733 - Verify that GTI File Reputation is installed and endpoints can communicate with the GTI server.
ENS uses version 14.4.0.354.17 or later of VSCore and sends the GTI File Reputation queries to an alternate domain: avts.mcafee.com
All other products continue to send GTI File Reputation queries to avqs.mcafee.com.
What does it mean for you?
You can use DNS internally and logically separate from the DNS infrastructure on the internet and provide internal internet access using proxies such as Microsoft ISA. This DNS infrastructure is commonly called split DNS and less commonly known as split horizon. Both terms represent the configuration where internal users of an organization access a separate DNS infrastructure. For example, see this Microsoft article on configuring DNS servers for ISA.
This scenario contains a workaround that securely provides access to GTI queries. The scenario provides access without implementing fully routable DNS traffic internally to every host.
Enabling Forwarding Securely
For GTI technology to work, it must perform real-time DNS queries. The reason is so that the internal DNS server can see a DNS server that can resolve the GTI domains. For example, the DNS server in the DMZ that the proxy servers use.
GTI solution
By forwarding only the domain name that GTI technology uses, directly to the public resolver, you can securely allow lookups without routing any other domains.
Two sample scenarios:
To configure this example securely, the administrator must make sure that the internal DNS server only forwards requests, for the domains GTI technology uses, to the public resolver. (The public resolver is the DNS server that can resolve queries on the internet.) Also, see examples of common DNS server forwarding configurations in the next section.
The DNS chain would look like this:
Internal DNS forwards only avqs.mcafee.com => DNS in DMZ or on proxy server => forwards requests to ISPs DNS server
This chain can also appear over an isolated network without a default router between the internal DNS and ISA server. We strongly recommend that you forward the query to your nearest internet DNS resolver and not directly to the GTI query clusters. Individual clusters can be removed from service for maintenance. We maintain the service by rerouting traffic to other clusters.
Sample configuration
The following example configurations are for
Windows DNS service and *
nix/Linux BIND 9.
Windows DNS Manager
- Start the Windows DNS manager.
- Right-click the appropriate server and select Properties.
- Click the Forwarders tab, and click New.
- Add a DNS zone. It forwards the requests.
- Under Selected domain's forwarder IP address list, type the IP address of the server that can resolve the zone and click Add.
- Repeat these steps for all applicable servers.
- Click OK when finished.
Windows/Linux BIND
- If BIND is in use on *nix / Linux, insert the following in the named.conf using the appropriate IP addresses:
// --- Zone forwarding for Global Threat Intelligence features NB: The servers below are open resolvers.
zone "avqs.mcafee.com" IN {
type forward;
forward first;
forwarders { 10.10.128.135; 10.10.128.136;};
};
// ---
- Reload the configuration. Follow the instructions in the relevant product guide.
