Global Threat Intelligence and split Domain Name System
Last Modified: 2023-09-15 15:11:14 Etc/GMT
Affected Products
Languages:
This article is available in the following languages:
Trellix CEO, Bryan Palma, explains the critical need for security that’s always learning.
As per Gartner, "XDR is an emerging technology that can offer improved threat prevention, detection and response."
Trellix announced the establishment of the Trellix Advanced Research Center to advance global threat intelligence.
Trellix Advanced Research Center analyzes threat data on ransomware, nation-states, sectors, vectors, LotL, MITRE ATT&CK techniques, and emails.
As of May 14, 2024, Knowledge Base (KB) articles will only be published and updated in our new Trellix Thrive Knowledge space.
Log in to the Thrive Portal using your OKTA credentials and start searching the new space. Legacy KB IDs are indexed and you will be able to find them easily just by typing the legacy KB ID.
Global Threat Intelligence and split Domain Name System
Technical Articles ID:
KB53782
Last Modified: 2023-09-15 15:11:14 Etc/GMT Environment
Global Threat Intelligence (GTI) Endpoint Security (ENS) Threat Prevention 10.7.0 June 2021 Update (and earlier), 10.6.1 June 2021 Update (and earlier) Summary
This article describes a feasible mechanism for companies running an internal Domain Name System (DNS) to allow GTI internal queries. Why use DNS?
DNS provides a quick and efficient mechanism to query small amounts of data. For more information, see KB53735 - FAQs for Global Threat Intelligence File Reputation. Testing connectivity
Perform a manual lookup using
ENS uses version All other products continue to send GTI File Reputation queries to Enabling Forwarding Securely
For GTI technology to work, it must perform real-time DNS queries. The reason is so that the internal DNS server can see a DNS server that can resolve the GTI domains. For example, the DNS server in the DMZ that the proxy servers use. GTI solution
By forwarding only the domain name that GTI technology uses, directly to the public resolver, you can securely allow lookups without routing any other domains.
Two sample scenarios:
The DNS chain would look like this:
Internal DNS forwards only
This chain can also appear over an isolated network without a default router between the internal DNS and ISA server. We strongly recommend that you forward the query to your nearest internet DNS resolver and not directly to the GTI query clusters. Individual clusters can be removed from service for maintenance. We maintain the service by rerouting traffic to other clusters. Sample configuration The following example configurations are for Windows DNS service and * Windows DNS Manager
Windows/Linux BIND
Previous Document ID (Secured)
616704
Affected ProductsLanguages:This article is available in the following languages: |
|