How to Configure Reputation Filter - DNS Threat Filter

Zyxel_Emily
Zyxel_Emily Posts: 1,296  Zyxel Employee
edited November 2023 in Security Service

DNS Threat Filter is a mechanism that protects users by intercepting DNS requests that attempt to resolve known malicious or unwanted domains and returning a false, or rather controlled, IP address. The controlled IP address points to a sinkhole server defined by the administrator.


When a client wants to access a malicious domain, it sends a query to the DNS server to resolve the domain name. The gateway intercepts this outgoing query, and the cloud server identifies the domain as a bad site. The gateway then returns to the client a redirect IP address where a blocked page is deployed. The client connects to the redirect IP address instead of the real IP address of the malicious domain and receives the blocked page when it attempts web access. This example shows how to configure DNS Threat Filter to redirect web access after a client hits the filter profile.

Set Up the DNS Threat Filter
Go to Security Service > Reputation Filter > DNS Threat Filter and turn on this feature. Select Redirect in the Action field. When a client hits the DNS Threat Filter, the page is redirected to the default blocked page or a custom IP address. Choose Log-alert in the Log field. Set the Redirect IP field to Default so that the gateway redirects to the default blocked page.

Test the Result
Verify a domain name in the Security Threat Categories. In Test Domain Name Category, enter a malicious domain and query the result.

Use a web browser to access the malicious site. The gateway will redirect you to a blocked page.

Go to Log & Report > Log/Events and select DNS Threat Filter to check the logs.

Go to Security Statistics > Reputation Filter > DNS Threat Filter to check the summary of all events.