When user tries to access some specific web Sites, admin gets alerts that a DNS query was blocked for a domain
We get error from Policy Manager contaning "309 2020-03-22 21:57:47+01:00 SERVER0X SYSTEM F-Secure Network Filter 126.96.36.199.4.1.2188.8.131.52 Blocked a DNS query for the following unsafe domain: www.test.com
Note: The notifications you get from F-Secure Policy Manager Server regarding the DNS Filter, are not errors. These are alerts/notifications send from Clients.F-Secure Policy Manager does not generate errors on behalf of clients. Clients generate errors locally, and they only send alerts to Policy Manager.
If the alert forwarding is enabled via Policy Manager, each time a query is blocked, admin will be notified according to that.
This is an expected behavior, and to understand it better, please read the explanation bellow:
DNS queries are based on ORSP rating, so ORSP needs to be activated from Policy Manager Console for all Clients.
How to enable Security Cloud using F-Secure Policy Manager Console:
Log in to F-Secure Policy Manager Console and navigate to Advanced view
Expand the F-Secure Security Cloud Client Settings and make sure the "allow deeper analyses" and "Client is enabled" is set to "yes" and distribute the policy.
ORSP stands for Object Reputation Service Protocol. When a new object, such as a file or URL, is encountered on one client, the product communicates with the Security Cloud using the strongly encrypted Object Reputation Service Protocol (ORSP) to query for the object's reputation details. Anonymous metadata about the object, such as file size and anonymized path, are sent to the Security Cloud. You may find more information about the Security Cloud here: https://www.f-secure.com/en/web/legal_global/privacy/security-cloud
Botnet blocker works on the level of DNS resolution and IP address filtering.
When DNS filtering is enabled, we don't allow to resolve DNS addresses if we know these DNS addresses are not safe.
When IP reputation filtering is enabled, we block connections to IP addresses for which we have reputation in ORSP.
When you allow all queries, it means you have disabled DNS filter, by doing this you are disabling DNS scanning on NIF (Network interception Framework) level.
If you set to example „Allow safe queries only „it might still block local DNS.
DNS record information is usually cached (stored on your local browser, computer or network forwarder) for a specific amount of time; anywhere from 5 minutes to 8 hours is normal.
block unsafe => unknown, susp, safe will go thru.
unsafe (malicious) are blocked Block unsafe, susp => unknown and safe go thru.
unsafe (malicious) and suspicious are blocked allow safe only => only safe rated go thru. unknown, suspicious, unsafe (malicious) are blocked
Blocking botnet communication
Botnet Blocker is a security feature that aims to prevent botnet agents from communicating with their command and control servers.
The feature uses DNS reputation data to verify the security of queries when translating DNS requests to IP addresses.
To configure Botnet Blocker in Standard view:
On the Settings > Web traffic scanning page, go to Botnet blocker
Set the filtering to use for DNS queries.
By default, this set to Block unsafe queries.
Set the alert level to use for notifications of blocked DNS queries.
Distribute the policy:
You can choose what works for you best, you have different option in Policy Manager Console:
If some internal or External URL is blocked from Network filter, like this example: "F-Secure Network Filter 184.108.40.206.4.1.2220.127.116.11 Blocked a DNS query for the following unsafe domain: ... "
The domain was detected as "malicious" by our ORSP and therefore it is blocked.
You can solve this by submitting the ULR sample here https://www.f-secure.com/en/business/support-and-downloads/submit-a-sample and wait until the you get answer, which tells you if the page/URL is marked as clean.
You can add the URL as trusted site in your Policy Manager Console:
For F-Secure Client Security 13.x:
For F-Secure Client Security 14.x:
Log in to F-Secure Policy Manager Console
Select the host or domain from the Domain Tree
Go to the Settings tab and select Standard view
Go to the Web content control page
Click Add on the right side of the Trusted sites list
Enter the server address in the Address column
Distribute the policy (Ctrl+D)
With Client Security 14.x clients no wildcard is needed in the address, for example:
Web traffic scanning is blocking an internal server, URL or applications
Article no: 000010712