Trusted Domain List

A trusted domain list, or whitelist, is preconfigured on Plixer FlowPro to suppress alarms involving specific domains. The default whitelist contains five entries that can be added to or removed depending on the customer environment.

  • mcafee.com

  • sophos.com

  • sophosxl.net

  • webcfs03.com

  • apple.com

  • aaplimg.com

mcafee.com suppresses DNS Data Leak alarms from McAfee AntiVirus software. McAfee encodes information from the anti-virus clients on the network into very long and complex DNS names and stores this information on their DNS server. This is exactly the type of behavior that the DNS Data Leak algorithm is looking for as this technique is also used by some forms of malware.

sophos.com and sophosxl.net are related to Sophos Anti-virus software, which uses multiple techniques to get information in and out of a network using DNS. In addition to using the same technique as McAfee to send information back to their servers, Sophos also uses DNS TXT messages to send information back to the clients on the network. Exchanging information with an external host via DNS TXT messages is also a technique used by some malware families, and the DNS Command and Control algorithm will alarm on this type of activity. Whitelisting these two domains prevents Sophos from generating either DNS Data Leak or DNS Command and Control alarms.

webcfs03.com belongs to SonicWALL and will also generate DNS Data Leak alarms.

apple.com uses DNS TXT messages to exchange settings with Apple's NTP server, which would otherwise trigger a DNS Command and Control alarm.

There may be other authorized software on internal networks that use DNS to bypass the firewall for data communications. If so, add those domains to the trusted domain list. Once configured, any other traffic communicating via DNS should be investigated.
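The following script is an added illustration, not FlowPro code, of how a trusted domain list suppresses the two alarm types described above. It suffix-matches query names against the six default domains, applies simple stand-in heuristics for the DNS Data Leak algorithm (long, high-entropy labels) and the DNS Command and Control algorithm (TXT lookups to an untrusted domain), and runs them over constructed sample log lines. The thresholds and the log line format are assumptions made for the example; FlowPro's actual detection criteria are not documented on this page.

```python
import math
from collections import Counter
from typing import List, Optional, Tuple

# Trusted domain list as shipped by default (taken from the page). Matching is
# by suffix, so any subdomain such as host.sophosxl.net is also trusted.
TRUSTED_DOMAINS = {
    "mcafee.com", "sophos.com", "sophosxl.net",
    "webcfs03.com", "apple.com", "aaplimg.com",
}

# Assumed thresholds for this illustration only; FlowPro's real algorithms
# are not described on the page and may use different criteria.
MAX_NAME_LEN = 60        # a whole query name longer than this looks like encoded data
MAX_LABEL_LEN = 32       # a single label longer than this looks like encoded data
MIN_LABEL_ENTROPY = 3.5  # bits per character; random-looking labels score high


def is_trusted(qname: str) -> bool:
    """True if qname equals, or is a subdomain of, a trusted domain."""
    name = qname.rstrip(".").lower()
    return any(name == d or name.endswith("." + d) for d in TRUSTED_DOMAINS)


def shannon_entropy(s: str) -> float:
    """Shannon entropy of a string in bits per character."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def classify(qtype: str, qname: str) -> Optional[str]:
    """Return the alarm a query would raise ("DNS Data Leak" or
    "DNS Command and Control"), or None. Trusted domains never alarm."""
    if is_trusted(qname):
        return None
    name = qname.rstrip(".")
    labels = name.split(".")
    # Data-leak heuristic: very long or high-entropy names carry encoded data,
    # the same pattern the McAfee and Sophos clients produce legitimately.
    if len(name) > MAX_NAME_LEN or any(
        len(label) > MAX_LABEL_LEN and shannon_entropy(label) > MIN_LABEL_ENTROPY
        for label in labels
    ):
        return "DNS Data Leak"
    # C2 heuristic: TXT lookups against an external, untrusted domain.
    if qtype.upper() == "TXT":
        return "DNS Command and Control"
    return None


def evaluate(log_lines: List[str]) -> List[Tuple[str, str]]:
    """Parse assumed 'timestamp client qtype qname' lines and return
    (qname, alarm) for each line that still alarms after suppression."""
    alarms = []
    for line in log_lines:
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than fail the whole run
        _ts, _client, qtype, qname = parts
        alarm = classify(qtype, qname)
        if alarm:
            alarms.append((qname, alarm))
    return alarms


# Constructed sample log lines (not real traffic). The 48-character hex label
# stands in for the encoded client data that McAfee-style lookups carry.
ENCODED = "3e7a9f1c2b8d4e6f0a1b2c3d4e5f60718293a4b5c6d7e8f9"
SAMPLE_LOG = [
    f"2024-01-01T10:00:00Z 10.0.0.5 A {ENCODED}.avts.mcafee.com",   # trusted: suppressed
    "2024-01-01T10:00:01Z 10.0.0.5 TXT sophosxl.net",               # trusted: suppressed
    "2024-01-01T10:00:02Z 10.0.0.6 TXT time.apple.com",             # trusted: suppressed
    f"2024-01-01T10:00:03Z 10.0.0.7 A {ENCODED}.example.net",       # alarms: data leak
    "2024-01-01T10:00:04Z 10.0.0.8 TXT txt-lookup.example.org",     # alarms: C2
    "2024-01-01T10:00:05Z 10.0.0.9 A www.example.com",              # benign
    "2024-01-01T10:00:06Z 10.0.0.9 A notmcafee.com",                # not a subdomain: not trusted, but benign
]

if __name__ == "__main__":
    for qname, alarm in evaluate(SAMPLE_LOG):
        print(f"{alarm:<24} {qname}")
```

Note that the suffix match requires the dot boundary, so notmcafee.com is not treated as trusted; when adding customer domains to the list, add the registered domain (for example vendor.example) rather than individual hostnames so that all of the vendor's lookups are suppressed together.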

Use the edit domainlist command to modify the trusted domain list.