Advanced Threat Defense incorrectly sends the DNS query for a URL sample to the Preferred/Alternate DNS Server via the Malware Internet Port
Technical Articles ID:   KB89334
Last Modified:  5/15/2017

Environment

McAfee Advanced Threat Defense (ATD) 3.x

Problem

You configure a Malware DNS Server, separate from the Preferred/Alternate DNS Server, and set up one of interface ports 1, 2, or 3 as the Malware Internet Port.

You then submit a URL sample to ATD and expect that ATD will send the DNS query to the separate Malware DNS Server via the configured Malware Internet Port.

However, when you submit the sample, you see ATD sends the DNS query to the Preferred/Alternate DNS Server instead of the Malware DNS Server, and it makes the request via the MGMT port instead of the configured Malware Internet Port.

Solution

This is expected behavior.

When you submit a URL sample, ATD first validates that the URL string is well formed before any sandbox scanning takes place. The ATD backend then downloads the content at the URL and caches it for later reuse.
Only after these operations complete does ATD pass the URL string to the sandbox VM for sandbox scanning, where the browser inside the sandbox VM opens the URL.

The communication in each phase uses the following interface and DNS server:
  • Validation and caching phase:
    This traffic leaves via the MGMT port, regardless of the Malware Internet Port setting. ATD uses the Preferred/Alternate DNS Server to resolve the host name in the URL.
     
  • Sandbox phase:
    This traffic leaves via the Malware Internet Port, which is assigned to one of the mgmt/1/2/3 ports. ATD uses the Malware DNS Server to resolve the host name in the URL.
The DNS lookup to the Preferred/Alternate DNS Server and the web access from the MGMT port that you observed therefore belong to the validation and caching phase. The sandbox phase still resolves the host name through the Malware DNS Server and reaches the URL through the configured Malware Internet Port. Note the practical consequence: for every URL sample, the management network sees one DNS lookup for the sample's host name and one download of the URL, so the Malware Internet Port alone does not isolate all sample-related traffic from the MGMT network.
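A practical way to confirm this split is to capture DNS traffic on the MGMT and Malware Internet interfaces while submitting a URL sample and check that each lookup for the sample's host name went out the interface and to the DNS server the phase model predicts. The following script is an added example and is not part of the KB article or of any McAfee tooling: it classifies DNS queries from a simplified tcpdump-style capture (timestamp, interface, source, destination, query type, name) into the validation/caching phase, the sandbox phase, or "unexpected". The interface names, DNS server addresses and the capture lines are all constructed for illustration and are not taken from the article.

```python
"""Classify DNS lookups from a capture against the ATD two-phase model.

Validation/caching phase: MGMT interface -> Preferred/Alternate DNS server.
Sandbox phase:            Malware Internet Port -> Malware DNS server.
Anything else is flagged so an operator can investigate a misrouted lookup.
"""
import re
from collections import defaultdict

# Hypothetical appliance configuration; substitute your own values.
CONFIG = {
    "mgmt_if": "eth0",          # MGMT port
    "malware_if": "eth1",       # Malware Internet Port (one of mgmt/1/2/3)
    "preferred_dns": "10.0.0.53",
    "alternate_dns": "10.0.0.54",
    "malware_dns": "192.0.2.53",
}

# Constructed, simplified tcpdump-like lines (not a real appliance capture):
# <timestamp> <iface> <src>.<sport> > <dst>.53: <id>+ <qtype>? <qname>.
SAMPLE_CAPTURE = """\
12:00:01.000 eth0 10.0.0.10.41234 > 10.0.0.53.53: 1234+ A? www.example.com.
12:00:01.050 eth0 10.0.0.10.41235 > 10.0.0.53.53: 1235+ AAAA? www.example.com.
12:00:15.000 eth1 198.51.100.10.50001 > 192.0.2.53.53: 2001+ A? www.example.com.
12:00:16.000 eth1 198.51.100.10.50002 > 10.0.0.53.53: 2002+ A? www.example.com.
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<iface>\S+)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.\d+\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.53:\s+\d+\+?\s+"
    r"(?P<qtype>[A-Z]+)\?\s+(?P<qname>\S+)$"
)


def parse_line(line):
    """Return a dict for a DNS query line, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["qname"] = rec["qname"].rstrip(".")  # drop the trailing root dot
    return rec


def classify(rec, cfg):
    """Map one query to the ATD phase its interface/DNS-server pair implies."""
    mgmt_dns = {cfg["preferred_dns"], cfg["alternate_dns"]}
    if rec["iface"] == cfg["mgmt_if"] and rec["dst"] in mgmt_dns:
        return "validation_caching"
    if rec["iface"] == cfg["malware_if"] and rec["dst"] == cfg["malware_dns"]:
        return "sandbox"
    # e.g. the malware port talking to the management DNS server
    return "unexpected"


def audit(lines, cfg):
    """Count queries per name and phase; collect every unexpected query."""
    by_name = defaultdict(
        lambda: {"validation_caching": 0, "sandbox": 0, "unexpected": 0}
    )
    unexpected = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # non-DNS or unparsable line
        phase = classify(rec, cfg)
        by_name[rec["qname"]][phase] += 1
        if phase == "unexpected":
            unexpected.append((rec["iface"], rec["src"], rec["dst"], rec["qname"]))
    return dict(by_name), unexpected


def main():
    by_name, unexpected = audit(SAMPLE_CAPTURE.splitlines(), CONFIG)
    for name, counts in by_name.items():
        print(f"{name}: {counts}")
    for iface, src, dst, name in unexpected:
        print(f"UNEXPECTED: {name} queried to {dst} from {src} via {iface}")


if __name__ == "__main__":
    main()
```

For a real check, replace SAMPLE_CAPTURE with lines derived from captures taken on both interfaces while submitting a single URL sample; per the article, you should see the sample's host name resolved once through the MGMT port to the Preferred/Alternate server (validation and caching) and once through the Malware Internet Port to the Malware DNS Server (sandbox). Any query the script marks "unexpected" means a lookup left by an interface/server pairing the phase model does not predict.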
