AntiVirus: Client/Server Anti-Virus: Artemis Technology and split DNS
03/26/2020
DESCRIPTION:
A notice has been issued for SonicWall Enforced Clients (McAfee and Kaspersky). Please see Notice: End of Support for SonicWall Enforced Client for more information.
RESOLUTION:
Why use DNS?
DNS provides a quick and efficient mechanism for querying small amounts of data. For more information on this process, see KB53735 - How much will McAfee Artemis Technology improve malware detection.
Testing connectivity
Perform a manual lookup using nslookup to verify that your computer can see the McAfee Artemis Technology server.
- Click Start, Run, type cmd and press ENTER.
- Type nslookup 4z9p5tjmcbnblehp4557z1d136.avqs.mcafee.com and press ENTER.
You see a response similar to the following:
Server: <mylocaldnsserver.org>
Address: 10.10.135.201
Name: 4z9p5tjmcbnblehp4557z1d136.avqs.mblmcafee.com
Address: 127.0.4.8
If the nslookup fails or returns a timeout error, see KB53734 - How to verify that my Endpoints can see the McAfee Artemis Technology server.
Customer Scenario
A company may run an internal DNS that is logically separate from the DNS infrastructure on the Internet, with internal Internet access provided through proxies such as Microsoft ISA. This DNS infrastructure is commonly called 'split DNS' and less commonly 'split horizon'. Both refer to a configuration in which internal users of an organization use a separate DNS infrastructure. For an example, see http://technet.microsoft.com/library/cc302590.aspx.
This scenario describes a workaround that securely provides access to Artemis queries without making DNS traffic fully routable from every internal host.
Enabling Forwarding, Securely
For McAfee Artemis Technology to work, it must be able to perform real-time DNS queries. To make this happen, the internal DNS server must be able to reach a DNS server that can resolve the Artemis domains, for instance the DNS server in the DMZ that the proxy servers use.
Solution
By forwarding only the domain name McAfee Artemis Technology uses, directly to the public resolver, you can securely allow lookups without routing any other domains. Two sample scenarios:

To configure this example securely, the administrator must ensure that the internal DNS server forwards only requests for the domains Artemis Technology uses to the public resolver (the DNS server that can resolve queries on the Internet); all other domains stay with the internal DNS. Examples of common DNS server forwarding configurations follow in the next section.
The DNS chain would look like this:
Internal DNS (forwards only mblmcafee.com) => DNS in DMZ or on proxy server => forwards requests to the ISP's DNS server
This could also happen over an isolated network without a default router between the internal DNS and the ISA server. McAfee strongly recommends that you forward queries to your nearest Internet DNS resolver and not directly to the Artemis query clusters, because individual clusters may be removed from service for maintenance and the service is maintained by re-routing traffic to other clusters.
Sample configuration
The following example configurations are for the Windows DNS service and *nix/Linux BIND 9.
Windows DNS Manager
- Launch the Windows DNS manager.
- Right-click the appropriate server and select Properties.
- Select the Forwarders tab, click New.
- Add a new DNS zone to forward requests for.
- Under Selected domain's forwarder IP address list, type the IP of the server that can resolve the zone and click Add.
- Repeat this for all applicable servers.
- Click OK when finished.
Windows / Linux BIND
- If BIND is in use on *nix / Linux, insert the following in the named.conf using the appropriate IP addresses:
// --- Zone forwarding for McAfee Artemis features NB: The servers below are open resolvers.
zone "avqs.mcafee.com" IN {
type forward;
forward first;
forwarders { 10.10.128.135; 10.10.128.136;};
};
// ---
Reload the config following the instructions in the relevant product guide.
Forwarding Artemis through a Sidewinder
A Sidewinder configured with split DNS may need a similar configuration change. Normally, the internal DNS server is set up to forward all requests to the external DNS server; however, many organizations forward only specific requests. This example shows sites with this DNS stance how to modify the Sidewinder configuration to pass Artemis requests.
The following example assumes a split DNS environment with the external, or internet zone, set as zone 1 (this is the default zone configuration). If the external zone is configured differently in your environment, replace the 127.1.0.1 with the zone-specific loopback address for your system.
- Edit the file /etc/named.conf.u and insert the following:
// --- Zone forwarding for McAfee Artemis features
zone "avqs.mcafee.com" IN {
type forward;
forward first;
forwarders { 127.1.0.1; 127.1.0.1; };
};
// ---
- Run the following command to verify that the changes are syntactically correct:
/usr/sbin/named-checkconf /etc/named.conf.u
- Restart named:
cf daemond restart agent=named-unbound
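The point of both the BIND and the Sidewinder snippets above is that only the Artemis zone is forwarded; a global forwarders statement in options, or a forward zone for any other domain, would widen that to all lookups. The following added audit script (not part of this article or of any McAfee or SonicWall product) parses a named.conf-style file and reports exactly those two conditions; the ARTEMIS_DOMAINS set and the sample configurations are constructed for the example.

```python
import re
from typing import List

# Domain the article forwards for Artemis lookups (assumption: extend if more are documented).
ARTEMIS_DOMAINS = {"avqs.mcafee.com"}

def _strip_comments(text: str) -> str:
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)        # /* ... */ comments
    return re.sub(r"(//|#).*", "", text)                     # // and # comments

def _blocks(text: str, keyword: str):
    """Yield (header, body) for each `keyword header { body };` statement."""
    for m in re.finditer(r"\b" + keyword + r"\b([^{]*)\{", text):
        depth, i = 1, m.end()
        while depth and i < len(text):                       # walk to the matching brace
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        yield m.group(1).strip(), text[m.end():i - 1]

def _forwarders(body: str) -> List[str]:
    m = re.search(r"\bforwarders\s*\{([^}]*)\}", body)
    return [t.strip() for t in m.group(1).split(";") if t.strip()] if m else []

def audit_forwarding(conf: str, allowed=ARTEMIS_DOMAINS) -> List[str]:
    """Return findings; an empty list means only Artemis domains are forwarded."""
    text = _strip_comments(conf)
    findings = []
    for _, body in _blocks(text, "options"):
        if _forwarders(body):
            findings.append("options: global forwarders send every query upstream")
    for header, body in _blocks(text, "zone"):
        q = re.search(r'"([^"]+)"', header)
        name = (q.group(1) if q else header.split()[0]).lower().rstrip(".")
        if not re.search(r"\btype\s+forward\s*;", body):
            continue                                         # master/slave/hint zones are fine
        if name not in allowed:
            findings.append(f"zone {name}: forwarded but not an Artemis domain")
        if not _forwarders(body):
            findings.append(f"zone {name}: forward zone lists no forwarders")
    return findings

# Constructed samples: the article's scoped snippet (good) and a too-broad variant (bad).
GOOD_CONF = """
zone "corp.example" IN { type master; file "corp.db"; };
zone "avqs.mcafee.com" IN { type forward; forward first;
  forwarders { 10.10.128.135; 10.10.128.136; }; };
"""
BAD_CONF = """
options { forwarders { 192.0.2.53; }; };   // forwards everything
zone "avqs.mcafee.com" IN { type forward; forwarders { 192.0.2.53; }; };
zone "example.org" IN { type forward; forwarders { 192.0.2.53; }; };
"""
```

Run it against the real /etc/named.conf (or /etc/named.conf.u on a Sidewinder) after named-checkconf passes; the Sidewinder snippet's repeated 127.1.0.1 entry is accepted as a populated forwarder list.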