SecureDNS
Q: Why do I see multiple private IP-Addresses in the same field during a detection?
A: A time interval between -5 and +5 minutes is considered. When multiple hosts query the same domain within that interval, the same (common) private IP addresses will be visible at each timestamp. This hardly ever happens in reality.
Q: What if there are problems in one of the datacenters?
A: For our European customers, we work with a redundancy of 3 public DNS servers hosted by different providers and located in different datacentres. When the primary DNS server fails, a fall-back server takes over. We also use load balancing.
Q: What if I have multiple DNS servers running?
A: On each DNS server, the DNS forwarders need to be changed. We recommend installing the Filebeat software on each Domain Controller where a DNS server is active.
Q: Why can’t I see private IP-Addresses (anymore) on the dashboard with blocked detections?
A: This is because we no longer receive local DNS logs, for one of the following reasons:
You are not running the Filebeat service (anymore).
The local DNS logging is not activated.
Incorrect parameters in the Filebeat.yml config file.
The networking requirements are not met:
Q: How do I create an additional account?
A: You need the "Organization Manager" role on the portal in order to create users yourself. You can acquire this role by contacting us at support@secutec.com or support@secure-dns.eu or submitting a ticket on this portal. You can also open a ticket with us to create an extra portal account for a user.
Q: Where are the Secutec SecureDNS datacenters located?
A: The datacenters are located in the following locations:
The European servers are hosted in France, Germany, Italy and Belgium.
The Asian servers are hosted in Singapore and Hong Kong.
The American servers are hosted in Virginia and California.
The Middle-Eastern servers are hosted in Bahrain.
Q: Is there a limit on the number of users & sites?
A: No, there is no limit to the number of users and sites. If you want to add extra users and sites, you can always request this via your account manager. Note that this affects the price.
Q: How can I know if a domain is blocked by Secutec SecureDNS without going to the portal?
A: Perform an nslookup for the malicious domain. In case of a blocked FQDN/domain, you should get back a CNAME to one of our DNS sinkholes together with a 152.228.249.x IP address.
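The check described in this answer can be scripted. The following is an added example, not Secutec's own code: it classifies nslookup output as blocked only when both a CNAME and an address in 152.228.249.x appear in the answer, ignoring the resolver's own address in the header. The sinkhole hostname, the sample output and the result labels are constructed placeholders.

```python
import ipaddress
import re
import subprocess

# From the FAQ answer: blocked names resolve into 152.228.249.x.
SINKHOLE_NET = ipaddress.ip_network("152.228.249.0/24")
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def answer_section(output):
    """Drop the leading Server/Address block, which describes the resolver."""
    blocks = re.split(r"\n\s*\n", output.strip(), maxsplit=1)
    if blocks[0].startswith("Server:"):
        return blocks[1] if len(blocks) > 1 else ""
    return output

def classify(output):
    """Return 'blocked', 'sinkhole-ip-only' or 'not-blocked' for nslookup text."""
    answer = answer_section(output)
    # Linux prints 'canonical name = ...'; Windows prints 'Aliases: ...'.
    has_cname = bool(re.search(r"canonical name\s*=|^Aliases:", answer, re.M))
    in_sinkhole = False
    for text in IPV4.findall(answer):
        try:
            in_sinkhole |= ipaddress.ip_address(text) in SINKHOLE_NET
        except ValueError:  # e.g. 999.1.1.1 is not an address
            continue
    if in_sinkhole and has_cname:
        return "blocked"
    return "sinkhole-ip-only" if in_sinkhole else "not-blocked"

def check_domain(domain):
    """Query the system resolver with nslookup and classify the reply."""
    if not re.fullmatch(r"[A-Za-z0-9][A-Za-z0-9.-]*", domain):
        raise ValueError("not a plain hostname")  # also stops '-option' input
    proc = subprocess.run(["nslookup", domain], capture_output=True,
                          text=True, timeout=15)
    return classify(proc.stdout)

# Constructed sample output (not a real capture); names are placeholders.
LINUX_BLOCKED = """Server:\t\t10.0.0.53
Address:\t10.0.0.53#53

Non-authoritative answer:
blocked.example.test\tcanonical name = sinkhole.placeholder.invalid.
Name:\tsinkhole.placeholder.invalid
Address: 152.228.249.7
"""
```

A result of `sinkhole-ip-only` means the address matched but no CNAME was seen in the output, which is not the full pattern the answer describes and is worth checking on the portal.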
Q: What will be shown in my browser when a domain is blocked by Secutec SecureDNS?
A: Normally you only get to see a time-out message in your browser, a blank page. Would you like to personalize this page? It’s possible! Please refer to "Displaying a Blocking Page using a local Webserver" or "Displaying a Blocking Page using your Firewall (FortiGate)".
Q: What should I do if a domain needs to be whitelisted?
A: To have a domain whitelisted or unblocked in Secutec SecureDNS, please send an email to whitelisting@secure-dns.eu (the domains will be whitelisted after verification by our technical people) or submit a ticket via this portal. You can also click the "Request Whitelisting" button in the Blocked dashboard table on the Secutec Portal, which will fill in the domain as the subject of the ticket form you can submit on this portal.
Q: Who can I contact for general or technical questions about Secutec SecureDNS?
A: Please contact our support team via: support@secure-dns.eu
Q: What should I do in case of a detection?
A: You will find the document that covers this procedure here: SecureDNS Customer Detection Guidelines
VirusTotal
Q: What kind of information can I consult via VirusTotal?
A: In VirusTotal, in the "relations" tab, you can find all relations to malicious files and/or related domains and subdomains.
Q: The domain blocked by Secutec SecureDNS doesn’t report anything malicious on VirusTotal. Why is this domain still blocked by Secutec SecureDNS?
A: VirusTotal is an extra added value that you can consult. Blocking is done on the basis of the lists we receive from our security vendors. For New Domains, in most cases not much is visible on VirusTotal because this local information is still too new.
SecureDNSAgent
Q: How can I see if a detection arises from a Secutec SecureDNS agent?
A: For the site, you see "SecureDNS agent" instead of the configured sites. If there is a hostname instead of an internal IP, the detection was made by the SecureDNS agent.
Q: Is there any caching on the SecureDNS servers?
A: Yes, but only for the blocked domains. Duration: 60 seconds.