Threat Prevention - Network is configured on your DNS Server(s) and forwards DNS queries to the HEIMDAL DNS Resolvers, which are responsible for filtering all network packets based on DNS request origin and destination. The engine blocks malicious packets from communicating across the network, prevents man-in-the-browser attacks, detects zero-hour exploits, protects from data or financial exfiltration, and prevents data loss or network infections.
1. The DNS queries are not solved or the traffic is not being filtered
2. The HEIMDAL LogAgent does not activate the HEIMDAL license key
3. The HEIMDAL LogAgent does not report the hostnames in the HEIMDAL Dashboard
4. The HEIMDAL LogAgent does not change the DNS Forwarder(s) to 127.8.8.1
The DNS queries are not solved or the traffic is not being filtered
BEHAVIOR: the DNS queries are not solved or the DNS traffic is not being filtered.
SOLUTION: this issue can be troubleshot by working through the steps below.
1. In the HEIMDAL Dashboard, under Network Settings -> Threat Prevention, make sure you have added your Public IP Address to the Access Rules list:
To make sure you are using the correct Public IP Address, go to the DNS Server, open a browser, access google.com, type What is my IP Address? and check the result. You should get something similar to the following:
In this case, the Public IP Address is 126.96.36.199 and this IP Address needs to be added as an Access Rule.
2. On the DNS Server, open Server Manager -> DNS, right-click on the DNS Server, and hit Properties. In the Forwarders tab, make sure you are using the HEIMDAL Security DNS Resolvers (188.8.131.52 and 184.108.40.206):
The HEIMDAL LogAgent does not activate the HEIMDAL license key
BEHAVIOR: the HEIMDAL LogAgent does not activate the HEIMDAL license key and shows the following errors:
SOLUTION: this is because our IP Addresses/Ports have not been whitelisted or the Internet connection is not working.
The HEIMDAL LogAgent does not report the hostnames in the HEIMDAL Dashboard
BEHAVIOR: the HEIMDAL LogAgent does not report the hostnames in the HEIMDAL Dashboard
SOLUTION: the HEIMDAL LogAgent is able to pick up and report the hostnames of the endpoints that are listed in the Forward Lookup Zone. If the endpoint is not listed there, the endpoint will be listed with an N/A hostname, but with its IP Address.
The HEIMDAL LogAgent does not change the DNS Forwarder(s) to 127.8.8.1
BEHAVIOR: the HEIMDAL DNS Server (127.8.8.1) is not replacing my DNS Forwarder(s).
SOLUTION: this could happen due to several reasons.
1. Make sure the Hybrid DNS option is enabled in the Network Settings section. If it's disabled, enable it, then go to the DNS Server, open Command Prompt, and manually sync the Group Policy settings by running the following command:
"C:\Program Files\Heimdal Security\Heimdal Log Agent\LogAgent\DnsNext.LogAgent.exe" /command=RefreshGroupPolicy
2. If a socket error is seen in the HeimdalLogs (log retention is set to 31 days), just restart the Heimdal LogAgent service.
3. Make sure that HEIMDAL DNS Resolvers are not set as Forwarders (220.127.116.11, 18.104.22.168), as those cannot be used as Forwarders by Hybrid DNS.
If none of the steps above fix the issue, please reach out to the HEIMDAL Security Support Team.
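The forwarder checks from the first and last sections (HEIMDAL DNS Resolvers as Forwarders in the standard setup, 127.8.8.1 and no HEIMDAL resolvers in the Hybrid DNS setup) can be scripted on the DNS Server. The following is an added example, not HEIMDAL's own tooling: the function name Test-HeimdalForwarder and its parameters are hypothetical, the resolver addresses must be supplied by you from your HEIMDAL Dashboard, and the sample addresses at the bottom are constructed documentation-range placeholders.

```powershell
# Added example: audits DNS forwarders against the two setups described in this article.
# Resolver IPs are not hard-coded; pass the ones assigned to your HEIMDAL account.
function Test-HeimdalForwarder {
    [CmdletBinding()]
    param(
        # HEIMDAL DNS Resolver addresses (operator-supplied).
        [Parameter(Mandatory)] [string[]] $HeimdalResolver,
        # Set when Hybrid DNS is enabled in Network Settings.
        [switch] $HybridDns,
        # Forwarders to audit; defaults to the live DNS Server configuration
        # (needs the DnsServer module, present on Windows DNS Servers).
        [string[]] $Forwarder = @((Get-DnsServerForwarder).IPAddress |
                                  ForEach-Object { $_.ToString() })
    )
    $hybridAddress = '127.8.8.1'   # address the LogAgent sets in Hybrid DNS mode
    $findings = [System.Collections.Generic.List[string]]::new()

    # Split the configured forwarders into HEIMDAL resolvers and everything else.
    $resolversInUse = @($Forwarder | Where-Object { $_ -in $HeimdalResolver })
    $other = @($Forwarder | Where-Object {
        $_ -notin $HeimdalResolver -and $_ -ne $hybridAddress })

    if ($HybridDns) {
        if ($hybridAddress -notin $Forwarder) {
            $findings.Add("Forwarder $hybridAddress is missing: run RefreshGroupPolicy or restart the LogAgent service.")
        }
        if ($resolversInUse.Count -gt 0) {
            $findings.Add("HEIMDAL resolvers set as Forwarders ($($resolversInUse -join ', ')): Hybrid DNS cannot use them.")
        }
    } else {
        if ($resolversInUse.Count -eq 0) {
            $findings.Add('No HEIMDAL resolver is set as a Forwarder: DNS traffic is not being filtered.')
        }
        if ($other.Count -gt 0) {
            $findings.Add("Other Forwarders present ($($other -join ', ')): queries answered by them are not filtered.")
        }
    }
    [pscustomobject]@{
        Mode       = if ($HybridDns) { 'Hybrid DNS' } else { 'Standard' }
        Forwarders = $Forwarder
        Passed     = ($findings.Count -eq 0)
        Findings   = $findings.ToArray()
    }
}

# Constructed sample run (placeholder addresses, no live DNS Server needed):
Test-HeimdalForwarder -HybridDns -HeimdalResolver '192.0.2.10', '192.0.2.11' `
    -Forwarder '192.0.2.10', '203.0.113.5' | Format-List
```

On the DNS Server itself, omit -Forwarder so the function reads the configured Forwarders with Get-DnsServerForwarder.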