Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forĀ 
Search instead forĀ 
Did you mean:Ā 
cancel
Start a conversation
2278
Views
0
Helpful
3
Replies

DNS PROXY NEEDED

ht886xcco
Level 1
Level 1

ā€Ž06-29-2010 11:50 PM

I run a WSA 360 setup for a large customer.

He needs a DNS Proxy service like the one  that is available in the other large player in this market.

Can i do something simmilar whit ironport WSA's ??

Or is it in the Development track to implement such a DNS Proxy in Ironport WSA. ??

the need is to resolve dnsnames to local addresses for redirecting purposes.

http://www.bluecoat.co.jp/downloads/manuals/SGOS_Vol2_ProxiesPortServices_5.2.2.pdf

Chapter 5: Managing the DNS Proxy

When a DNS proxy service is enabled, it listens on port 53 for both explicit and

transparent DNS domain query requests. By default, the service is created but not

enabled.

The DNS does a lookup of the DNS cache to determine if requests can be answered. If

yes, the SG appliance responds. If not, the DNS forwards the request to the DNS server

list configured on the SG appliance. (To configure the DNS server list, see

Configuration

> Network > DNS

.)

Through policy, you can configure the list of resolved domain names (the

resolving name

list

) the DNS uses. The domain name in each query received by the SG appliance is

compared against the resolving name list.

Upon a match, the appliance checks the

resolving list. If a domain name match is found but no IP address was configured for

the domain, the appliance sends a DNS query response containing its own IP address.

If a domain name match is found with a corresponding IP address, that IP address is

returned in a DNS query response.

All unmatched queries are sent to the name servers

configured on the SG appliance.

Labels:
0 Helpful
3 Replies 3

john.phillips
Level 1
Level 1

ā€Ž06-30-2010 01:02 AM

Not sure if I completely understand what the bluecoat appliance is doing, however if your goal is to "resolve dnsnames to local addresses for redirecting purposes."

Can you just use the Alternate DNS servers Overrides (Optional): section of the Networking - DNS to acheive this.

put an entry in the override for abc.com and point it at your internal dns servers where you have a zone file for abc.com which has a internal a record for www. (for example)

then when a user goes through the ironport for www.abc.com the WSA will see there is a DNS override and rather than quering the internet root servers it will query your internal servers which will return an internal address and route the user to your internal site.

If you just want to override a single host rather than the whole domain,

For example you want to redirect all www.google.com to an internal but keep mail.google.com being resolved out.. in the domain section you can put the host name as well, (this way the internal server will only be queried if the user types www.  and the external queried if they use mail.)

0 Helpful

ht886xcco
Level 1
Level 1
In response to john.phillips

ā€Ž06-30-2010 03:18 AM

Its Not just to point to another dns for certain domains. That would require zone records for the entire domain. I only need to redirect some fqdn urls to other adresses

The BC DNSproxy listens on udp 53 like a real dns.

And if at has a host record for www.att.com whit address 1.2.3.4 it will return this instead of our real public address. We ten route 1.2.3.4 to a pix or asa that makes a reverse nat to the real address or a vpn tunnel.

So we can have exeptions for the "general security rule, no routing to internet registred adresses" at this customer.

Querys can be send from internal devices that do not pass the proxy.

The need comes from a migration from a eol/eos SGS5660 setup.

The SGS DNSd deamon could do the same thing as the BC dns proxy

0 Helpful

parleysmith
Level 1
Level 1
In response to ht886xcco

ā€Ž09-27-2010 11:51 AM

The WSA is not a DNS server and it doesn't proxy requests via port 53.

I wonder though, if you are only dealing with a few fqdn's, if you could define them in a custom category named "category_redirect", for example. You could then create an access policy and define membership with an advanced option of "URL Categories: category_redirect". You would then set the Custom URL Filtering for the new access policy to Redirect and specify the desired URL; in this case, I believe you could use an ip address for the URL, though I don't know if you would be limited to http traffic.

In any case, you would still have to deal separately with any traffic that you are trying to redirect that is not normally proxied.

0 Helpful
Customers Also Viewed These Support Documents