We are running a test to block domains using an EDL, but it's not working. We are testing with this domain: unrealengine.com
This is the config:
The domain is added to the EDL domain list:
The antispyware profile is created with the list:
The security rule is also created:
But we can still access the web:
With an Anti-Spyware profile and DNS signatures, the firewall will try to block access to the domain from the EDL by intercepting the DNS request from the user DNS server.
1. When you try to reach a suspicious domain, your PC will first create a DNS request to find out the IP to which to connect.
2. After it gets the IP address, it will try to establish a TCP connection.
3. Over that TCP connection it will send an HTTP request (either encrypted or not).
Potentially you can block the traffic at any of those three steps. Of course, it is always better to block it at as early a step as possible.
With your approach, the firewall should intercept the DNS request and forge a reply with a dummy IP address (the sinkhole IP), trying to steer the user away from the forbidden address.
For this approach to work, your Anti-Spyware profile must be applied on a rule that is processing the DNS traffic between the user and the DNS server. It should also work if it is between your internal DNS and the public one.
- Is your DNS traffic (between user and DNS server) passing through the firewalls?
- Are you applying the Anti-Spyware profile on this rule?
- If the above is true, try to clear the DNS cache on the machine from which you are testing.
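One way to check the points in the answer above from the test machine, added here as an example and not part of the original posts: it queries a DNS server directly and reports whether the A record returned is the sinkhole address. The sinkhole address `192.0.2.1` and all function names are assumptions; use the IPv4 sinkhole configured in your own Anti-Spyware profile.

```python
import socket
import struct

# Assumption: the sinkhole IPv4 set in the Anti-Spyware profile (placeholder value).
SINKHOLE_IPS = {"192.0.2.1"}

def build_query(name, txid=0x1234):  # A-record query: header with RD set, QNAME, QTYPE=A, QCLASS=IN
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.strip(".").split("."))
    return struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + b"\x00\x00\x01\x00\x01"

def skip_name(msg, off):  # offset just past a name, which may end in a compression pointer
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:
            return off + 2
        if n == 0:
            return off + 1
        off += 1 + n

def a_records(msg):  # every IPv4 address in the answer section of a DNS response
    qd, an = struct.unpack(">HH", msg[4:8])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4          # skip QTYPE + QCLASS
    ips = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:          # A record
            ips.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen                           # CNAME and other records are skipped
    return ips

def verdict(msg):
    ips = a_records(msg)
    if not ips:
        return "no A record"
    return "sinkholed" if set(ips) <= SINKHOLE_IPS else "not sinkholed"

def ask(name, server, timeout=3.0):  # query one DNS server over UDP, bypassing the OS cache
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        return s.recvfrom(4096)[0]

def sample_response(name, ip):  # constructed response with one A record, for offline testing
    rr = b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 60, 4) + socket.inet_aton(ip)
    return struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + build_query(name)[12:] + rr
```

Running `verdict(ask("unrealengine.com", "<your DNS server>"))` from the client sends the query on the same path the client's resolver uses, without the local DNS cache in the way. A result of "not sinkholed" means that DNS path is not matching a rule with the profile applied.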