07-28-2021 03:45 PM
I was curious to know if anyone was pointing their domain controllers to the firewall for DNS security/proxy? Mine currently use the ISP, but the clients use the firewalls as a proxy and then just rule just forward internal domains to the DC. Seems like I should be doing the same on the domain controllers themselves?
07-28-2021 08:14 PM
I just double checked our config. Where we are using DNS Proxy, we have our trust interface setup for DNS proxy and the FW points to our domain controllers for DNS. We have the interface for our Guest Zone with a proxy that goes directly to Google. Our DHCP scopes are setup to push use the FW's for DNS resolution.
The DC's are setup to point themselves for DNS as is best practice. The forwarders are setup to go to Google or Root Hints if not available.
Since we are using our internal DNS servers as the DNS servers for the FW proxy we couldn't point the forwarders to the FW as it would be a loop. If you don't point to your internal DNS servers for the proxy I found that you need reverse lookups aren't as straightfoward as you need to then setup forwarders on the in-addr-.arpa domain back to the DC anyway.
In reality it's just how we are configured. Be curious to see what others say, but it looks to be a personal choice at this point. Since the FW is inspecting the fwd lookups from the domain controller anyway I don't see an advantage with having the DC's go to the FW. In theory if all of your clients are pointing to the FW your DC would never make a fwd lookup anyway, except for external traffic on the DC itself.
07-28-2021 05:18 PM
We are just rolling out DNS Proxy to some of our locations, but are using it extensively with Prisma Access. From what I have seen I don't believe protection changes if you point your domain controllers to the proxy. I think the biggest advantage of the proxy is that when you have a DNS Sinkhole and you are going through the proxy you will know which client was making the bad request. Otherwise if it is your DNS server doing the recursive lookup the FW will still detect a malicious domain, but the sinkhole will show up as the DNS server and you won't know which endpoint was making the call.
07-28-2021 05:22 PM
Thanks Jason, that is exactly what I am seeing sinkhole addresses all originate from the DC and the logging seems spotty. I could certainly point the clients on the same subnet to the proxy, but it has me wondering about the DC itself for external name resolution.
07-28-2021 08:14 PM
I just double checked our config. Where we are using DNS Proxy, we have our trust interface setup for DNS proxy and the FW points to our domain controllers for DNS. We have the interface for our Guest Zone with a proxy that goes directly to Google. Our DHCP scopes are setup to push use the FW's for DNS resolution.
The DC's are setup to point themselves for DNS as is best practice. The forwarders are setup to go to Google or Root Hints if not available.
Since we are using our internal DNS servers as the DNS servers for the FW proxy we couldn't point the forwarders to the FW as it would be a loop. If you don't point to your internal DNS servers for the proxy I found that you need reverse lookups aren't as straightfoward as you need to then setup forwarders on the in-addr-.arpa domain back to the DC anyway.
In reality it's just how we are configured. Be curious to see what others say, but it looks to be a personal choice at this point. Since the FW is inspecting the fwd lookups from the domain controller anyway I don't see an advantage with having the DC's go to the FW. In theory if all of your clients are pointing to the FW your DC would never make a fwd lookup anyway, except for external traffic on the DC itself.
07-28-2021 08:46 PM
Thanks, our clients still point to the dc, that is an easy change. Our firewalls point the domain to the internal and everything to the isp. The forwarders would be the question. But You are correct in saying that having the clients utilizing the firewall is probably most critical.
07-30-2021 12:04 PM
Hi @bschaper
Actually it does not really matter which configuration you use as long as the dns requests are sent through the firewall. With the anti spyware profile applied to this dns traffic the firewall inspects the dns requests and replies (if you configured it to do so) with the sinkhole IP for known bad/malicious domains. With this configuration you will then see traffic of the actual client towards the sinkhole IP, so there is no need for the DNS proxy. If you also have the dns security subscription it is exactly the same. The only benefit you have with the proxy is that you directly see which client send the query for which malicious domain. We have separated clients and servers in different zones, so in this setup the proxy also isn't required for visibility.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
