URL Filtering - DNS Proxy

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

URL Filtering - DNS Proxy

L2 Linker

Hi,

I have the PAN devices in the main datacentres that do DNS lookups for all clients globally. What I am trying to figureout is how to have those servers forward to the PAN and the PAN proxy off to external servers then filter the returns based on a URL filtering policy. Thus not having to use a service like Open DNS. The standard URL filtering way does not work as most devices go out local gateway's at their site using split tunnel routing and only the DNS query is passed throught the PAN in the Datacentre.

I am not sure if it is possible but wanted to get others opinions on it.

5 REPLIES 5

L6 Presenter

What about setting up a DNAT (Destination NAT) rule based on dstport 53 for both UDP and TCP and force that traffic to your own DNS-server(s) where you then perform the DNS-policy you wish (since you didnt want to use OpenDNS to do this)?

Preferly use some sort of loadbalancing aswell so if one server is down or performs badly the other DNS-servers will get more of the requests (like the PAN will DNAT to an IP handled by a VSERVER in a F5 or so which will then loadbalance to the true server).

The problem is the split tunneling which might also mean that the client can bypass also the DNS-filtering (by manually query a DNS outside the tunnel and therefor not pass the PAN's at all depending on how strictly you enforce the split tunneling rules). Or for that matter modify the local resolv.conf/hosts-file which will overrule any answer (or non-answer) from the local DNS-servers.

Otherwise using URL-categories in your PAN-unit (along with SSL-termination) would be the preferred method to enforce DNS-policy (well URL-policy) but this will have the same limitation as using DNAT - the traffic from the client must pass the PAN-unit (but in your case it seemed that only the DNS-traffic was forced into the tunnel while the rest of the browsing happend outside the tunnel).

Yes the split tunnel is the problem.

All DNS quries go via our master DNS servers I then wanted to make them forward to the PAN firewalls and have the firewall do the external lookup apply URL filtering then provide the resonce to the client. If its a blocked URL it can just sent the client to a blocked URL page or just provide no responce.

The problem being that the PAN applies the blocks at the session layer not the lookup and as the clients as global connecting from many places not always behind a PAN device.

If there is a way to do filtering using the DNS proxy that would be great but looks like I have to either do a feature request or use an external service. Unless anyone can think of a way to achieve this?

So my suggestion wont work in your case?

I mean you have the following setup:

Client does split tunneling, everything except DNS-queries goes outside the tunnel (DNS-queries goes into the tunnel which terminates at your datacenter) - if I understood your setup correctly...

The PAN at the datacenter terminates your VPN (or if you use some other device for the VPN stuff and then forward all traffic through your PAN).

Your PAN will apply a DNAT (Destination NAT) for traffic coming from zone VPN-clients which have dstport UDP53/TCP53 and force that traffic to a virtual server handled by your loadbalancer (such as F5 or whatever) - the DNAT will rewrite destination ip.

Your loadbalancer will then loadbalance which of your DNS-servers should get the query.

You then setup your DNS-servers to block queries regarding the hosts/domains you dislike (or give a false answer so the client will get for example 192.168.0.1 as reply and when connecting to 192.168.0.1 (who is a local server in your network, preferly on a DMZ)  get some information for why this host/domain is blocked and how to contact support etc)).

Or did I completely misunderstood what you want to do? 🙂

Yes that is basically the setup only WAN traffic enters the tunnel and I cannot setup rules on our DNS servers as I would have to build effectivly my own copy of BrightCloud and I am paying PA for that service in my URL Filtering license that I cannot use.

URL Filtering applies to http/https traffic only.  URL categorization is performed based on an HTTP GET or in the case of an https site the CN (common name) of the certificate.  URL filtering cannot be performed on DNS requests (tcp/udp/53).

  • 3760 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!