[Fresh From the Press: Latest KB's] Sophos XG Firewall / UTM: How does Pharming protection work

Hey Community,

Pharming protection protects users against domain name poisoning attacks by repeating DNS lookups before connecting.
This KB article describes how Pharming protection works.

Regards,



  • What about sites that resolve to a list? Does UTM check the whole list for a match, or just take the first result and substitute its result for the original value?

    I have been afraid to use pharming protection, because my perception is that with multiple IPs, it will do round-robin address matching and session context will be lost due to address churn. I would be happy to be wrong.

  • A brief description of how DNS works.

    A domain (such as www.google.com) may resolve to multiple IPs. If you query a DNS server multiple times you may get different answers.

    When an application (such as Firefox on your Windows laptop) wants to resolve www.google.com it queries the OS (which is basically a local DNS server), which does not know and in turn queries the configured DNS server. The answer is then put into the OS's local DNS cache based on its TTL (time to live). So if Firefox asks a second time the answer is the same and there is no lengthy internet query. Minutes later (e.g. after the TTL cache expires) Firefox could ask to resolve again and this time get a different IP address.

    Another thing to note is that when Firefox asks for a webpage at www.google.com, after the page is retrieved the TCP connection is not destroyed. It gets reused for the next request. If there is continuous traffic (e.g. not idle for a specified time) Firefox might continuously use the same TCP connection for a long time, which means there are no additional DNS queries after the first one.

    So when you have multiple requests to the same server it TENDS to be the same IP, first because it reuses the connections, and second because it has a local DNS cache. But at any time that you make a new TCP connection to the same FQDN it could be a different IP.

    Firefox, web applications, and other applications that use the network are built to be able to handle changing IPs, because you might open up five Facebook windows causing seven TCP connections to three different IPs. There are session IDs, tokens, and other mechanisms that ensure that no matter what IP you connect to, it is still you.

    When UTM or XG is doing pharming protection, it is essentially the same thing. In this case the UTM/XG also has a DNS cache so that it is not constantly doing expensive DNS lookups on every request. However, the DNS cache is also constantly being refreshed (when a new request is made and the TTL has expired). Any new TCP connection could potentially go to a different IP address, which the applications should be able to handle because they already need to handle it when your Windows computer does the exact same thing.

    One more thing. If you are using Direct/Standard/Explicit mode where you specify the UTM/XG as your web proxy, the client never tells the proxy the IP it wants to connect to; it only tells the proxy the FQDN and the proxy is always doing a DNS lookup. So the Pharming Protection feature is basically getting the Direct mode method of DNS resolution on a Transparent mode request. If this didn't work, then direct mode proxies that have been around for decades would not work.
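The behaviour described in the reply above, as an added illustrative model (not Sophos code, and not a description of how UTM/XG is actually implemented): a TTL-respecting DNS cache plus a check that re-resolves the Host header FQDN of a transparent-mode request and compares the client's chosen destination IP against the whole answer list, so a host that resolves to several addresses is not flagged just because the client picked the second one. The zone data and the stub resolver are constructed so the example runs offline.

```python
import time
from typing import Dict, List, Optional, Tuple

# Constructed sample answers for the stub resolver (documentation-range IPs, not real hosts).
SAMPLE_ZONE = {
    "www.example.com": (["203.0.113.10", "203.0.113.11"], 60),  # two A records, 60 s TTL
    "intranet.example.com": (["192.0.2.5"], 300),
}

def stub_resolver(fqdn: str) -> Tuple[List[str], int]:
    """Stands in for the query to the configured DNS server so the example runs offline."""
    return SAMPLE_ZONE.get(fqdn.lower(), ([], 0))

class TtlDnsCache:
    """Answer cache keyed by FQDN; the upstream resolver is asked again only once the
    record's TTL has expired, like the OS cache and the proxy cache described above."""
    def __init__(self, resolver, clock=time.monotonic):
        self._resolver, self._clock = resolver, clock
        self._entries: Dict[str, Tuple[List[str], float]] = {}
        self.upstream_queries = 0  # counts lookups that actually went upstream

    def resolve(self, fqdn: str) -> List[str]:
        key, now = fqdn.lower(), self._clock()
        cached = self._entries.get(key)
        if cached and cached[1] > now:      # still within TTL: serve from cache
            return list(cached[0])
        addrs, ttl = self._resolver(fqdn)
        self.upstream_queries += 1
        self._entries[key] = (list(addrs), now + ttl)
        return list(addrs)

def check_transparent_request(cache: TtlDnsCache, host_header: str,
                              client_dest_ip: str) -> Tuple[str, Optional[str]]:
    """Model of the pharming check: re-resolve the Host header FQDN and compare with the
    destination IP the client chose. Returns (verdict, IP the proxy should connect to)."""
    addrs = cache.resolve(host_header)
    if not addrs:
        return ("unresolvable", None)
    if client_dest_ip in addrs:             # a match anywhere in the answer list is fine
        return ("ok", client_dest_ip)
    # Client's IP is not among the resolver's answers: possible poisoning, so connect
    # to a resolver-supplied address rather than the client's choice.
    return ("mismatch", addrs[0])

class FakeClock:
    """Controllable clock so TTL expiry can be exercised without sleeping."""
    def __init__(self) -> None:
        self.now = 0.0
    def __call__(self) -> float:
        return self.now
```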