
How do you block/allow domains with revolving/rotating or distributed/geo-dependent DNS?

Our system needs to allow outgoing HTTP/S connections to our Amazon S3 services.  In the past, I was able to create a "DNS Group" object that kept track of the 700+ IP addresses associated with "s3.amazonaws.com" but now after recent firmware updates the DNS Group object is reduced to just one.

I asked Sophos Support about this behavior, and they responded that the DNS Group object was never designed to track all IPs for a domain name with revolving/rotating or distributed/geo-dependent DNS.

Besides entering all of S3's 300 IP blocks manually as network objects (and updating them as they change), I was wondering if anyone uses a solution to remedy this behavior?

How do you block/allow a domain name that has revolving or distributed DNS?

Cheers!

  • Sam, I'm confused.  Is there a reason you're addressing this with anything other than Web Filtering?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Bob,

    We don't have Web Filtering or any other Endpoint, Enterprise, or Email services running on our UTMs.  We simply use the Web Protection suite for our externally facing web sites, and the Network Protection layer for stateful L3 firewalling of those servers only.

    We are trying to restrict our servers from outgoing HTTP/S unless where needed, an example of which is when connecting to S3 to upload documents for CDN cache usage.

    It hasn't occurred to me to try Web Filtering for the outgoing traffic of the servers, but even still I need to ask the same question: will it allow me to connect to a domain name that has a distributed or revolving DNS resolution while having the catch-all DENY ANY that Network Protection has?

    Cheers

    SAM

  • In this case, Web Filtering is the ideal way to control web activity based on domain or FQDN initiated from inside your LAN/DMZ.

    Cheers - Bob

  • OK, that's not an answer - I'm hoping to use Network Protection in the way it was intended, not patch in Web Filtering that's traditionally reserved for restricting enterprise client-based web browsing.

    Instead, let's pretend that I was trying to do the same with any other protocol, say, RDP 3389.  How would I allow OR block connections to a domain name that resolves differently based on revolving or geo DNS?  I just need a way to, in the UTM, define & track a domain name that has dynamic resolution.

    Is there some technology for revolving DNS that we can reference here that we can then request be implemented into the UTM's host/network definition types?

    Cheers

  • I'm not able to get any name resolution on s3.amazonses.com - are you sure that's the FQDN you were using?  The UTM's DNS Group objects should not have been changed by any Up2Date.

    Cheers - Bob

  • My bad - it's AWS... s3.amazonaws.com; even more specifically s3-1-w.amazonaws.com.

    Cheers

  • First, you asked the following:

    It hasn't occurred to me to try Web Filtering for the outgoing traffic of the servers, but even still I need to ask the same question: will it allow me to connect to a domain name that has a distributed or revolving DNS resolution while having the catch-all DENY ANY that Network Protection has?

    Yes, see #2 in Rulz.

    The behavior of DNS Groups hasn't changed, so it must be a change that Amazon made.  Perhaps they can give you another FQDN that has an A-record for all of the IPs you might use.  It looks like Amazon assigns IPs spread randomly over a /11 subnet.

    It looks like the IP for s3-1-w.amazonaws.com changes every 5 seconds (elastic load balancing?).  There never was a time when that would have worked with UTM firewall rules, so Web Protection is the only solution if you generally want to DENY ANY in a firewall rule but allow traffic to this, specific FQDN.

    Cheers - Bob

  • So to summarize your reply: There are no solutions for revolving DNS if one is to use A) the Firewall (Network/Host Definitions & packetfilter service) only or B) an outgoing protocol other than HTTP/S.

    But if our use-case is outgoing HTTP/S only, then the Web Filtering service can filter properly based on, what, HTTP request header Host value?

    I can confirm to you, based on past experience, that the DNS resolution behavior for s3-1-w.amazonaws.com has remained the same for many months or years now, perhaps with the same revolution interval.  I can also confirm, based on past experience, that the UTM Network object "DNS Group" for s3-1-w.amazonaws.com was 700+ IPs large.  Only recently did it change - perhaps when we upgraded to 9.4x, I'm not exactly certain.

    I'm not saying that "storing" IPs for revolving DNS was, or is, or should be, the technical purpose of the DNS Group objects - implying that something is now broken; instead that it was convenient that they stored the IPs the way they did - it allowed proper filtering using the UTM features that were already enabled.

    FWIW, I have similar DNS Group objects for some Google services as well, they also stopped "storing" IPs at the same time.

  • Only recently did it change - perhaps when we upgraded to 9.4x, I'm not exactly certain.

    If you open a ticket with Sophos Support, please let us know their response about when this started and whether it was an intended change.  Since I use Web Filtering in this instance, I've not witnessed this problem or the solution you were using.

    But if our use-case is outgoing HTTP/S only, then the Web Filtering service can filter properly based on, what, HTTP request header Host value?

    Yes, you definitely want to do this with Web Protection.

    Cheers - Bob

  • Already contacted Support half a dozen times. This is from one of their TS reps:

    I have confirmed with product management that the DNS Group objects were never designed to work with DNS round robin - and we really do not have a network definition that is designed to reliably work with this. The only alternative I can think to use in this case is a network object that covers the range of IPs Amazon owns.

    I guess I'm not surprised that Sophos doesn't have other customers that have experienced this issue. In several non-related incidents over the last many moons, sometimes I found myself wondering about the adoption levels of the UTM in the professional, top-scale Web Application & Security industry. I know we chose Sophos far before we had these advanced needs because they were the cheapest supported WAF/IPS.

    Cheers
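The Support suggestion above (a network object covering the address ranges Amazon owns) can be kept current from AWS's published prefix list rather than from DNS lookups, which, as the thread shows, only ever see one of the rotating answers. The script below is an added example, not code from the thread or from Sophos; it assumes the JSON layout of https://ip-ranges.amazonaws.com/ip-ranges.json (a `prefixes` list with `ip_prefix`, `region` and `service` keys), and the embedded document is a constructed sample using documentation address space, not real AWS prefixes.

```python
"""Derive firewall network definitions for S3 from an ip-ranges.json-style document.

Added example (not from the thread or from Sophos). Assumes the published AWS layout:
{"prefixes": [{"ip_prefix": "...", "region": "...", "service": "..."}, ...]}.
"""
import ipaddress
import json

# Constructed sample in the assumed ip-ranges.json layout; the prefixes are RFC 5737
# documentation ranges, not real AWS address space.
SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "0",
    "prefixes": [
        {"ip_prefix": "192.0.2.0/25",    "region": "us-east-1", "service": "S3"},
        {"ip_prefix": "192.0.2.128/25",  "region": "us-east-1", "service": "S3"},
        {"ip_prefix": "198.51.100.0/24", "region": "eu-west-1", "service": "S3"},
        {"ip_prefix": "203.0.113.0/24",  "region": "us-east-1", "service": "EC2"},
    ],
})


def s3_prefixes(doc: str, regions=None):
    """Return the S3 prefixes (optionally limited to a set of regions), merged
    into the smallest list of CIDR blocks so fewer network objects are needed."""
    data = json.loads(doc)
    nets = [
        ipaddress.ip_network(p["ip_prefix"])
        for p in data["prefixes"]
        if p["service"] == "S3" and (regions is None or p["region"] in regions)
    ]
    # collapse_addresses merges adjacent blocks, e.g. two /25s into one /24.
    return list(ipaddress.collapse_addresses(nets))


def covered(ip: str, nets) -> bool:
    """True if a resolved address falls inside the allow-listed prefixes; useful for
    checking a firewall log entry against the definitions actually installed."""
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)


def changed_prefixes(old_doc: str, new_doc: str):
    """Prefixes added and removed between two snapshots of the document, so the
    firewall objects can be re-synced when AWS updates the list."""
    old, new = set(s3_prefixes(old_doc)), set(s3_prefixes(new_doc))
    return sorted(new - old, key=str), sorted(old - new, key=str)


if __name__ == "__main__":
    for net in s3_prefixes(SAMPLE_IP_RANGES, regions={"us-east-1"}):
        print("allow", net)
```

Restricting to the regions your buckets live in keeps the allow-list far smaller than the whole of Amazon's space, and diffing two downloads of the real document tells you exactly which network definitions to add or retire.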