Unresolved URLs (Zscaler) are blocked in Web Filtering with "Host not found" - exception possible?

Dear Community,

As we need to support many customers via VPN, I often have to deal with setting rules
to allow VPN clients to connect to remote sites from inside our network.

Always easy until now:
A customer came up with the Zscaler Client and I wasn't able to make the settings for this connection to my satisfaction.
I only get it working when I disable Pharming Protection, which is not what I want!

Here are the details:
From what I can see in the Web Filter Log, Zscaler seems to connect in two stages:
- first it connects to the Zscaler endpoint at the customer's site and prompts me to log in
- when this is done, it tries to connect to some URL of the Zscaler infrastructure, "https://driv.com.c2.prod.zpath.net/"

And that's where the UTM (V 9.605-1) breaks it.
The URL seems to be some kind of "virtual URL" which is not resolvable.
Even an online DNS lookup delivers no result.
So Web Filtering blocks the client's attempt to contact this URL with the error "Host not found".

Now it would be nice to simply disable the URL check for this very URL.

But no matter what exception or bypass I define in the Web Filter rules, the block action takes place before any exclusions are considered.
The only way to get around it is to disable Pharming Protection.
To me this is no real solution, as I totally disable a security feature instead of configuring an exception just for this URL.

The issue is similar to the behaviour described in this thread.

Any ideas on how to resolve this issue are highly appreciated.

Best Regards, RanX

  • Hi

    If you know which DNS server would resolve this, you may configure a DNS request route for this domain (which might require some assistance from Zscaler), and that will allow you to work with this. Since the DNS resolution is not possible, there is no point in creating an Exception (even in Transparent mode Skip list).

  • In reply to Jaydeep:

    Hi Jaydeep,

    so far in theory ...

    As even the official Zscaler DNS servers do not resolve this, I assume this design is intended.
    Zscaler offers "cloud security" and therefore is kind of a competitor to Sophos.
    I'm afraid they won't bother that much about resolving issues on other vendors' products.

    And even if I find a workaround with Zscaler, this is still no solution.
    When you read the other thread I referred to, you will see that Zscaler is not the only case where unresolvable URLs are used.

    Thus it would make more sense to set an exception on the UTM than to blame it on third parties, which won't care about it anyway ...

    Best Regards

    RanX

  • In reply to RanX:

    Hi

    I am not blaming third parties in any way. I was just suggesting what could be a (possible) workaround in this case, given that you've hit a block in setup.

  • Guessing why Pharming Protection is a problem:

    Normal Mode

    • Vendor DNS name returns a list of servers.
    • Application does a DNS lookup and gets a result.
    • Application establishes a connection to that server.
    • Application makes a second connection using IP address only.
    • Server verifies that both sessions can be linked.

    With Pharming Protection on:

    • Application does a DNS lookup and gets an IP.
    • UTM does a DNS lookup and gets a different IP, which is the one actually used.
    • First session is connected successfully.
    • Application attempts the second connection using its cached IP.
    • The two sessions are now on different servers and the connection fails.
  • In reply to DouglasFoster:

    Good Morning Douglas !

    The second part of the description is not completely correct.
    I also don't know why it was marked as the answer.
    It only describes the behaviour but does not provide a solution to get around this.

    But to give a general description of what happens in my case and in the thread I referred to ("snapchat is blocked"):

    With Pharming Protection on:

    • The application, however, seems to be able to do a DNS lookup of its "special" URL and gets an IP.
    • On the contrary, a "manual" request to the official DNS servers for the same URL will not give a result.
    • The UTM does a DNS lookup and gets no IP, as it can also only query official DNS servers.
    • The UTM returns "Host not found" and refuses the connection.

    The only way to resolve this would be to somehow exclude these URLs from Pharming Protection.
    But at present I did not find any method to accomplish this.

    So either there is a way I've overlooked, or this is a feature which is still missing in Pharming Protection.

    Best Regards

    RanX
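To make the two failure modes discussed in this thread concrete (Douglas's "two sessions land on different servers" case and RanX's "Host not found" case), here is a small Python model of a pharming-protection style check. This is an added illustration, not Sophos UTM code; the resolver table, the client IPs and the per-host exception list are constructed for the example (the thread itself says the real UTM offers no such exception), and the check logic is an assumption about how such a feature behaves, not a description of the product's implementation.

```python
"""Model of a pharming-protection style check (added illustration, not UTM code).

The proxy compares the IP the client wants to connect to with the IP the
proxy's own resolver returns for the requested hostname, and either allows,
rewrites the destination, or blocks with "Host not found" when the name does
not resolve at all.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional

# Constructed view of what the proxy's resolver returns. None models NXDOMAIN,
# i.e. a name that public DNS has no record for (the thread's zpath.net case).
UTM_RESOLVER: Dict[str, Optional[str]] = {
    "portal.example.com": "203.0.113.10",
    "driv.com.c2.prod.zpath.net": None,
}

# Hypothetical per-host exception list; the thread states the real UTM has none.
PHARMING_EXCEPTIONS: FrozenSet[str] = frozenset({"driv.com.c2.prod.zpath.net"})


@dataclass
class Decision:
    action: str            # "allow", "rewrite" or "block"
    dest_ip: Optional[str] # IP the proxy will actually connect to (None if blocked)
    reason: str            # human-readable reason, suitable for a log line


def pharming_check(host: str, client_ip: str,
                   resolver: Dict[str, Optional[str]] = UTM_RESOLVER,
                   exceptions: FrozenSet[str] = frozenset(),
                   protection_on: bool = True) -> Decision:
    """Decide what the proxy does with a client request for host -> client_ip."""
    if not protection_on or host in exceptions:
        # Check skipped: client's own resolution is trusted as-is.
        return Decision("allow", client_ip, "pharming check skipped")
    resolved = resolver.get(host)
    if resolved is None:
        # Proxy cannot resolve the name at all, so it has nothing to compare
        # against and refuses the request. This is the thread's symptom.
        return Decision("block", None, "Host not found")
    if resolved == client_ip:
        return Decision("allow", client_ip, "client IP matches resolver")
    # Mismatch: the proxy silently substitutes its own answer. Douglas's point is
    # that this deserves an alarm rather than a silent fix.
    return Decision("rewrite", resolved,
                    f"mismatch: client used {client_ip}, resolver says {resolved}")


def two_stage_connect(host: str, client_resolved_ip: str,
                      resolver: Dict[str, Optional[str]] = UTM_RESOLVER,
                      protection_on: bool = True) -> bool:
    """Model the two-session flow: first connection by name, second by cached IP.

    Returns True when both sessions reach the same server (the application's
    server-side linking succeeds), False otherwise.
    """
    first = pharming_check(host, client_resolved_ip, resolver,
                           protection_on=protection_on)
    if first.action == "block":
        return False
    # The second connection carries only an IP, no hostname, so the proxy has
    # nothing to rewrite and the cached client IP is used unchanged.
    second_ip = client_resolved_ip
    return first.dest_ip == second_ip


def mismatch_alerts(events, resolver=UTM_RESOLVER):
    """Turn (host, client_ip) events into alert lines for the mismatch case only."""
    alerts = []
    for host, client_ip in events:
        d = pharming_check(host, client_ip, resolver)
        if d.action == "rewrite":
            alerts.append(f"ALERT client resolved {host} to {client_ip}; {d.reason}")
    return alerts


if __name__ == "__main__":
    # Constructed sample events: one clean, one mismatch, one unresolvable name.
    sample = [("portal.example.com", "203.0.113.10"),
              ("portal.example.com", "198.51.100.7"),
              ("driv.com.c2.prod.zpath.net", "198.51.100.20")]
    for host, ip in sample:
        print(host, ip, "->", pharming_check(host, ip))
    for line in mismatch_alerts(sample):
        print(line)
```

Running the block shows the three outcomes side by side: a matching answer is allowed, a mismatch is rewritten (and surfaced as an alert line by `mismatch_alerts`, which is the alarm-rather-than-silent-fix approach Douglas argues for), and a name the proxy cannot resolve is blocked with "Host not found" regardless of any Web Filter exception, because the block happens before the exception is ever consulted. Passing `exceptions=PHARMING_EXCEPTIONS` or `protection_on=False` to `pharming_check` shows the two ways out: a per-host exception (the feature RanX is asking for) or disabling the check globally (the only option the thread found).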

  • In reply to RanX:

    Hello RanX,

    Doug is right - there's nothing you can do other than disable pharming protection. I've done that at many client sites. An Exception is a good suggestion. You might mention it at Ideas and then come back here and provide a link to it.

    Cheers - Bob

  • In reply to RanX:

    I do not consider pharming protection to be an important defense. It attempts to "fix" any mismatches between the URL and the IP address provided by the client. This is a potential defense against two problems:

    • Clients that obtained an incorrect result from their DNS server.
    • Clients that are infected and deliberately trying to reach bad guys by IP address while pretending to reach "goodguys.com".

    Either of these requires alarms that cause you to find the problem, rather than a packet-level fix that attempts to handle the problem silently.

    The best defense against DNS takeover is to have managed switches that block DHCP replies from unauthorized ports, track DHCP assignments by port, and block traffic that attempts to take over a DHCP-assigned address that was issued to a different port.

    Anti-virus, web filtering, and spam filtering are there to prevent infections. If an infection occurs, it will probably show up in other ways, especially IPS and ATP.

    Given all that, I don't see much risk in disabling the pharming protection feature.

    As I have written in "Web Filtering Lessons Learned", I recommend Standard Mode for web traffic and Transparent Mode without authentication for non-web traffic, then create exceptions for situations like the one you have encountered. Standard Mode transfers the DNS task completely to UTM.