Does the webfilter itself resolve DNS names of accessed websites?

Hi

(all domains and IPs are faked)

Our setup at one of our branches:

UTM 9 SG105 box

small network with 3 computers (Win7 PCs)

Internet access: firewall -> cable modem

There is a VPN tunnel to our datacenter, where all our servers are hosted.

Win domain controllers are also in the datacenter; the Win computers are domain-joined.

Internally we use domains like da02.dolphin.ch (Win domain) and internal.ch, which also exist in the Internet.

dolphin.ch is also one of our domains in the Internet. internal.ch we use only to resolve internal servers.

The PCs use our internal DNS servers in the datacenter (10.144.1.109 and .108) as DNS servers, but we also put these in as external resolvers in the UTM 9.

Now the problem:

The PCs want to reach certain websites/services in the datacenter over http:80.

example: monitoring.internal.ch and citrixfarm.dolphin.ch

If we ping these hosts we get the correct internal IPs from the datacenter (through the VPN tunnel), resolved by our internal DNS servers (result 10.144.1.104 and 10.144.1.211).

If we want to access the associated URLs (http:80), UTM 9 also leaves the resolvers aside, resolves with whatever and gives us back a destination in the Internet.

We tried to exclude the 2 domains internal.ch and dolphin.ch in the webfilter, with no better result. The webfilter still looks 'outside' in the Internet for them.

We never reach the services in the datacenter, and that blocks so many things.

All other services not based on http go seamlessly through the VPN tunnel to the datacenter; all works fine.

How do we prevent the webfilter (without turning it off =;-)) from resolving URLs to the WAN/Internet instead of using the resolvers we have configured?

Thanks for 'resolving' =;-)

Phil

  • Hi Phil,

    Could you explain it to me with a simple network diagram?

    Thanks

  • In reply to sachingurung:

    20170721163128438.pdf Hi, hope that helps to explain more. Thanks

  • Hi, Phil, and welcome to the UTM Community!

    In Transparent mode accesses, it's the client browser that requests name resolution.

    If the client browser is explicitly configured to use the UTM as a Proxy, the UTM will request name resolution.

    Note that the UTM will respond to an explicit proxy request in Standard mode even if only a Transparent mode Web Filtering Profile has been configured. This can also occur if the client browser is configured with 'Automatically detect settings' selected.

    You might want to compare your DNS configuration to DNS best practice.

    Taking all of this into account, would you want to rephrase your question, or does that answer it?

    Cheers - Bob

  • In "Standard" mode, the UTM must be able to resolve all IPs.

    In "Transparent" mode it is dependent on your setting for Pharming Protection. With pharming protection off, the UTM trusts the IP in the client request. With pharming protection on, the UTM will try its own DNS lookup and use that.

    However, I would listen to the others about DNS best practices.

    Bob - you may want to add this info to your DNS best practices.

    In addition - in current SFOS/UTM code, when pharming protection is turned on and the appliance cannot resolve the domain to an IP, it will block the connection with Host Not Found. In future SFOS/UTM code, if it cannot resolve, it will use the IP from the client connection. This will fix some problems in certain apps, including potentially this guy.
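The destination-selection rules described in the last two replies (Standard vs. Transparent mode, Pharming Protection on/off, the current "Host Not Found" behaviour versus the described future fallback to the client's IP), as an added example that models them and flags the split-horizon names that trigger the problem. This is not Sophos code; the two DNS views are constructed from the thread's faked names and IPs, and the public record for citrixfarm.dolphin.ch is an assumed value.

```python
from typing import Dict, List, Optional, Tuple

# Constructed split-horizon views using the thread's faked names and IPs.
INTERNAL_DNS: Dict[str, str] = {
    "monitoring.internal.ch": "10.144.1.104",
    "citrixfarm.dolphin.ch": "10.144.1.211",
}
PUBLIC_DNS: Dict[str, str] = {
    "citrixfarm.dolphin.ch": "203.0.113.10",  # assumed public record for dolphin.ch
    # monitoring.internal.ch: no public record; internal.ch resolves only inside
}


def choose_destination(host: str, mode: str, pharming_protection: bool,
                       client_ip: Optional[str], utm_view: Dict[str, str],
                       block_on_lookup_failure: bool = True) -> Tuple[Optional[str], str]:
    """Destination the Web Filter connects to, per the rules in the thread.

    mode: "standard" (browser uses the UTM as explicit proxy) or "transparent".
    client_ip: IP the client itself resolved and connected to (transparent mode).
    utm_view: what the UTM's own resolver answers.
    block_on_lookup_failure: True models current code (Host Not Found),
    False models the described future behaviour (fall back to client_ip).
    """
    if mode == "standard":
        ip = utm_view.get(host)                     # UTM must resolve everything
        return (ip, "utm-resolved") if ip else (None, "host-not-found")
    if not pharming_protection:
        return client_ip, "client-ip-trusted"       # UTM trusts the client's IP
    ip = utm_view.get(host)
    if ip:
        return ip, "utm-resolved"                   # UTM's own lookup wins
    if block_on_lookup_failure:
        return None, "host-not-found"
    return client_ip, "fallback-client-ip"


def split_horizon_conflicts(hosts: List[str], internal_view: Dict[str, str],
                            utm_view: Dict[str, str]) -> Dict[str, Tuple[Optional[str], Optional[str]]]:
    """Hosts whose internal answer differs from the UTM resolver's answer:
    exactly the names a Standard-mode or pharming-protection lookup misroutes."""
    return {h: (internal_view.get(h), utm_view.get(h))
            for h in hosts if internal_view.get(h) != utm_view.get(h)}


if __name__ == "__main__":
    for h, ip in INTERNAL_DNS.items():
        print(h, choose_destination(h, "transparent", True, ip, PUBLIC_DNS))
    print(split_horizon_conflicts(list(INTERNAL_DNS), INTERNAL_DNS, PUBLIC_DNS))
```

Running it with the UTM pointed at the public view reproduces the symptom (citrixfarm goes to the Internet address, monitoring is blocked); passing INTERNAL_DNS as the UTM view, which is what the configured internal resolvers should give, yields the datacenter IPs in every mode.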