
Unresolved URLs (Zscaler) are blocked in Web Filtering with "Host not found" - exception possible?

Dear Community,

As we need to support many customers via VPN, I often have to deal with setting rules
to allow VPN clients to connect to remote sites from inside our network.

Always easy until now:
A customer came up with the Zscaler Client and I wasn't able to make settings for this connection to my satisfaction.
I only get it working when I disable Pharming Protection, which is not what I want!

Here are the details:
Regarding what I can see in the Web Filter log, Zscaler seems to connect in two stages:
- first it connects to the Zscaler endpoint at the customer's site and prompts me to log in
- when this is done, it tries to connect to some URL of the Zscaler infrastructure, "https://driv.com.c2.prod.zpath.net/"

And that's where the UTM (V 9.605-1) breaks it.
The URL seems to be some kind of "virtual URL", which is not resolvable.
Even an online DNS lookup delivers no result.
So Web Filtering blocks the client's attempt to contact this URL with the error "Host not found".

Now it would be nice to simply disable the URL check for this very URL.

But no matter what exception or bypass I define in the Web Filter rules, the block action takes place before any exclusions are considered.
The only way to get around it is to disable Pharming Protection.
To me this is no real solution, as I totally disable a security feature instead of configuring an exception just for this URL.

The issue is similar to the behaviour described in this thread

Any ideas how to resolve this issue are highly appreciated.

Best Regards, RanX



  • Guessing why Pharming Protection is a problem:

    Normal Mode

    • Vendor DNS name returns a list of servers.
    • Application does a DNS lookup and gets a result.
    • Application establishes a connection to that server.
    • Application makes a second connection using IP address only.
    • Server verifies that both sessions can be linked.

    With Pharming Protection on:

    • Application does a DNS lookup and gets an IP
    • UTM does a DNS lookup and gets a different IP, which is the one actually used.
    • First session is connected successfully.
    • Application attempts the second connection using its cached IP.
    • The two sessions are now on different servers and the connection fails.
  • Good Morning Douglas!

    The second part of the description is not completely correct.
    I also don't know why it was marked as answer.
    It only describes the behaviour but does not provide a solution to get around this.

    But to give a general description of what happens in my case and in the thread I referred to ("snapchat is blocked"):

    With Pharming Protection on:

    • Application, however, seems to be able to do a DNS lookup of its "special" URL and gets an IP
    • In contrast, a "manual" request to official DNS servers for the same URL will not give a result
    • UTM does a DNS lookup and gets no IP, as it can also only query official DNS servers
    • UTM returns "Host not found" and refuses the connection

    The only way to resolve this would be to somehow exclude these URLs from Pharming Protection.
    But at present I have not found any method to accomplish this.

    So either there is a way I've overlooked, or this is a feature which is still missing in Pharming Protection.

    Best Regards

    RanX
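To make the two sequences described by Douglas and RanX above concrete, here is an added Python model of the check Pharming Protection performs and its three outcomes (match, mismatch, unresolvable). It is not UTM code: the DNS table, the 203.0.113.x addresses and the per-host bypass list are constructed, and the bypass is the hypothetical exception the original poster asks for, not an existing feature.

```python
from dataclasses import dataclass
from typing import Callable, FrozenSet, Optional

# Constructed view of the "official" DNS the UTM can query. The Zscaler-style
# host from the thread is deliberately absent: only the client can resolve it.
UTM_DNS = {
    "www.example.com": "93.184.216.34",
    "vendor.example.net": "198.51.100.10",
}

def utm_resolve(host: str) -> Optional[str]:
    """Stand-in for the UTM's own forward lookup; None models NXDOMAIN."""
    return UTM_DNS.get(host)

@dataclass(frozen=True)
class Verdict:
    action: str             # "allow" or "block"
    dest_ip: Optional[str]  # address the UTM actually connects to
    reason: str

def pharming_check(host: str, client_ip: str,
                   resolve: Callable[[str], Optional[str]] = utm_resolve,
                   bypass: FrozenSet[str] = frozenset()) -> Verdict:
    """Model of Pharming Protection: the UTM re-resolves the requested host
    and trusts its own answer over the client's. `bypass` is the hypothetical
    per-host exception discussed in the thread, not a UTM feature."""
    if host in bypass:
        return Verdict("allow", client_ip, "host on pharming bypass list")
    utm_ip = resolve(host)
    if utm_ip is None:
        # RanX's case: the UTM cannot resolve the name, so it refuses outright.
        return Verdict("block", None, "Host not found")
    if utm_ip != client_ip:
        # Douglas's case: the mismatch is "fixed" silently with the UTM's answer.
        return Verdict("allow", utm_ip, "client IP replaced by UTM lookup")
    return Verdict("allow", client_ip, "client IP matches UTM lookup")

def second_connection_linked(first: Verdict, cached_ip: str) -> bool:
    """Douglas's two-stage flow: the application's second, IP-only connection
    must land on the same server as the first or the vendor cannot link them."""
    return first.action == "allow" and first.dest_ip == cached_ip
```

The bypass branch shows why an exception evaluated before the lookup would let the unresolvable Zscaler host through while keeping the check for every other name.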

  • Hallo RanX,

    Doug is right - there's nothing you can do other than disable pharming protection.  I've done that at many client sites.  An Exception is a good suggestion.  You might mention it at Ideas and then come back here and provide a link to it.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • I do not consider pharming protection to be an important defense.   It attempts to "fix" any mismatches between the URL and the IP address provided by the client.   This is a potential defense against two problems:

    • Clients that obtained an incorrect result from their DNS server.
    • Clients that are infected and deliberately trying to reach bad guys by IP address while pretending to reach "goodguys.com"

    Either of these requires alarms that cause you to find the problem rather than a packet-level fix that attempts to handle the problem silently.

    The best defense against DNS takeover is to have managed switches that block DHCP replies from unauthorized ports, track DHCP assignments by port, and block traffic that attempts to take over a DHCP-assigned address that was issued to a different port.

    Anti-virus, web filtering, and spam filtering are there to prevent infections.   If an infection occurs, it will probably show up in other ways, especially IPS and ATP.

    Given all that, I don't see much risk in disabling the pharming protection feature.

    As I have written in "Web Filtering Lessons Learned", I recommend Standard Mode for web traffic and Transparent Mode without authentication for non-web traffic, then create exceptions for situations like the one you have encountered.   Standard Mode transfers the DNS task completely to UTM.