(all Domains and IPs are faked)
Our setup on one of our branches:
UTM 9 SG105 box
Small network with 3 computers (Win7 PCs)
Internet access: firewall -> cable modem
There is a VPN tunnel to our datacenter, where all our servers are hosted.
Windows domain controllers are also in the datacenter; the Windows computers are domain-joined.
Internally we use domains like da02.dolphin.ch (Windows domain) and internal.ch, which also exist in the Internet.
dolphin.ch is also one of our domains in the Internet. internal.ch we use only to resolve internal servers.
The PCs use our internal DNS servers in the datacenter (10.144.1.109 and 108) as their DNS servers, but we also put these in as external resolvers in the UTM 9.
Now the problem:
The PCs want to reach certain websites/services in the datacenter via http:80,
for example monitoring.internal.ch and citrixfarm.dolphin.ch.
If we ping these hosts we get the correct internal IPs from the datacenter (through the VPN tunnel), resolved by our internal DNS servers (result 10.144.1.104 and 10.144.1.211).
If we want to access the associated URLs (http:80), UTM 9 also leaves the resolvers aside, resolves with whatever, and gives us back a destination in the Internet.
We tried to exclude the two domains internal.ch and dolphin.ch in the web filter, with no better result. The web filter still looks 'outside' in the Internet for it...
We never reach the services in the datacenter... and that blocks so many things.
All other services not based on HTTP go seamlessly through the VPN tunnel to the datacenter; all works fine.
How do we prevent the web filter (without turning it off =;-)) from resolving URLs to the WAN/Internet and not using the resolvers which we have configured?
Thanks for 'resolving' =;-)
In "Standard" mode, the UTM must be able to resolve all IPs.
In "Transparent" mode it is dependent on your setting for Pharming Protection. With pharming protection off, the UTM trusts the IP in the client request. With pharming protection on, the UTM will try its own DNS lookup and use that.
However, I would listen to the others about DNS best practices.
Bob - you may want to add this info to your DNS best practices.
In addition - in current SFOS/UTM code, when pharming protection is turned on and the appliance cannot resolve the domain to an IP, it will block the connection with Host Not Found. In future SFOS/UTM code, if it cannot resolve, it will use the IP from the client connection. This will fix some problems in certain apps, including potentially this guy.
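To make the replies above concrete, here is an added example (not Sophos code and not from any poster) that models which destination the web filter ends up using for each proxy mode and pharming-protection setting, and flags the split-horizon mismatch behind the original question. The internal answers are the ones quoted in the thread; the public answers and the 10.144.0.0/16 datacenter range are constructed assumptions.

```python
"""Model of the web-filter destination choice described in the thread.
Added example; the decision rules are taken from the replies, not from UTM source."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

HOST_NOT_FOUND = "Host Not Found"
DATACENTER = ip_network("10.144.0.0/16")  # assumed range behind the VPN tunnel


@dataclass
class ProxyConfig:
    mode: str                          # "standard" or "transparent"
    pharming_protection: bool
    fallback_to_client_ip: bool = False  # the "future code" behaviour from the last reply


def proxy_destination(cfg: ProxyConfig, client_ip: Optional[str],
                      utm_lookup: Optional[str]) -> str:
    """IP the web filter connects to, or HOST_NOT_FOUND.
    client_ip: destination the PC resolved itself (its internal DNS answer).
    utm_lookup: the UTM's own DNS answer, None when its lookup fails."""
    if cfg.mode == "standard":
        # Standard mode: the proxy must resolve the name itself, always.
        return utm_lookup if utm_lookup else HOST_NOT_FOUND
    if cfg.mode == "transparent":
        if not cfg.pharming_protection:
            return client_ip or HOST_NOT_FOUND   # trusts the client's IP
        if utm_lookup:
            return utm_lookup                     # pharming protection: own lookup wins
        return client_ip if (cfg.fallback_to_client_ip and client_ip) else HOST_NOT_FOUND
    raise ValueError(f"unknown mode {cfg.mode!r}")


def reaches_datacenter(dest: str) -> bool:
    """True when the chosen destination lies inside the assumed tunnel range."""
    return dest != HOST_NOT_FOUND and ip_address(dest) in DATACENTER


def split_horizon_mismatch(internal_answer: str, utm_answer: Optional[str]) -> bool:
    """Flag hosts whose internal and UTM-side answers differ (the thread's symptom)."""
    return utm_answer is not None and internal_answer != utm_answer


# Constructed sample: internal answers from the thread, public answers made up.
HOSTS = {
    "monitoring.internal.ch": {"internal": "10.144.1.104", "public": "203.0.113.10"},
    "citrixfarm.dolphin.ch":  {"internal": "10.144.1.211", "public": "203.0.113.11"},
}
```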