ProxySG & Advanced Secure Gateway

  • 1.  DNS Queries along with proxy enabled web browser

    Posted Sep 24, 2017 01:13 AM

    Hi Guys,

    I need some clarification on DNS queries by the client PC enabled with web proxy on its browser. 

    Will the PC-defined DNS servers do the DNS resolution, or does the proxy server do it while browsing websites?

    If the proxy server does the DNS resolution, what is the solution to get the DNS queries directly from the PC-defined DNS servers?



  • 2.  RE: DNS Queries along with proxy enabled web browser

    Broadcom Employee
    Posted Sep 24, 2017 01:23 AM

    I hope this helps to answer the first part of your question.

    How does the DNS resolution work on the ProxySG?



  • 3.  RE: DNS Queries along with proxy enabled web browser

    Posted Sep 24, 2017 10:31 AM

    Hi Alagesan,

     

    In an explicit proxy setup, the DNS query is ideally performed by the proxy. There is no need for the client to perform DNS and then pass the domain name to the proxy. Sometimes, client applications or Java applets are seen performing a DNS lookup on the client side as well. Another example of the client performing a DNS query is when a PAC (WPAD) file is implemented that has destination-IP-based conditions.



  • 4.  RE: DNS Queries along with proxy enabled web browser

    Posted Sep 24, 2017 02:32 PM

    Hi Guys,

    Thanks for your responses. So now I believe the webpage request comes to the proxy server and it does the DNS query with the listed DNS servers.

    My challenge here is that I have a DNS threat prevention solution, which tends to block DNS queries to malicious websites. It blocks those malicious queries successfully. But the source IP for the malicious query is seen as the proxy server IP address.

    I am more interested in seeing the client PC IP address in my DNS threat prevention solution rather than the proxy IP address. Is there any way to achieve my requirement?

     



  • 5.  RE: DNS Queries along with proxy enabled web browser

    Posted Sep 25, 2017 10:13 AM

    Hi,

    Since the SG itself is generating the DNS requests (in explicit proxy mode) and is not just forwarding or proxying a DNS request from a client, I think this is technically impossible. There is no DNS request from a client and therefore no originating IP other than the SG's IP address.

    In HTTP you would simply add an X-Forwarded-For header. There is no such function in DNS, even if you would use the SG as your DNS proxy.

    Only in transparent proxy deployments would the clients issue DNS requests to their configured DNS servers. But then requests blocked by your DNS threat prevention would probably never reach the SG.

    Kind Regards,

    Gunnar

     



  • 6.  RE: DNS Queries along with proxy enabled web browser

    Posted Sep 25, 2017 12:36 PM

    The real answer to this question is probably a SIEM, where you correlate your proxy, DNS and other logs.

    As mentioned, the ProxySG is responsible for the name resolution in an explicit deployment. However, what you could do as a workaround is redundant DNS queries, so that the client is also resolving the DNS names of all domains which it tries to access, even if it wouldn't have to.

    If you are using a PAC file you can try and insert a "dnsResolve(host)" function there. Then the client will have to perform a DNS lookup (either from its local cache or from a DNS server) and you get your log entry on the DNS server with the source IP address of the client. Of course you will also get an additional DNS request from the ProxySG.