How do you block/allow domains with revolving/rotating or distributed/geo-dependent DNS?

Our system needs to allow outgoing HTTP/S connections to our Amazon S3 services. In the past, I was able to create a "DNS Group" object that kept track of the 700+ IP addresses associated with "s3.amazonaws.com", but now, after recent firmware updates, the DNS Group object is reduced to just one.

I asked Sophos Support about this behavior, and they responded that the DNS Group object was never designed to track all IPs for a domain name with revolving/rotating or distributed/geo-dependent DNS.

Besides entering all of S3's 300 IP blocks manually as network objects (and updating them as they change), I was wondering if anyone uses a solution to remedy this behavior?

How do you block/allow a domain name that has revolving or distributed DNS?

Cheers!
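One way to avoid entering and re-entering those address blocks by hand is to build the network objects from the provider's published prefix list and diff successive pulls. The script below is an added example, not code from this thread or from Sophos. It assumes the AWS address list published at https://ip-ranges.amazonaws.com/ip-ranges.json, whose records carry "ip_prefix", "region" and "service" fields; SAMPLE_IP_RANGES and UPDATED_IP_RANGES are constructed, truncated stand-ins using RFC 5737 documentation prefixes so the script runs offline, and the "S3_" object-naming scheme is an assumption.

```python
"""Allow-list for a service behind rotating DNS, built from a published prefix list.

Added example; not code from the thread or from Sophos. AWS publishes its address
ranges at https://ip-ranges.amazonaws.com/ip-ranges.json as records with
"ip_prefix", "region" and "service". The two documents below are constructed
stand-ins with RFC 5737 documentation prefixes so everything runs offline.
"""
import ipaddress
import json

SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "0",
    "prefixes": [
        {"ip_prefix": "192.0.2.0/24", "region": "us-east-1", "service": "S3"},
        {"ip_prefix": "198.51.100.0/25", "region": "us-east-1", "service": "AMAZON"},
        {"ip_prefix": "203.0.113.0/24", "region": "eu-west-1", "service": "S3"},
        {"ip_prefix": "198.51.100.128/25", "region": "us-east-1", "service": "EC2"},
    ],
})

# A later pull of the same list (constructed): the eu-west-1 block was replaced.
UPDATED_IP_RANGES = json.dumps({
    "syncToken": "1",
    "prefixes": [
        {"ip_prefix": "192.0.2.0/24", "region": "us-east-1", "service": "S3"},
        {"ip_prefix": "203.0.113.0/25", "region": "eu-west-1", "service": "S3"},
    ],
})


def _family_then_address(net):
    # IPv4 and IPv6 networks are not mutually comparable, so sort by family first.
    return (net.version, net)


def service_prefixes(doc, service="S3", regions=None):
    """Sorted, de-duplicated networks tagged with `service`, optionally limited to `regions`."""
    nets = set()
    for rec in json.loads(doc)["prefixes"]:
        if rec["service"] != service:
            continue
        if regions and rec["region"] not in regions:
            continue
        nets.add(ipaddress.ip_network(rec["ip_prefix"], strict=True))
    return sorted(nets, key=_family_then_address)


def is_allowed(ip, nets):
    """Containment test: is `ip` inside any of the allowed networks?"""
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets if n.version == addr.version)


def diff_prefixes(old_doc, new_doc, service="S3", regions=None):
    """(networks to add, networks to retire) between two pulls of the list,
    so existing firewall objects are updated instead of re-entered by hand."""
    old = set(service_prefixes(old_doc, service, regions))
    new = set(service_prefixes(new_doc, service, regions))
    return (sorted(new - old, key=_family_then_address),
            sorted(old - new, key=_family_then_address))


def network_object_lines(nets, name_prefix="S3_"):
    """One 'name cidr' line per network, ready to script into network definitions
    (the naming scheme is an assumption, not a Sophos convention)."""
    table = str.maketrans("./:", "___")
    return [f"{name_prefix}{str(n).translate(table)} {n}" for n in nets]


if __name__ == "__main__":
    nets = service_prefixes(SAMPLE_IP_RANGES)
    print("\n".join(network_object_lines(nets)))
    added, removed = diff_prefixes(SAMPLE_IP_RANGES, UPDATED_IP_RANGES)
    print("add:", [str(n) for n in added], "retire:", [str(n) for n in removed])
```

Run it on a schedule against the real document, feed the add/retire lists to whatever provisioning interface the firewall offers, and the allow-list follows the provider's changes instead of a single DNS answer.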



  • I don't understand how geographic DNS works. Guess I need to do some reading. If someone has a pointer, add it to this post or send me a private message.

    You are certainly right that there can be skew between client IP and UTM IP for the situation. Here are my thoughts on that:

    The recommended DNS configuration (see "Rulz" in the Wiki section, courtesy of BAlfson) is to have your internal DNS servers forward to UTM, then have UTM forward to the Internet. There are three advantages: (1) it ensures that UTM Web Filtering Transparent Proxy block messages can be resolved to UTM, (2) it allows UTM Web Filtering Transparent Proxy to perform "Pharming" protection, where UTM re-resolves the DNS-to-IP address and corrects any apparent errors before releasing the packet (HTTPS scanning should be enabled), (3) for your situation, it will ensure that UTM sees everything that the client sees. Only the last one applies to you.

    To comment on how web filtering works:

    If you use Standard Mode, the browser forwards everything to UTM and says "Please fetch this for me". As a result, the DNS resolution occurs on UTM only. I am sure that this works for HTTPS if HTTPS inspection is enabled, and I think (but am not certain) that it works with HTTPS inspection off.

    In any mode, the UTM Web Proxy examines the request URL, IP address, and port to decide whether to release the HTTP(S) request. This includes scoring the URL for category and reputation, scoring the IP address for bots, and checking static rules, which can be FQDN patterns or regex patterns. Then it also checks the reply for malicious content. (Content checking of HTTPS traffic requires HTTPS Inspection to be enabled, which requires a little setup.) All of this is configurable based on source IP, User ID, and time of day.

     
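The re-resolution step described in the post above, and the reason a single DNS lookup captures only part of a rotating pool, can be modelled offline. This is an added example, not Sophos code and not the poster's: RotatingResolver is a constructed stand-in for an authoritative server that answers each query with the next slice of a larger pool, ZONE uses RFC 5737 documentation addresses, and check_destination is a simplified model of a proxy comparing the client's chosen destination with its own trusted resolution. It also shows the skew case: a client that resolved the name separately (round-robin or a different geographic view) lands on a valid address the proxy's one-shot lookup did not return.

```python
"""Why one lookup sees one address, and what a re-resolution check does with it.

Added example, not Sophos code. RotatingResolver stands in for a DNS server
handing out a rotating subset of a pool (round-robin DNS); ZONE holds RFC 5737
documentation addresses. Shown: (1) a single resolution, like the lone-IP DNS
Group in the question, captures only part of the pool; (2) accumulating
repeated answers recovers it; (3) a proxy-side re-resolution check behaves
differently depending on which of the two views it trusts.
"""
import itertools


class RotatingResolver:
    """Answers each query with the next `answers_per_query` addresses of the pool."""

    def __init__(self, zone, answers_per_query=1):
        self._cycles = {host: itertools.cycle(ips) for host, ips in zone.items()}
        self._k = answers_per_query

    def resolve(self, host):
        cycle = self._cycles.get(host.lower().rstrip("."))
        if cycle is None:
            return set()  # models NXDOMAIN
        return {next(cycle) for _ in range(self._k)}


ZONE = {  # constructed zone data
    "s3.example.test": ["192.0.2.10", "192.0.2.11", "192.0.2.12", "192.0.2.13"],
    "www.example.test": ["203.0.113.5"],
}


def learn_addresses(resolver, host, queries):
    """Union of the answers from `queries` successive lookups of `host`."""
    seen = set()
    for _ in range(queries):
        seen |= resolver.resolve(host)
    return seen


def check_destination(host, client_dst, trusted_addresses):
    """Simplified model of the re-resolution step: compare the destination the
    client chose with the addresses the firewall trusts for the Host header.

    Returns (verdict, destination): 'allow' keeps the client's address,
    'rewrite' substitutes a trusted one, 'block' drops a name with no answer.
    """
    if not trusted_addresses:
        return ("block", None)
    if client_dst in trusted_addresses:
        return ("allow", client_dst)
    return ("rewrite", min(trusted_addresses))


if __name__ == "__main__":
    one_shot = RotatingResolver(ZONE).resolve("s3.example.test")
    print("single lookup:", one_shot)
    full = learn_addresses(RotatingResolver(ZONE), "s3.example.test", queries=4)
    print("after 4 lookups:", sorted(full))
    # The client resolved the name itself and picked 192.0.2.12. Against the
    # one-shot view the check "corrects" a valid address; against the
    # accumulated view it lets the connection through unchanged.
    print(check_destination("s3.example.test", "192.0.2.12", one_shot))
    print(check_destination("s3.example.test", "192.0.2.12", full))
```

The practical point for the thread's question is the second function: an object that only ever stores the last answer will keep shrinking to one address, whereas one that accumulates answers over time (or is fed from a published prefix list) approaches the full set, and the re-resolution check stops rewriting legitimate destinations.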

  • Doug,

    That's all great, if you are paying for the Web Filtering proxy features on the UTMs. We are a small web hosting company, with major WAF/reverse proxy needs and almost no standard web proxy needs.

    As for geo-dependent DNS and CDNs, this should clear some of it up:

    https://www.nczonline.net/blog/2011/11/29/how-content-delivery-networks-cdns-work/

    Cheers!

  • Arno, that answer was for busthead's question, not for Sam Malone's original post here.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Sam, depending on what your needs are, you might be able to get by with a 10-IP Web Protection subscription in a dedicated VM instance or an SG 115 with a Web Protection subscription. Have you discussed these possibilities with your Sophos partner? Although the Web Protection solution is limited to HTTP/S "conversations," these can occur on any port.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA