mike18
Level 7
Message 1 of 6

Transparent DNS and Source Endpoints


Hi Everyone,

We are using Transparent DNS and I need to configure an ACL to allow DNS traffic from a source endpoint to a destination endpoint.

The destination endpoint we are using is our internal DNS server.

I need to know which source endpoints I need to use; the one I know of is the firewall IP, which we access via the admin console.

Regards

Mike

1 Solution

Accepted Solutions
PhilM
Level 14
Message 4 of 6

Re: Transparent DNS and Source Endpoints


When the Firewall is configured to use transparent DNS, the IP address assigned in the DNS configuration screen is for the Firewall to use itself for resolving things such as hostname-based address objects.

Based on your traffic flow, the client PCs are located in the same zone as the DNS server host, meaning there is no Firewall intervention at that point. The DNS server will resolve (or provide answers from its cache) as and when it can. Any requests requiring an external DNS host will come about either by performing root name lookups (the default mode of Microsoft DNS servers, I believe) or by way of a specific forwarder address configured on that DNS server.

Unless you have alternative routes to access the internet, the one conclusion we can draw from this is that if you are able to resolve internet hostnames without error and the firewall is running in transparent DNS mode then that request must be passing through the Firewall. If it isn't passing through the rule you think it should be using, that would suggest there is another rule higher in the rule list which is allowing UDP port 53 traffic to pass from internal to external.

You can use the Audit Viewer filtering to display DNS traffic passing through the Firewall and by opening one of these entries you should be able to see which rule it is actually using to pass this traffic.

-Phil.


5 Replies
PhilM
Level 14
Message 2 of 6

Re: Transparent DNS and Source Endpoints


Assuming the source machines are located in a different burb/zone (because if they are in the same zone you don't need to create a rule), the factor that is going to determine how you create the rule is whether the destination is directly routable from the source.

e.g. if the source is located on the internet and your internal DNS server is located in a zone with a private address scope (192.168.x.x, 172.16.x.x or 10.x.x.x) then you will need to configure the source machine's DNS settings to use the Firewall's external IP address (or an alias on that interface) and then use the redirect host element in the rule to send the DNS traffic to the internally-hosted DNS server.

Service = DNS

Source burb/zone = external

Destination burb/zone = external

Source = address object(s)/group for the hosts allowed to use this service

Destination = address object for Firewall external IP (or alias)

Redirect host = address object for DNS server host

If the source and destination hosts are routable then it is simply a matter of creating a rule between the applicable source/destination zones for the DNS service with appropriate source/destination address restrictions.

Hope that helps.

-Phil.
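To make the two points in Phil's replies concrete (the redirect-host rule layout above, and the accepted answer's point that a DNS rule with no hits usually means a rule higher in the list is already passing UDP/53), here is an added example that is not part of the thread and not McAfee Firewall Enterprise code. It models an ordered, first-match rule list with the same fields Phil lists (service, source/destination zone, source/destination address, redirect host). The zone names, the policy, and all addresses (RFC 5737 and RFC 1918 ranges) are constructed for illustration; the internal DNS server address in particular is an assumption, since the thread never states it.

```python
"""Ordered (first-match) policy evaluation for the DNS rules in this thread.

Added example, not McAfee Firewall Enterprise code: the rule fields mirror the
ones in Phil's reply, but the matching logic, zone names, policy and addresses
below are constructed for illustration.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src_zone: str
    dst_zone: str
    src_ip: str
    dst_ip: str
    proto: str      # "udp" or "tcp"
    dport: int


@dataclass
class Rule:
    name: str
    service: str                      # "DNS" or "any"
    src_zone: str                     # zone (burb) name or "any"
    dst_zone: str
    src: list = field(default_factory=lambda: ["0.0.0.0/0"])   # address objects
    dst: list = field(default_factory=lambda: ["0.0.0.0/0"])
    redirect_host: Optional[str] = None   # where the firewall sends matched traffic


# Service definition: DNS is port 53 over UDP and TCP.
SERVICES = {"DNS": {("udp", 53), ("tcp", 53)}}


def _in_any(ip: str, networks: list) -> bool:
    addr = ip_address(ip)
    return any(addr in ip_network(n, strict=False) for n in networks)


def matches(rule: Rule, pkt: Packet) -> bool:
    """True if every field of the rule accepts the packet."""
    if rule.src_zone not in ("any", pkt.src_zone):
        return False
    if rule.dst_zone not in ("any", pkt.dst_zone):
        return False
    if rule.service != "any" and (pkt.proto, pkt.dport) not in SERVICES[rule.service]:
        return False
    return _in_any(pkt.src_ip, rule.src) and _in_any(pkt.dst_ip, rule.dst)


def first_match(rules: list, pkt: Packet):
    """Walk the list top-down; return (rule_name, effective_destination).

    The effective destination is the redirect host when the matching rule has
    one, otherwise the packet's original destination. (None, dst_ip) means no
    rule matched.
    """
    for rule in rules:
        if matches(rule, pkt):
            return rule.name, rule.redirect_host or pkt.dst_ip
    return None, pkt.dst_ip


def shadowing_rules(rules: list, pkt: Packet) -> list:
    """Names of every rule that would match pkt, in list order.

    If the rule you expect to see hits on is not first here, a rule higher in
    the policy is taking the traffic, which is why yours shows no hits.
    """
    return [r.name for r in rules if matches(r, pkt)]


# Constructed addresses (assumptions, not from the thread).
FW_EXTERNAL_IP = "198.51.100.1"     # firewall external interface
INTERNAL_DNS = "192.168.50.53"      # internal DNS server (assumed)
PARTNER_HOST = "203.0.113.10"       # internet host allowed to query the DNS server

# Constructed policy. The broad rule at the top is the kind of rule the
# accepted answer suggests looking for when the narrower DNS rule has no hits.
POLICY = [
    Rule("admin-outbound", "any", "internal", "external", src=["192.168.50.0/24"]),
    Rule("dns-redirect-inbound", "DNS", "external", "external",
         src=[PARTNER_HOST], dst=[FW_EXTERNAL_IP], redirect_host=INTERNAL_DNS),
    Rule("dns-internal-to-external", "DNS", "internal", "external", src=[INTERNAL_DNS]),
]

# Internet host querying the firewall's external address: redirected inward.
INBOUND_QUERY = Packet("external", "external", PARTNER_HOST, FW_EXTERNAL_IP, "udp", 53)
# Internal DNS server forwarding a query to an external resolver.
OUTBOUND_QUERY = Packet("internal", "external", INTERNAL_DNS, "203.0.113.53", "udp", 53)


if __name__ == "__main__":
    print(first_match(POLICY, INBOUND_QUERY))       # ('dns-redirect-inbound', '192.168.50.53')
    print(first_match(POLICY, OUTBOUND_QUERY))      # ('admin-outbound', '203.0.113.53')
    print(shadowing_rules(POLICY, OUTBOUND_QUERY))  # ['admin-outbound', 'dns-internal-to-external']
```

The outbound case shows the failure mode in the accepted answer: the DNS-specific rule is correct but never hit because the broad rule above it matches first. Moving the narrow rule above the broad one (or restricting the broad rule's service) is what changes which rule the Audit Viewer reports for that traffic.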

mike18
Level 7
Message 3 of 6

Re: Transparent DNS and Source Endpoints


Hi Phil,

Under our current setup the user PC gets DNS from the internal DNS server.

Then, if the user PC's traffic needs to go to the Internet, here is the traffic flow:

PC----Switch---Internal DNS Server-------Switch----Mcafee firewall------Firewall ----Internet

I checked our existing Firewall and it has Transparent DNS with a single name server IP.

But when I check the rule on the Firewall it has Source as localhost and the SSH IP of the firewall.

Does the localhost source mean all DNS traffic originating from the firewall?

This rule has no hits.

So does this mean that for users who are going to the Internet, their DNS is not done by the firewall?

Regards

Mike


mike18
Level 7
Message 5 of 6

Re: Transparent DNS and Source Endpoints


Hi Phil,

I checked; there are a few host-based network objects but they are not used in the Access Control Policy.

I can perform a DNS lookup on the host-based network object.

When I filter by my PC IP I can see in the logs that traffic is going to the Internet.

Requests for the Internet are passing via the Firewall, i.e. my traffic goes from the Internal to the External zone.

When I use the Audit Viewer to filter DNS traffic, I did this:

Custom

Expression

Filter builder

src_ip 192.168.50.1 and src_zone internal and (application 'DNS')

I see no traffic at all, even though I am browsing the Internet.

When I choose source and destination zone as any/any,

then I see DNS traffic going from source zone DMZ to destination zone Internal.

This traffic is from some source Windows server to the destination DNS server.

Regards

Mike

mike18
Level 7
Message 6 of 6

Re: Transparent DNS and Source Endpoints


Many thanks Phil

Regards

Mike
