jebeling (McAfee Employee)
Message 1 of 2

MCP Domain Based Redirection and Alternate Proxy - Working with DNS Based Filters like Umbrella

Several customers have asked this question so I thought I would post the question and the answer for all.

Was my reply helpful?

If this information was helpful in any way or answered your question, will you please select Accept as a Solution and/or Kudo my reply so we can help other community participants?
Accepted Solutions
jebeling (McAfee Employee)
Message 2 of 2

Re: MCP Domain Based Redirection and Alternate Proxy - Working with DNS Based Filters like Umbrella

Updated 5/28/21 for clarity.

Updated diagrams 6/2/2021.

Updated 6/14/2021 with additional feedback from the field on disabling Cisco Umbrella DNS over UDP 443 with a simple MCP policy change.

Enhanced text and added a link about the value of even using non-standard DNS, 6/4/2021.

MCP operates at the network layer and must make its bypass and redirect decisions on the initial TCP SYN when only the destination IP and port are known. So how could it possibly do a domain based decision with just an IP address to work with?

The answer is that MCP uses VSCore (also known as firecore) which snoops standard DNS and observes the hosts file. (This is the same technology used by the host firewall component in ENS and VSE.) VSCore maintains a cache of IP to hostname mappings that MCP can query with IP and check the result against its domain bypass and domain alternate proxy lists.

Results are cached observing the TTL of the DNS response. Flushing the client DNS cache will not flush the VSCore DNS cache, but it will cause clients to do another lookup, and if that lookup is done with the standard DNS protocol on UDP/TCP port 53 the VSCore DNS cache will be updated as well.

If the client gets the result from its own DNS cache, and the local DNS cache was filled by a method other than hosts or standard DNS, then there will not be a mapping, and redirection or bypass based on domain will not work. IP based bypass will still work, as will process name and port based bypass.

Two alternative formalized methods of DNS lookup are available to clients and many browsers. These methods are DoT (DNS over TLS) and DoH (DNS over HTTPS). Of these, DoH is the most widely used and standardized. Chrome and Firefox will now use it by default if available. If domain based bypass or redirect are needed, these features must be disabled on the client or blocked by network devices or filters. While McAfee Web Gateway or McAfee Web Gateway Cloud Service (managed with Cloud ePO, MWG or UCE) can be enabled to block DoH (block upload if media type cannot be determined and if media type equals application/dns-message), they cannot be configured to block DoT generically.

Cisco Umbrella is typically implemented with a client that intercepts DNS requests or is configured as a local DNS server, such that by default VSCore would not see a standard DNS lookup (Umbrella would use DoH or could use encryption over UDP port 443). Although MCP default redirection to the primary proxy will work, and process name, IP and port based bypass and alternate proxy will also work, domain based bypass and domain based alternate proxy will not work if the Umbrella agent is on the client and is enabled with the default configuration. There is a way to configure the Umbrella agent to turn off encrypted DNS queries and enable MCP domain based bypass and redirection to work with Umbrella. Check with Cisco support for disabling encrypted DNS to force the agent to use standard unencrypted DNS on port 53. Turning off encrypted DNS is only required if domain based bypass or domain based alternate proxy redirection is generically required. You can also whitelist Umbrella for specific domains if only certain domains are needed. However, there have been reports of poor performance when Umbrella is using UDP 443 for DNS requests.

There is significant debate as to whether using DoH or any form of encrypted DNS actually improves or diminishes security. See here: https://www.zdnet.com/article/dns-over-https-causes-more-problems-than-it-solves-experts-say/

One customer reported issues with performance when using Umbrella with UDP 443 for encrypted DNS. When we configured the MCP policy to block UDP port 80/443, this effectively turned off Cisco Umbrella DNS over HTTP and forced all the DNS requests back to the standard 53/UDP, and Internet performance improved tremendously both on the VPN and off the VPN. Also, when the optional 443/UDP port option is not enabled in the Cisco VPN client, VPN client reconnect issues on Windows 10 laptops were also eliminated. Note that when blocking UDP 443 with Umbrella, clients would need to be able to resolve external addresses using standard DNS.

If you are using a cloud proxy in addition to DNS based filtering, you can still go to the third party proxy direct by bypassing the cloud proxy addresses in your MCP policy, or going to the third party cloud proxy through WGCS (provided MCP is not configured to bypass the third party cloud proxy addresses or ports). If this is the case it is recommended for performance reasons that at a minimum webwasher.com and wgcs.mcafee-cloud.com and saasprotection.com domains are bypassed in the DNS agent.

All that being said, it really doesn't make much sense to even enable a third party DNS solution for any HTTP/S filtering if you have McAfee SaaS Web Protection or UCE, because the McAfee solution provides far superior visibility and granular control, and a much deeper level of inspection (DLP, anti-malware (with real-time, emulation sandboxing and behavioral code analysis), tenant restrictions, Activity Control, remote browser isolation, media type filtering, and path based filtering, with comprehensive logging, to name just a few) than can possibly be provided by a primarily DNS based approach.

The diagrams below show possible DNS and HTTPS traffic flows. Note that MCP uses forward standard DNS resolution only for resolving configured proxy addresses. All mapping of IPs to domains for domain based bypass or alternate proxy is done through the VSCore cache as described above.

With a third party DNS agent, traffic flows could look like this:

[Diagram: MCPUmb.PNG]

Without a third party DNS agent, traffic flows could look like this:

[Diagram: MCP3.PNG]

And without any third party agent or proxy, the flows look like this:

[Diagram: MCPA.PNG]

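As an added illustration (not McAfee's code; the real VSCore internals are not shown on this page), this Python model captures why the DoH case in the accepted answer breaks domain based bypass: a cache that learns IP-to-hostname mappings only from DNS answers visible on port 53 or the hosts file, honours the answer TTL, and is queried at SYN time with nothing but destination IP and port. Class, function and policy key names, and the order in which bypass rules are evaluated, are assumptions for the example.

```python
import time
from ipaddress import ip_address, ip_network

class SnoopedDnsCache:
    """Constructed model of the VSCore-style IP -> hostname cache: it learns only
    from answers seen on port 53 (or the hosts file) and honours the answer TTL."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock           # injectable so TTL expiry can be simulated
        self._by_ip = {}              # ip -> (hostname, expiry time)

    def observe_answer(self, hostname, ip, ttl, transport="udp/53"):
        # Answers carried over DoH, DoT or UDP/443 are opaque to the snooper,
        # so they never populate the cache; that is the failure mode above.
        if transport not in ("udp/53", "tcp/53", "hosts"):
            return False
        self._by_ip[ip] = (hostname.lower().rstrip("."), self._clock() + ttl)
        return True

    def lookup(self, ip):
        entry = self._by_ip.get(ip)
        if entry is None:
            return None
        hostname, expiry = entry
        if self._clock() >= expiry:   # TTL expired: drop the stale mapping
            del self._by_ip[ip]
            return None
        return hostname

def domain_matches(hostname, pattern):
    """Exact or subdomain match: 'a.example.test' matches 'example.test'."""
    pattern = pattern.lower().lstrip(".")
    return hostname == pattern or hostname.endswith("." + pattern)

def syn_decision(cache, dst_ip, dst_port, policy):
    """Classify a new TCP SYN knowing only destination IP and port. Hypothetical
    policy keys: ip_bypass, port_bypass, domain_bypass, domain_alt_proxy."""
    if dst_port in policy.get("port_bypass", ()):
        return "bypass:port"
    if any(ip_address(dst_ip) in ip_network(n) for n in policy.get("ip_bypass", ())):
        return "bypass:ip"
    host = cache.lookup(dst_ip)       # None when the DNS answer was not snoopable
    if host is not None:
        if any(domain_matches(host, d) for d in policy.get("domain_bypass", ())):
            return "bypass:domain"
        for suffix, proxy in policy.get("domain_alt_proxy", {}).items():
            if domain_matches(host, suffix):
                return "redirect:" + proxy
    return "redirect:primary-proxy"
```

A host whose answer arrived over DoH falls through to the primary proxy even though it is on the domain bypass list, while IP and port based bypass still apply to it.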

