we have a product which connects to about 91 alternating IP adresses.
The producer of the software published a couple of DNS adresses which belongs to these IPs.
Normally it should connect to these DNS adresses, but unfortunaltely it doesn't.
It's a security software and it should be updated daily.
I want to build a rule for this which queries the IPs to DNS adresses to allow the access.
The software wants to connect to 220.127.116.11, 18.104.22.168, 22.214.171.124 and 126.96.36.199. These IPs belong to www.google.com.
Now I only want to allow the access to google.com and I don't want to maintain a list of allowed IPs which can change ofc.
Is it possible to build a rule in MWG which queries a lookup for google.com and allows the access to the refering IPs?
This is possible in the rules using the "DNS.Lookup" property, and then using the domain you are interested in, however it can cause performance issues if not done right. Does this software run on all devices? Does the software make a request with a special user-agent?
See attached and screenshot below of ruleset that should do the trick (assuming the DNS lookups come back correctly). In your case, add any client IPs or the user-agent into the ruleset criteria, and replace securitysoftware.mwginternal.com within the DNS.Lookup criteria.
Let me know if that helps!
thank you very much for your answer.
The software runs only on one server and we don't want to whitelist its' IP nor the user name.
Unfortunately the requests don't even have a user agent. There is just the connection request to about 90 IPs.
I have one additional criteria:
the dns.lookup attribute should be applied to a list of URLs.
If you have multiple URLs, you'll need to create multiple rules -- one for each domain -- just copy and paste the rule.
If the software only runs on one server, then I think it'd be good to include it in the ruleset criteria, especially if you have multiple domains you want to lookup. We should only do these lookups if the request is based on IP, so I added the criteria "URL.HostIsIP" as a ruleset criteria and AND'd it with the Client.IP criteria.
If we do not have good criteria or limit the scope of these rules it will very likely cause performance issues for other users. At a bare minimum we should use the URL.HostIsIP criteria.
The resulting ruleset would look like this: