I'm looking at using the "URL.Destination.IP" property in a rule, which has the following in its description:
The IP of the requested resource (does a DNS query).
I'd like to confirm whether or not this property causes an additional DNS query to occur (will I be doubling DNS traffic)? Or will that lookup populate or leverage the DNS resolver cache in cases where traffic to the site is allowed and therefore not send more DNS traffic on the network?
I ran a few TCP dumps, and it appears that only one lookup is made. I tried with example.com, and got the following lookups performed:
02:54:23.051766 IP 192.168.1.201.46076 > 192.168.1.232.domain: 38943+ [1au] A? example.com. (40)
02:54:23.052492 IP 192.168.1.232.domain > 192.168.1.201.46076: 38943 1/13/1 A 126.96.36.199 (267)
02:54:23.236118 IP 192.168.1.201.46076 > 192.168.1.232.domain: 38944+ [1au] A? example.iana.org. (45)
02:54:23.879475 IP 192.168.1.232.domain > 192.168.1.201.46076: 38944 2/6/13 CNAME[|domain]
The second lookup is there because the example.com page redirects to the iana.org page.
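An added example, not posted by anyone in this thread, of how to check a capture like the one above for doubled lookups instead of reading it by eye. It parses tcpdump's DNS query and response lines (the regexes are written against the format shown in the capture above, not against any MWG output), counts queries per name and record type, and flags any name queried more than once inside a short window, which is the signature you would see if the property lookup re-sent a query the proxy had already made. The sample input reuses the four captured lines and adds a constructed fifth and sixth line with a repeated example.com query so the detection has something to find.

```python
import re
from collections import defaultdict

# Query line, e.g. "... 38943+ [1au] A? example.com. (40)": transaction id,
# optional "+" (recursion desired), optional EDNS marker, qtype, name.
QUERY_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>\S+) > (?P<dst>\S+): "
    r"(?P<id>\d+)\+? (?:\[[^\]]+\] )?(?P<qtype>[A-Z]+)\? (?P<name>\S+?)\.?\s"
)
# Response line, e.g. "... 38943 1/13/1 A 126.96.36.199 (267)": transaction id,
# optional flag characters, then answer/authority/additional counts.
RESPONSE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>\S+) > (?P<dst>\S+): "
    r"(?P<id>\d+)[*$-]* (?P<an>\d+)/(?P<ns>\d+)/(?P<ar>\d+) "
)


def _seconds(ts):
    """Convert a tcpdump HH:MM:SS.ffffff timestamp to seconds since midnight."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse_dns(lines):
    """Split tcpdump lines into a list of queries and a dict of response times by id."""
    queries, responses = [], {}
    for line in lines:
        q = QUERY_RE.match(line)
        if q:
            queries.append({
                "t": _seconds(q["ts"]),
                "id": q["id"],
                "qtype": q["qtype"],
                "name": q["name"].lower(),
                "client": q["src"],
            })
            continue
        r = RESPONSE_RE.match(line)
        if r:
            responses[r["id"]] = _seconds(r["ts"])
    return queries, responses


def lookups_per_name(lines):
    """How many query packets were sent for each (name, qtype)."""
    counts = defaultdict(int)
    for q in parse_dns(lines)[0]:
        counts[(q["name"], q["qtype"])] += 1
    return dict(counts)


def repeated_lookups(lines, window_s=2.0):
    """(name, qtype) pairs queried more than once within window_s seconds."""
    by_key = defaultdict(list)
    for q in parse_dns(lines)[0]:
        by_key[(q["name"], q["qtype"])].append(q["t"])
    repeated = []
    for key, times in by_key.items():
        times.sort()
        if any(b - a <= window_s for a, b in zip(times, times[1:])):
            repeated.append(key)
    return sorted(repeated)


def unanswered(lines):
    """Transaction ids of queries that never got a response in the capture."""
    queries, responses = parse_dns(lines)
    return [q["id"] for q in queries if q["id"] not in responses]


# Sample input: the four lines from the capture above, unchanged.
SINGLE = """\
02:54:23.051766 IP 192.168.1.201.46076 > 192.168.1.232.domain: 38943+ [1au] A? example.com. (40)
02:54:23.052492 IP 192.168.1.232.domain > 192.168.1.201.46076: 38943 1/13/1 A 126.96.36.199 (267)
02:54:23.236118 IP 192.168.1.201.46076 > 192.168.1.232.domain: 38944+ [1au] A? example.iana.org. (45)
02:54:23.879475 IP 192.168.1.232.domain > 192.168.1.201.46076: 38944 2/6/13 CNAME[|domain]
""".splitlines()

# Constructed variant: the same capture plus a made-up second query for
# example.com 0.19 s later (id 38945), i.e. what a doubled lookup would look like.
DOUBLED = SINGLE + """\
02:54:23.240001 IP 192.168.1.201.46077 > 192.168.1.232.domain: 38945+ [1au] A? example.com. (40)
02:54:23.240700 IP 192.168.1.232.domain > 192.168.1.201.46077: 38945 1/13/1 A 126.96.36.199 (267)
""".splitlines()

if __name__ == "__main__":
    for label, lines in (("as captured", SINGLE), ("constructed doubled", DOUBLED)):
        print(label, lookups_per_name(lines), "repeated:", repeated_lookups(lines))
```

Run it against `tcpdump -n -i <iface> port 53` output saved while a client fetches the site; an empty `repeated_lookups` result over a run of requests means the property is not adding a second query on the wire for that name.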
Order of operation matters.
If you are blocking the site before you call "URL.Destination.IP", then no lookup will occur and the property will not be filled. The same concept applies to a lot of things: if you never check the categories, then MWG will not write them.
If you are having problems, please create a rule at the top of your ruleset that simply says:
- Name: Perform Lookup
- Criteria: URL.Destination.IP equals 188.8.131.52
This will cause the DNS lookup to occur and be filled for logging or block pages.
Can you post a screenshot?
I imagine this may occur because the DNS lookup is now done in the rule engine, rather than by the proxy, so the dashboard may be skewed as a result.