cscoup8
Level 9

URL.Destination.IP and DNS traffic

I'm looking at using the "URL.Destination.IP" property in a rule, which has the following in its description:

The IP of the requested resource (does a DNS query).

I'd like to confirm whether or not this property causes an additional DNS query to occur (will I be doubling DNS traffic)?  Or will that lookup populate or leverage the DNS resolver cache in cases where traffic to the site is allowed and therefore not send more DNS traffic on the network?

0 Kudos
10 Replies
andyclements
Level 12

Re: URL.Destination.IP and DNS traffic

I ran a few TCP dumps, and it appears that only one lookup is made.  I tried with example.com, and got the following lookups performed:

02:54:23.051766 IP 192.168.1.201.46076 > 192.168.1.232.domain: 38943+ [1au] A? example.com. (40)

02:54:23.052492 IP 192.168.1.232.domain > 192.168.1.201.46076: 38943 1/13/1 A 192.0.43.10 (267)

02:54:23.236118 IP 192.168.1.201.46076 > 192.168.1.232.domain: 38944+ [1au] A? example.iana.org. (45)

02:54:23.879475 IP 192.168.1.232.domain > 192.168.1.201.46076: 38944 2/6/13 CNAME[|domain]

The second lookup is there because the example.com page redirects to the iana.org page.

0 Kudos
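One way to repeat the check described in the post above, as an added example that is not part of the original thread: it parses tcpdump's text output, counts queries per name, and pairs each query with its response by transaction ID. The sample input is the capture quoted in the post; the regular expressions and function names are this example's own and only cover the line shapes shown there.

```python
import re
from collections import Counter

# Capture lines as quoted in the post above.
CAPTURE = """\
02:54:23.051766 IP 192.168.1.201.46076 > 192.168.1.232.domain: 38943+ [1au] A? example.com. (40)
02:54:23.052492 IP 192.168.1.232.domain > 192.168.1.201.46076: 38943 1/13/1 A 192.0.43.10 (267)
02:54:23.236118 IP 192.168.1.201.46076 > 192.168.1.232.domain: 38944+ [1au] A? example.iana.org. (45)
02:54:23.879475 IP 192.168.1.232.domain > 192.168.1.201.46076: 38944 2/6/13 CNAME[|domain]
"""

# Query: "<client> > <resolver>.domain: <id>[flags] [opts] <TYPE>? <name>. (len)"
QUERY_RE = re.compile(
    r"^\S+ IP (?P<src>\S+) > \S+\.(?:domain|53): (?P<id>\d+)[+%]*\s+"
    r"(?:\[[^\]]*\]\s+)?(?P<qtype>[A-Z0-9]+)\? (?P<name>\S+?)\.? \(\d+\)$"
)
# Response: "<resolver>.domain > <client>: <id>[flags] <an>/<ns>/<ar> ..."
RESPONSE_RE = re.compile(
    r"^\S+ IP \S+\.(?:domain|53) > (?P<dst>\S+): (?P<id>\d+)[*\-|$]*\s+\d+/\d+/\d+"
)

def summarize(capture):
    """Return (query count per (qtype, name), queries that never got a response)."""
    per_name = Counter()
    pending = {}  # (client ip.port, transaction id) -> queried name
    for line in capture.splitlines():
        q = QUERY_RE.match(line)
        if q:
            name = q["name"].lower()
            per_name[(q["qtype"], name)] += 1
            pending[(q["src"], q["id"])] = name
            continue
        r = RESPONSE_RE.match(line)
        if r:
            pending.pop((r["dst"], r["id"]), None)
    return per_name, pending

def duplicated(per_name):
    """Names that were queried more than once in the capture window."""
    return {key: n for key, n in per_name.items() if n > 1}

if __name__ == "__main__":
    counts, unanswered = summarize(CAPTURE)
    for (qtype, name), n in sorted(counts.items()):
        print(f"{qtype:5} {name:25} queries={n}")
    print("duplicated:", duplicated(counts) or "none")
    print("unanswered:", unanswered or "none")
```
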
jont717
Level 12

Re: URL.Destination.IP and DNS traffic

Just one lookup

0 Kudos
darkfell
Level 9

Re: URL.Destination.IP and DNS traffic

How can I add URL.Destination.IP in a template? Thx

0 Kudos
asabban
Level 17

Re: URL.Destination.IP and DNS traffic

You need to convert the type from IP to String:

IP.ToString(URL.Destination.IP)

Best,

Andre

0 Kudos
darkfell
Level 9

Re: URL.Destination.IP and DNS traffic

I tried, it doesn't work: "URL: http://facebook.com/ (0.0.0.0)"

It works in access logs, but not in templates.

Message was edited by: darkfell on 5/22/13 2:13:42 AM CDT
0 Kudos
McAfee Employee

Re: URL.Destination.IP and DNS traffic

Hi darkfell,

Order of operation matters.

If you are blocking the site before you call "URL.Destination.IP", then no lookup will occur, and the property will not be filled. The same concept applies to a lot of things: if you never check the categories, then MWG will not write them.

If you are having problems, please create a rule at the top of your ruleset that simply says:

-Name: Perform Lookup

-Criteria: URL.Destination.IP equals 1.1.1.1

-Action: Continue

This will cause the DNS lookup to occur and be filled for logging or block pages.

Best,

Jon

darkfell
Level 9

Re: URL.Destination.IP and DNS traffic

Jon, thx for help

0 Kudos
darkfell
Level 9

Re: URL.Destination.IP and DNS traffic

When doing so, the "general performance" graph displays incorrect DNS response data.

0 Kudos
McAfee Employee

Re: URL.Destination.IP and DNS traffic

Can you post a screenshot?

I imagine this may occur because the DNS lookup is now done in the rule engine, rather than by the proxy, so the dashboard may be skewed as a result.

Best,

Jon

0 Kudos