5 Replies Latest reply on May 16, 2015 1:22 AM by mike18

    Transparent DNS and Source Endpoints

    mike18

      Hi Everyone,

       

      We are using the Transparent DNS and i need to configure ACL to allow DNS traffic from Source Enpoint to Destination Point.

      Destination end point we are using is our internal DNS server.

       

      Need to know which Source Enpoints i need to use one i know is firewall IP which we access via admin console?

       

      Regards

      Mike

        • 1. Re: Transparent DNS and Source Endpoints
          PhilM

          Assuming the source machines are located in a different burb/zone (because if they are in the same zone you don't need to create a rule), the factor that is going to determine how you create the rule is whether the destination is directly routeable from the source.

           

          e.g. if the source is located on the internet and you internal DNS server is located in a zone with a private address scope (192.168.x.x, 172.16.x.x or 10.x.x.x) then you will need to configure the source machine's DNS settings to use the Firewall's external IP address (or an alias on that interface) and then use the redirect host element in the rule to send the DNS traffic to the internally-hosted DNS server.

           

          Service = DNS

          Source burb/zone = external

          Destination burb/zone = external

          Source = address object(s)/group for the hosts allowed to use this service

          Destination = address object for Firewall external IP (or alias)

          Redirect host = address object for DNS server host

           

          If the source and destination hosts are routeable then it is simply a matter of creating a rule between the applicable source/destination zones for the DNS service with appropriate source/destination address restrictions.

           

          Hope that helps.

          -Phil.

          • 2. Re: Transparent DNS and Source Endpoints
            mike18

            Hi Phil,

             

            Under our current setup the user PC gets DNS from Internal DNS server

            Then if user PC traffic needs to go to Internet here is traffic flow

             

            PC----Switch---Internal DNS Server-------Switch----Mcafee firewall------Firewall ----Internet

             

            I check our existing Firewall and it has Transparent DNS  with Single Name server IP.

            But when i check the Rule on Firewall it has Source as  local host and SSH IP of firewall.

            Does localhost source means all DNS traffic originating from firewall ?

             

            This Rule has no hits.

            So does this mean users who are going to Internet there DNS is not done by the firewall?

             

            Regards

            Mike

            • 3. Re: Transparent DNS and Source Endpoints
              PhilM

              When the Firewall is configured to use transparent DNS, the IP address assigned in the DNS configuration screen is for the Firewall to use itself for resolving things such as hostname-based address objects.

               

              Based on your traffic flow, the client PCs are located on the same zone as the DNS server host, meaning there is no Firewall intervention at that point. The DNS server will resolve (or provide answers from its cache) as and when it can. Any requests requiring an external DNS host will come about either by performing root name lookups (the default mode fo Microsoft DNS servers, I believe) or by way of a specific forwarder address configured on that DNS server.

               

              Unless you have alternative routes to access the internet, the one conclusion we can draw from this is that if you are able to resolve internet hostnames without error and the firewall is running in transparent DNS mode then that request must be passing through the Firewall. If it isn't passing through the rule you think is should be using that would suggest there is another rule higher in the rule list which is allowing UDP port 53 traffic to pass from internal to external.

               

              You can use the Audit Viewer filtering to display DNS traffic passing through the Firewall and by opening one of these entries you should be able to see which rule it is actually using to pass this traffic.

               

              -Phil.

              • 4. Re: Transparent DNS and Source Endpoints
                mike18

                Hi Phil,

                 

                I checked there are few Host based Network Objects but they are not used in Access Control Policy.

                I can perform DNS lookup on the host based network object.

                When i filter by my PC IP i can see the logs traffic is going to Internet.

                 

                Requests for Internet is passing Via Firewall like my traffic goes via Internal to External Zone.

                 

                When i use Audit Viewer to Filter DNS traffic i did this

                 

                Custom

                Expression

                Filter builder

                src_ip 192.168.50.1 and src_zone internal and (application 'DNS'  )

                 

                I see no traffic at all even though i am browsing the internet.

                 

                When when i choose source and destination as any any zone

                 

                Then i see DNS traffic going from Source Zone DMZ   to Destination Zone   Internal.

                This traffic is from some source windows server to destination DNS  server.

                 

                Regards

                Mike

                • 5. Re: Transparent DNS and Source Endpoints
                  mike18

                  Many thanks Phil

                   

                  Regards

                   

                  Mike