Domain Name resolution
Domain Name Resolution from Gateway
The HySecure Client module already redirects TCP and UDP traffic over the secure channel, which covers most client use cases, but HySecure did not offer filtered DNS resolution. To provide it, the client has to intercept DNS queries, apply the configured filters, and forward the matching queries to the gateway for resolution.
DNS Packet Filtering
The driver redirects DNS packets from the PC by registering a callout at the IPv4 OUTBOUND_TRANSPORT layer, which receives the outbound transport-layer traffic carrying DNS resolution, and by rewriting the remote and local addresses of those IP packets.
When the driver receives a TCP or UDP packet, it checks its DNS cache to decide whether the connection has to be proxied. If the destination matches a cached entry, the connection is redirected to the gateway, which relays it into the internal network.
Configurations:
For this mode to work, the following configurations are required at the gateway level:
1. Disable the force LSP mode (by default it is not enabled).
2. Enforce domain name resolution using the driver, or let the user select the mode.
3. Provide the DNS filter list.
4. At least one DNS server with UDP port 53 must be published as an application for the users.
Preference | Verinfo Tag | Details |
---|---|---|
1 | DNS_BYPASS_LIST | Matching queries are bypassed from any policy matching |
2 | DNS_REDIRECT_LIST | Matching domain name queries are redirected to the published application gateway |
3 | DNS_BLOCKED_LIST | Matching queries are blocked and not allowed any resolution |
4 | DNS_ALLOWED_LIST | Matching domain queries are allowed to follow the normal path of execution |
DNS Query Flow:
- Once HySecure starts, it shares the list of DNS filters with the driver.
- The driver starts filtering DNS queries.
- The driver reads the question from each DNS query and matches it against the received filter list.
- If the REDIRECT filter list is matched:
  - The DNS query is redirected to the local port 53 on which HySecure is listening.
  - The HySecure Client obtains the resolution from the HySecure Gateway through the secure channel.
  - Once the resolution has happened, the HySecure Client sends the response.
  - The driver reads the received response, caches it and updates the connection filter list.
  - The driver sends the response to the intended application.
- If the BLOCKED filter list is matched:
  - The driver drops the DNS query packet.
- If the ALLOWED filter list is matched:
  - The DNS query is neither blocked nor redirected; the packet follows the normal path to resolve the query.
DNS Query Filters
HySecure provides a way to filter DNS queries and apply an action to the packet. The supported filter forms are described below. Only a leading “*” is supported as a wildcard character.
If a filter string contains only “*”, the filter action is applied to every query received. The filters are defined in the VERINFO.JS file of the gateway using the following tags:
DNS_ALLOWED_LIST=*
DNS_REDIRECT_LIST=*facebook.com,*accops.com
DNS_BLOCKED_LIST=*ptplqa.local,*ptplqa
DNS_BYPASS_LIST=nomail.com
Bypass filter for DNS Query
When the driver receives a DNS query matching this list, the query is bypassed, i.e. allowed to take the normal flow path.
Property | Value | Remarks |
---|---|---|
Character limit per record | 255 characters | |
Number of records | No limit | Recommended: 5 records |
TAG NAME in VERINFO | DNS_BYPASS_LIST | |
Separator | Comma, i.e. “,” | No other separator will work |
Redirect filter for DNS query
The driver reads the DNS question and matches it against the filters; if a redirect filter matches, the query is redirected to the HySecure Client, which in turn sends it to the gateway for resolution.
Please note: if the DNS question matches any published application name, the DNS response is sent immediately by the client.
Property | Value | Remarks |
---|---|---|
Character limit per record | 255 characters | |
Number of records | No limit | Recommended: 5 records |
TAG NAME in VERINFO | DNS_REDIRECT_LIST | Example: DNS_REDIRECT_LIST=*ptplqa.local,accops.com |
Separator | Comma, i.e. “,” | No other separator will work |
Block non-Filtered DNS traffic
If the DNS question matches a blocked domain name filter, the DNS query is dropped and is not resolved.
Property | Value | Remarks |
---|---|---|
Character limit per record | 255 characters | |
Number of records | No limit | Recommended: 5 records |
TAG NAME in VERINFO | DNS_BLOCK_LIST | Example: DNS_BLOCK_LIST=*facebook.com,welcome.accops.com |
Separator | Comma, i.e. “,” | No other separator will work |
Allow DNS Query to take the normal route
If the DNS question matches the allowed list and neither the redirect nor the blocked list, the query is not touched and follows the normal resolution path.
If the DNS question matches none of the filter lists, the query is blocked from further processing.
Property | Value | Remarks |
---|---|---|
Character limit per record | 255 characters | |
Number of records | No limit | Recommended: 5 records |
TAG NAME in VERINFO | DNS_ALLOWED_LIST | Example: DNS_ALLOWED_LIST=*google.com,live.accops.com |
Separator | Comma, i.e. “,” | No other separator will work |
HySecure Driver DNS Resolution Cases
No. | Redirect | Blocked | Allowed | Output |
---|---|---|---|---|
1 | Live.accops.com | FaceBook.com | Google.com | Google.com traffic is allowed through the internet. Facebook.com traffic is blocked through internet. Live.accops.com traffic by any IP address should be redirected to the HySecure Gateway. |
2 | Live.accops.com | * | Amazon.com | If not live.accops.com entire DNS traffic is blocked. |
3 | *accops.com | NA | * | Redirect only the DNS query for domain that matches accops.com to gateway. |
4 | NA | NA | NA | NON DNS MODE. The DNS queries are allowed to follow the normal path. |
5 | * | NA | NA | Redirect the entire DNS traffic through gateway. |
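To make the filter semantics and the resolution cases above concrete, here is a reference model of the driver's decision logic in Python. It is an added example, not HySecure's driver code. It assumes: the four VERINFO tags hold comma-separated strings; a filter starting with “*” is a suffix wildcard and “*” alone matches everything; matching is case-insensitive; the lists are consulted in the preference order BYPASS, REDIRECT, BLOCKED, ALLOWED; a query matching no list is blocked (as the Allowed section states), except when no list is configured at all, which is the NON DNS MODE of case 4. The DNS question is taken from the RFC 1035 wire format, and the sample packets are constructed inline.

```python
"""Reference model of the HySecure DNS filter decision (added example, not driver code)."""
import struct

# Lists in the preference order the design describes (assumption: bypass first).
FILTER_TAGS = (
    ("DNS_BYPASS_LIST", "BYPASS"),
    ("DNS_REDIRECT_LIST", "REDIRECT"),
    ("DNS_BLOCKED_LIST", "BLOCK"),
    ("DNS_ALLOWED_LIST", "ALLOW"),
)


def parse_lists(verinfo):
    """Split the VERINFO tag values (comma separated) into lower-cased filter lists.
    A missing or empty tag yields an empty list (the 'NA' of the cases table)."""
    lists = {}
    for tag, _ in FILTER_TAGS:
        raw = verinfo.get(tag) or ""
        lists[tag] = [f.strip().lower() for f in raw.split(",") if f.strip()]
    return lists


def filter_matches(filt, qname):
    """Only a leading '*' is a wildcard: '*' matches every name, '*accops.com'
    matches any name ending in 'accops.com'; anything else must match exactly."""
    qname = qname.lower().rstrip(".")
    if filt == "*":
        return True
    if filt.startswith("*"):
        return qname.endswith(filt[1:])
    return qname == filt


def decide(lists, qname):
    """Return BYPASS, REDIRECT, BLOCK or ALLOW for a question name."""
    if not any(lists.values()):
        return "ALLOW"  # NON DNS MODE: nothing configured, normal path (case 4)
    for tag, action in FILTER_TAGS:
        if any(filter_matches(f, qname) for f in lists[tag]):
            return action
    return "BLOCK"  # assumption: a query matching no list is blocked


def qname_from_dns(payload):
    """Extract the first question name from a DNS message in wire format."""
    if len(payload) < 12:
        raise ValueError("short DNS header")
    qdcount = struct.unpack("!H", payload[4:6])[0]
    if qdcount == 0:
        raise ValueError("no question section")
    labels, pos = [], 12
    while True:
        if pos >= len(payload):
            raise ValueError("truncated question name")
        length = payload[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:  # compression pointers are not expected in a question
            raise ValueError("compressed label in question")
        labels.append(payload[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels)


def build_query(qname, txid=0x1234):
    """Construct a minimal A/IN query for qname (sample input, not captured traffic)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    name = b"".join(bytes([len(l)]) + l.encode("ascii") for l in qname.split("."))
    return header + name + b"\x00" + struct.pack("!HH", 1, 1)


def apply_suffix(name, suffix):
    """Non-FQDN lookups get the configured DNS suffix appended, as in the FAQ."""
    return name if "." in name else f"{name}.{suffix}"


if __name__ == "__main__":
    # Constructed configuration matching the VERINFO example in this document.
    cfg = parse_lists({
        "DNS_ALLOWED_LIST": "*",
        "DNS_REDIRECT_LIST": "*facebook.com,*accops.com",
        "DNS_BLOCKED_LIST": "*ptplqa.local,*ptplqa",
        "DNS_BYPASS_LIST": "nomail.com",
    })
    for host in ("nomail.com", "m.facebook.com", "host.ptplqa", "example.com"):
        print(host, "->", decide(cfg, qname_from_dns(build_query(host))))
```

The order of the four lists in `FILTER_TAGS` is what makes case 2 of the table come out as "everything except live.accops.com is blocked": the redirect list is consulted before the blocked “*”, and the blocked “*” before the allowed Amazon.com entry.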
Dependencies and Change Impacts
System Dependencies
HySecure should be running in the Driver mode to capture and redirect the UDP traffic of all the applications in the Users System.
The LSP in HySecure has a limitation: it cannot be loaded into privileged applications such as the Edge browser, system processes, or applications running as a service. If HySecure runs in LSP mode, only the UDP traffic of applications in which the LSP module is loaded is captured and redirected.
Change Impacts
UDP Traffic from the System generated by any application is captured by HySecure and redirected to HySecure Gateway for the correct endpoint.
HySecure Server Configurations
For driver mode with DNS packet redirection, the following changes are required at the HySecure gateway end.
Domain Name in the application
The application configuration received from the gateway needs to carry the domain name, so that the dynamic IP for that domain name can be identified.
Publishing Application as DNS Gateway
Can a DNS application be present in the gateway by default to resolve the DNS names? It can carry the gateway filters.
List of Allowed, Blocked and redirected domain names.
When a DNS type of application is received from the gateway, can it provide the filter list? Currently the filter list is in the Verinfo file.
References and Debugging Tools
- NSLOOKUP
- DIG
- DebugView
- Wireshark
- RawCap.exe
- ProcessMonitor.exe
- ProcessExplorer.exe
- iPerf
Terms/Acronyms and Definitions
Term/Acronym | Description |
---|---|
LSP | Layer Service Provider |
NSP | Namespace Service Provider |
Driver | Windows network filter driver (32/64) |
FAQ
*Is IPv6 Addresses Supported?*
No
*Is Network type DNS application supported?*
No
*Why DNS Suffix configuration is required?*
DNS suffixes are pushed to the system so that a FQDN query is generated when a non-FQDN name is searched.
For example:
Suffix: ptplqa.local
Redirection for: *ptplqa.local
1. When Tally-PC is searched in the system, its FQDN is actually Tally-PC.ptplqa.local. For this to work, the ptplqa.local suffix must be put in place in the system.
2. When an application is accessed using the application name, i.e. "TALLY_APP", the query is generated as "TALLY_APP.PTPLQA.LOCAL" and redirected to the HySecure Client, which first checks the application list; if the name matches, it resolves the query then and there itself.
*How Appl*