Name Resolution Methods

The name resolution methods available to the Windows HySecure client are:

1.  Namespace Service Provider (NSP)
2.  Host File
3.  DNS Server (if available/configured)
4.  DNS Adapter change method (deprecated)
5.  Hooking DLL (NON ADMIN CLIENT)

Namespace Service Provider

A namespace provider implements an interface mapping between the Winsock namespace SPI and the native programmatic interface of an existing name service such as DNS, X.500, or NetWare Directory Services (NDS).

The Namespace Service Provider (NSP) is the default name resolution method in the Windows client.

DNS query resolution from gateway

In NSP mode, additional DNS queries can be resolved using the gateway query method: the DNS resolution query is read, the domain name is sent to the gateway for resolution, and the response is cached and forwarded to the requester.

Enforcement from HySecure Gateway:

NA: there is no versioninfo tag that forces the use of NSP mode.

Host File

The host file mechanism writes the names/domain names of the applications served by the HySecure VPN service into the user's system hosts file. This method modifies the hosts file on the user's machine and makes its changes there.

Limitations:

• Requires admin privileges to make changes to the hosts file.

• Name resolution entries and IP addresses are visible in the hosts file.

• Most systems in an enterprise do not allow the hosts file to be changed. The activity is detected as suspicious, so this method is discouraged.

Enforcement from HySecure Gateway:

Verinfo TAG : USECLIENTSIDEHOSTSFILE

Value    Description                                                                           Is Default
true     Enforces the host-file name resolution method.                                        No
false    The host-file method is abandoned; the client falls back to NSP or DNS (if available). No
(BLANK)  Lets the user decide which name resolution method is used; nothing is enforced.       Yes

Adapter DNS change method (Deprecated)

  • The user logs in to the HySecure Gateway using the client.
  • The user receives the list of accessible applications, along with each application's name, IP address, server domain name (if any) and port.
  • The client then changes the DNS address of the machine's network adapters, placing “127.0.0.1” as the first DNS server used for resolution.

DNS Server (If available/configured)

If the administrator has published an application with port 53 and protocol UDP, this mode can be selected by the user or enforced by the administrator. To enforce it, “VPN_NAMERESOLUTION_DNS_ENFORCED=true” must be set in the versioninfo file.

Verinfo TAG : VPN_NAMERESOLUTION_DNS_ENFORCED

Value    Description                                                                                          Is Default
true     Enforces the DNS server (driver mode) name resolution method.                                        No
false    The DNS server method is abandoned; the client falls back to NSP (or the hosts file if NSP is absent). No
(BLANK)  Lets the user decide which name resolution method is used; nothing is enforced.                      Yes

DNS Packet Filtering

The driver redirects DNS packets by registering a callout at the IPv4 OUTBOUND_TRANSPORT layer. The callout receives the outbound transport-layer traffic of DNS resolution and modifies the remote and local addresses of the IP packets.

When the driver receives TCP or UDP packets, it checks its DNS cache to decide whether the connection should be proxied. If there is a match, the connection is redirected to the gateway, which relays it into the internal network.

Additional feature: Domain Name Suffix

DNS suffix for redirection is an additional feature that makes a short name searchable as a fully qualified domain name (FQDN). The tag below enforces an additional DNS suffix on the network adapter of the user's system, so whenever a name is looked up, additional queries are generated using that suffix.

Domain Name Suffix : VPN_DOMAIN_NAME_REDIRECTION_SUFFIX

For example:

VPN_DOMAIN_NAME_REDIRECTION_SUFFIX=ptplqa.local

The additional suffix “ptplqa.local” is applied on the user's system.

cmd> nslookup MYPC
    A domain name query is generated for “MYPC.ptplqa.local”.
cmd> nslookup mypc.accops.com
    Domain name queries are generated for “mypc.accops.com” and “mypc.accops.com.ptplqa.local” (two DNS queries are generated here).
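The following Python, added here as an illustration and not part of HySecure, models the query behaviour shown above for an enforced suffix and then applies a simplified version of the driver's cache check (an assumed exact match against published application names) to decide which queries would be relayed to the gateway. The published-name set is constructed for the example.

```python
# Added example (not HySecure code): how an enforced DNS suffix changes the queries a
# lookup generates, and how a driver-side list of published names decides whether a
# query is relayed to the gateway. The published-name set below is constructed.

def generate_queries(name: str, suffix: str) -> list:
    """Queries the resolver issues for `name` once `suffix` is applied to the adapter.

    A single-label name is only searched with the suffix appended; a name that already
    contains a dot is searched as typed and again with the suffix appended.
    """
    name = name.rstrip(".")
    qualified = f"{name}.{suffix}"
    return [qualified] if "." not in name else [name, qualified]


def should_redirect(query: str, published: set) -> bool:
    """Assumed driver cache check: relay the query through the gateway only when the
    queried name is a published application name (case-insensitive, trailing dot ignored)."""
    return query.rstrip(".").lower() in {p.rstrip(".").lower() for p in published}


def resolve_plan(name: str, suffix: str, published: set) -> list:
    """(query, redirected_to_gateway) for every query the lookup of `name` produces."""
    return [(q, should_redirect(q, published)) for q in generate_queries(name, suffix)]


# Suffix from the page; the published names are a constructed sample.
SUFFIX = "ptplqa.local"
PUBLISHED = {"mypc.ptplqa.local", "intranet.ptplqa.local"}

if __name__ == "__main__":
    for typed in ("MYPC", "mypc.accops.com"):
        for query, redirected in resolve_plan(typed, SUFFIX, PUBLISHED):
            print(f"nslookup {typed}: {query} -> {'gateway' if redirected else 'local resolver'}")
```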

Limitation/Prerequisite:

  • The admin must publish at least one UDP application on port 53.
  • VPN_NAMERESOLUTION_DNS_ENFORCED must be true, or the “DNS Server (if configured)” name resolution method must be selected by the user.
  • LSP mode is not supported with this feature; only the driver-mode client is supported.

For more information about the DNS resolution method, refer to: Domain Name Resolution

Hooking method

This is the method used by the non-admin client. Name resolution is done through a hook installed on the gethostbyname function.

Version Info Tag :

NONE

Limitation:

Works only with the non-admin client.

Enforcing Name Resolution method

Fallback:

If no configuration is available or Driver Mode DNS is enforced:

1.  Driver mode, if an application with port 53 and protocol UDP is published.
2.  If that is not available, NSP is selected.
3.  If NSP is not installed, host file mode is selected.

If the host file is enforced from the gateway, the host file name resolution method is selected even if the DNS application is published.

Note

VPN_NAMERESOLUTION_DNS_ENFORCED and USECLIENTSIDEHOSTSFILE are the two tags through which driver mode or host file mode name resolution can be enforced. There is no way to enforce NSP mode.
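As an added illustration (not Accops' code), the following Python models the enforcement and fallback rules described above: it parses the two tags from the versioninfo file (assumed to be plain KEY=VALUE lines) and picks the method the client would end up with. The ClientState fields, the handling of a user's own selection when both tags are blank, and the error when the hosts file is disabled with nothing else usable are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Optional


def parse_versioninfo(text: str) -> dict:
    """Parse KEY=VALUE lines (assumed layout of the versioninfo file) into a dict.
    Keys are upper-cased; an empty value means the tag is left BLANK (not enforced)."""
    tags = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        tags[key.strip().upper()] = value.strip().lower()
    return tags


@dataclass
class ClientState:
    admin_client: bool                  # the non-admin client only has the hooking DLL
    dns_app_published: bool             # a UDP application on port 53 is published
    nsp_installed: bool                 # the Namespace Service Provider is registered
    driver_mode: bool = True            # driver-mode DNS is unavailable to LSP-mode clients
    user_choice: Optional[str] = None   # method picked in the client when nothing is enforced


def select_method(tags: dict, state: ClientState) -> str:
    """Return the name resolution method the client ends up using."""
    if not state.admin_client:
        return "Hooking DLL"
    hosts_tag = tags.get("USECLIENTSIDEHOSTSFILE", "")
    dns_tag = tags.get("VPN_NAMERESOLUTION_DNS_ENFORCED", "")
    dns_available = state.dns_app_published and state.driver_mode
    # Host-file enforcement wins even when a DNS application is published.
    if hosts_tag == "true":
        return "Host File"
    # Both tags BLANK: honour the user's selection when it is actually usable (assumed).
    if not hosts_tag and not dns_tag and state.user_choice:
        usable = {"DNS Server": dns_available, "NSP": state.nsp_installed, "Host File": True}
        if usable.get(state.user_choice):
            return state.user_choice
    # Fallback order from the page: driver-mode DNS, then NSP, then the host file.
    if dns_available and dns_tag != "false":
        return "DNS Server"
    if state.nsp_installed:
        return "NSP"
    if hosts_tag == "false":
        raise RuntimeError("host file disabled and no other method is usable")
    return "Host File"
```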

FAQ

Does the non-admin client support this feature?

No, because WTSAddin requires admin privileges to register the virtual channel.

Logs to check

Search for "Enabling wts plugin"