New Features:
Domain Inspection & Control
Domain inspection is now available as a Network configuration. When enabled, Enforce will examine connections using the ports specified and attempt to extract domain information from the connection's data. Enforce can currently extract domain information from the Host header in HTTP connections and the SNI header in TLS and QUIC connections.
When domain inspection is disabled (the existing and default state for all networks) domain information is not extracted from connections, meaning they are blocked or allowed based only on the IPs.
Domain inspection does incur a small performance penalty; however, in typical environments it is expected to be negligible. If performance issues are experienced with domain inspection enabled, one of the following actions can be taken:
- Reduce the amount of traffic being inspected (via inspection ports and/or networks)
- Upgrade to faster hardware
- Disabled the feature on the impacted network
NOTE: It is best to update all Enforcers assigned to the Network to the latest Enforce build for full support of the feature.
Enable Domain Inspection:
Domain Inspection is enabled on a Network. Be sure the Enforcers assigned to the Network are updated to the latest Enforce Build for full support of the feature. To enable Domain Inspection on an existing network:
- Navigate to Enforce/Networks
- Select “Edit” from the ellipsis menu of the desired network
- Click on the Domain Inspection step in the Network Wizard
- To enable the feature, toggle the control to the right
- Select one of the following options from the Domain Inspection Type drop-down:
- Prefer IP (default selection)
- Prefer Domain
- Prefer Both
- Explicit
The Domain Inspection Type specifies how Enforce uses the IP and Domain policy verdicts to determine if a connection should be allowed or blocked. The table below shows the action taken by Enforce given the Domain Inspection Type, IP verdict, and Domain verdict. If a domain cannot be discovered from the connection after 5 packets, the IP verdict is enforced.
| Prefer IP | Domain Allow | Domain Block | Domain None | |
| IP Allow | Allow | Allow | Allow | |
| IP Block | Block | Block | Block | |
| Prefer Domain | Domain Allow | Domain Block | Domain None | |
| IP Allow | Allow | Block | Allow | |
| IP Block | Allow | Block | Allow | |
| Prefer Both | Domain Allow | Domain Block | Domain None | |
| IP Allow | Allow | Block | Allow | |
| IP Block | Block | Block | Block | |
| Explicit | Domain Allow | Domain Block | Domain None | |
| IP Allow | Allow | Block | Allow | |
| IP Block | Allow | Block | Block | |
Note: “Domain None” means the domain was not on an enabled Allow or Block list.
Domain Inspection Ports
Users can specify the TLS and HTTP ports that will be inspected for domain information. For TLS, it is typically TCP port 443 (added by default when the feature is enabled) and UDP port 443. For HTTP, the typical (and default added) is TCP port 80.
Users can delete the default Ports and/or add anything additional. Up to 16 entries can be made for each Inspection Port for a total of 32 entries.
Once the settings are made, click the Save button in the top right corner of the screen.
Domain Inspected Connections
When Domain Inspection is enabled, Enforce will need to allow the first few packets of a connection to attempt to extract the domain from the connection data. (This is only done for connections to ports specified in the Inspection Ports above). Even if a connection would be denied by IP, the initial few packets of the connection will be allowed. For example, if an IP would be blocked, but the domain causes it to be allowed, you would see IP logs like this. Note the reason is DOMAIN_INSPECT.
Domain logs will look like this:
If the connection ends up being blocked, you'll see logs like these:
The connection is initially allowed for domain inspection. Once the domain is extracted and the connection is determined to be blocked, the blocked log is generated.
Domain logs will look like this:
Domain Logs
Domain logs have a few additional fields:
- Type: this indicates the type of traffic the domain was detected in, i.e. DNS, HTTP, etc.
- The IP Verdict, Domain Verdict, and Domain Inspection Type are included to make it clear why this connection was blocked or allowed.
Authorized DNS Resolvers
Users can add up to 10 authorized DNS server IP addresses that hosts inside the network are allowed to make DNS requests to. Any requests on UDP port 53 to IPs other than those configured here will be blocked. If no IPs are configured, outbound DNS requests will be filtered according to the Policy applied to the Network (the behavior in Enforce builds 285 and earlier).
To add an authorized resolver, enter the applicable IP and click on the “+” button. Add any additional IPs (up to 10) and then click the Save button in the top right corner.
NOTE: We recommend verifying all Enforcers are using Authorized Resolvers before enabling this feature. Any host using unauthorized resolvers will likely no longer be able to resolve domains. This configuration can be made on the Enforcer by navigating to Network -> Admin Interface -> DNS tab.
DNS Answer IPs
Users can configure up to 4 IPs that could be returned in the DNS response when a DNS query is blocked. If no IPs are configured an NXDomain response is sent (the behavior in Enforce builds 285 and earlier).
To add IPs, enter the applicable IP and click on the “+” button. Add any additional IPs (up to 4) and then click the Save button in the top right corner.
Observed DNS Resolvers
When this feature is enabled, Enforce will track all unique DNS connections and report them to Portal. This functionality is valuable for identifying devices within the network that may have incorrect DNS settings due to misconfiguration or running malicious software that is making unauthorized DNS requests.
To enable this feature:
- Navigate to the Enforcers tab
- Click on the hyperlink of an Enforcer
- Click on the Resolver tab
- Enable the Report Observed Resolvers
- Click the Save button in the right corner
Once there is data to report back, it will display in the table:
Users can search by Source IP and Destination IP, and select one of the following time ranges:
- Last 30 minutes (default)
- Last Hour
- Yesterday
- Last Week
Comments
0 comments
Please sign in to leave a comment.