Force local DNS lookup before performing dynamic categorization

Article ID: 184866

Products

ProxySG Software - SGOS

Issue/Introduction

By default, the ProxySG appliance does not perform a DNS lookup before a dynamic real-time rating (DRTR) query when WebPulse is enabled. In this scenario, potentially malicious URLs, such as typosquatting URLs, may be sent to WebPulse for rating, which results in WebPulse performing DNS lookups for those URLs to determine their categories. Because the appliance's local DNS lookup is bypassed, the WebPulse request could allow the owner of the malicious URL to exfiltrate data from the request.

Resolution

To prevent this issue from occurring, write policy to disable DRTR when a specified DNS response is received. This policy ensures the dns_unresolved_hostname exception is returned by default instead of potentially showing a content_filter_denied exception (which would happen if a URL with a non-resolvable hostname triggers DRTR and returns a suspicious rating).

Refer to the following policy examples:

; If any DNS failure occurs, do not perform DRTR and return the dns_unresolved_hostname exception
url.has_address=no webpulse.categorize.mode(none)

; If DNS response is NXDOMAIN, do not perform DRTR and return the dns_unresolved_hostname exception
url.has_address=nxdomain webpulse.categorize.mode(none)

; If any DNS failure occurs, do not perform DRTR and return the specified exception
url.has_address=no exception(policy_denied,"DNS failure") webpulse.categorize.mode(none)

For more information on these CPL gestures, refer to the Content Policy Language Reference.