By default, the ProxySG appliance does not perform a DNS lookup before a dynamic real-time rating (DRTR) query when WebPulse is enabled. In this scenario, potentially malicious URLs, such as typosquatting URLs, may be sent to WebPulse for rating, which results in WebPulse performing DNS lookups for the URLs to determine their categories. Because the appliance's local DNS lookup is bypassed, the WebPulse request could allow the owner of the malicious domain to exfiltrate data from the request.
To prevent this issue from occurring, write policy to disable DRTR when a specified DNS response is received. This policy ensures the dns_unresolved_hostname exception is returned by default instead of potentially showing a content_filter_denied exception (which would happen if a URL with a non-resolvable hostname triggers DRTR and returns a suspicious rating).
Refer to the following policy examples:
; If any DNS failure occurs, do not perform DRTR and return the dns_unresolved_hostname exception
url.has_address=no webpulse.categorize.mode(none)
; If DNS response is NXDOMAIN, do not perform DRTR and return the dns_unresolved_hostname exception
url.has_address=nxdomain webpulse.categorize.mode(none)
; If any DNS failure occurs, do not perform DRTR and return the specified exception
url.has_address=no exception(policy_denied,"DNS failure") webpulse.categorize.mode(none)
For more information on these CPL gestures, refer to the Content Policy Language Reference.
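The following is an added illustration, not ProxySG code or policy from the original article: a small Python model of how the three policy variants above behave for different local DNS outcomes. The hostnames, the stand-in DNS answers and the rule representation are constructed for the example; the point it makes visible is that `url.has_address=no` suppresses the DRTR query on any DNS failure, whereas `url.has_address=nxdomain` only does so for NXDOMAIN, so a SERVFAIL or timeout would still send the URL to WebPulse under the second variant.

```python
"""Model of the CPL rules in the article (added example, not Broadcom code).

A rule is (condition, exception_id): condition is the value given to
url.has_address=..., exception_id is the explicit exception() argument or
None. Every rule in the article also sets webpulse.categorize.mode(none).
"""
from enum import Enum
from typing import List, Optional, Tuple

class DnsResult(Enum):
    RESOLVED = "resolved"
    NXDOMAIN = "nxdomain"
    SERVFAIL = "servfail"
    TIMEOUT = "timeout"

# Constructed stand-in for the appliance's local DNS lookup.
SAMPLE_DNS = {
    "example.com": DnsResult.RESOLVED,
    "exampel.com": DnsResult.NXDOMAIN,         # constructed typosquat of example.com
    "intranet.corp.example": DnsResult.SERVFAIL,
    "slow.example.net": DnsResult.TIMEOUT,
}

def local_lookup(host: str) -> DnsResult:
    return SAMPLE_DNS.get(host, DnsResult.NXDOMAIN)

def condition_matches(result: DnsResult, condition: str) -> bool:
    """Model url.has_address=<condition> for the values used in the article."""
    if condition == "yes":
        return result is DnsResult.RESOLVED
    if condition == "no":           # any DNS failure
        return result is not DnsResult.RESOLVED
    if condition == "nxdomain":     # only a negative answer
        return result is DnsResult.NXDOMAIN
    raise ValueError(f"unsupported url.has_address value: {condition}")

# The three policies from the article, one rule each.
POLICY_ANY_FAILURE: List[Tuple[str, Optional[str]]] = [("no", None)]
POLICY_NXDOMAIN_ONLY: List[Tuple[str, Optional[str]]] = [("nxdomain", None)]
POLICY_CUSTOM_EXCEPTION: List[Tuple[str, Optional[str]]] = [("no", "policy_denied")]

def evaluate(host: str, policy: List[Tuple[str, Optional[str]]]) -> Tuple[bool, Optional[str]]:
    """Return (drtr_query_sent, exception_returned).

    drtr_query_sent is True when no rule matched, i.e. the URL would still be
    sent to WebPulse for rating. When a rule matches, DRTR is disabled and
    the explicit exception (if any) or the default dns_unresolved_hostname
    exception is returned, because the lookup has already failed.
    """
    result = local_lookup(host)
    for condition, exception_id in policy:
        if condition_matches(result, condition):
            return False, exception_id or "dns_unresolved_hostname"
    return True, None

if __name__ == "__main__":
    for name, policy in [("any failure", POLICY_ANY_FAILURE),
                         ("nxdomain only", POLICY_NXDOMAIN_ONLY),
                         ("custom exception", POLICY_CUSTOM_EXCEPTION)]:
        for host in SAMPLE_DNS:
            print(f"{name:17} {host:24} -> {evaluate(host, policy)}")
```

Running the script prints, for each policy, which constructed hostnames would still reach WebPulse; the SERVFAIL and timeout rows under the "nxdomain only" policy are the ones to look at when deciding between the first and second variant.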