Users access the internet via Cloud SWG using WSS Agents.
Despite google.com sites being configured as bypassed, Cloud SWG reporting shows a large volume of requests to those sites, as shown below:
The problem only appears on hosts that are configured to send their DNS traffic to Google's public DNS servers.
WSS Agents on Windows and macOS.
Chrome browser.
DNS over HTTPS (DoH) enabled.
QUIC protocol enabled.
The WSS Agent cannot see the DNS A responses it needs in order to determine whether a domain is on the bypass list: with DoH, and with DoH carried over QUIC, name resolution is encrypted, so the Agent never learns which IP addresses belong to google.com and forwards that traffic into Cloud SWG instead of bypassing it.
If the hosts use Google DNS servers, disable QUIC and DNS over HTTPS in the browser so that resolution falls back to plain DNS, and confirm that DNS A records are visible on the wire (a packet capture on the WSS Agent host should show DNS responses on UDP port 53, not encrypted traffic to the resolver on port 443).
Otherwise, point the hosts at a local DNS server that returns plain A records, or send DNS into the Cloud SWG DNS proxy service.
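The following is an added example, not Broadcom/Symantec code from this article, showing one way to apply the first resolution option on managed Chrome: the Chrome enterprise policies QuicAllowed=false and DnsOverHttpsMode="off" are real policy names, written to the documented policy locations (the HKLM\SOFTWARE\Policies\Google\Chrome registry key on Windows, the com.google.Chrome preference domain on macOS, and the /etc/opt/chrome/policies/managed/ directory on Linux). The file name used on Linux and the use of `defaults write` rather than a configuration profile on macOS are this example's choices; `defaults write` is convenient for testing, while a configuration profile pushed by MDM is the usual production mechanism.

```python
"""Pin Chrome to plain DNS so the WSS Agent can see A records on the wire.

Added example (not Cloud SWG documentation). QuicAllowed=false disables
HTTP/3, so DoH cannot be tunnelled inside QUIC on UDP/443, and
DnsOverHttpsMode="off" disables Chrome's built-in secure DNS so lookups
go to the OS resolver as standard DNS on port 53.
"""
import json
import platform
import subprocess

# Chrome enterprise policy keys and the values this fix needs.
CHROME_POLICY = {
    "QuicAllowed": False,        # no HTTP/3 (QUIC) transport
    "DnsOverHttpsMode": "off",   # no DoH; use the OS resolver
}

WIN_KEY = r"HKLM\SOFTWARE\Policies\Google\Chrome"
MAC_DOMAIN = "com.google.Chrome"
# Any *.json under the managed directory is read; the file name is our choice.
LINUX_POLICY_FILE = "/etc/opt/chrome/policies/managed/no-doh-no-quic.json"


def windows_commands(policy=CHROME_POLICY) -> list[list[str]]:
    """reg.exe invocations: booleans become REG_DWORD, strings REG_SZ."""
    cmds = []
    for key, val in policy.items():
        if isinstance(val, bool):
            cmds.append(["reg", "add", WIN_KEY, "/v", key, "/t", "REG_DWORD",
                         "/d", str(int(val)), "/f"])
        else:
            cmds.append(["reg", "add", WIN_KEY, "/v", key, "/t", "REG_SZ",
                         "/d", val, "/f"])
    return cmds


def macos_commands(policy=CHROME_POLICY) -> list[list[str]]:
    """defaults(1) invocations writing the same keys into Chrome's domain."""
    cmds = []
    for key, val in policy.items():
        if isinstance(val, bool):
            cmds.append(["defaults", "write", MAC_DOMAIN, key, "-bool",
                         "true" if val else "false"])
        else:
            cmds.append(["defaults", "write", MAC_DOMAIN, key, "-string", val])
    return cmds


def linux_policy_json(policy=CHROME_POLICY) -> str:
    """Content of the managed-policy JSON file."""
    return json.dumps(policy, indent=2)


def apply(dry_run: bool = True) -> list[str]:
    """Apply the policy for the current OS and return a log of the actions.
    With dry_run=True (the default) nothing is executed or written."""
    system = platform.system()
    actions: list[str] = []
    if system == "Windows":
        cmds = windows_commands()
    elif system == "Darwin":
        cmds = macos_commands()
    else:
        actions.append(f"write {LINUX_POLICY_FILE}")
        if not dry_run:
            with open(LINUX_POLICY_FILE, "w", encoding="ascii") as f:
                f.write(linux_policy_json())
        return actions
    for cmd in cmds:
        actions.append(" ".join(cmd))
        if not dry_run:
            subprocess.run(cmd, check=True)
    return actions


if __name__ == "__main__":
    for line in apply(dry_run=True):
        print(line)
```

After applying, chrome://policy on the client should list both policies as set, and a capture on the WSS Agent host (for example `tcpdump -ni any udp port 53`) should show plain DNS responses for google.com names, with no remaining UDP/443 traffic to the Google resolvers.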
The WSS Agent must be able to snoop DNS responses in order to determine whether a configured bypass applies to an outgoing request: the bypass is defined by domain, but connections are seen by destination IP address, so the Agent needs the A record to map the resolved addresses back to the domain.
With DNS over HTTPS (DoH), DNS requests and responses are encrypted inside HTTPS and cannot be seen on the wire. After initially disabling DoH on the WSS Agent host the issue persisted, and further investigation found that the client was still resolving names through Google over the QUIC protocol.
With QUIC, the DNS requests to Google are likewise invisible to the WSS Agent (they travel as encrypted HTTP/3 traffic on UDP port 443 rather than as plain DNS on port 53), so the bypass cannot be applied. The following capture shows the DNS requests to the Google DNS service; they are not the standard DNS A records that the Agent parses for:
Disabling QUIC resolved the issue.
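To make the cause concrete, here is an added example (not WSS Agent code, and not the capture referenced above) that models the DNS snooping a bypass agent depends on. It constructs a wire-format DNS A response as the Agent would see it on UDP port 53, parses the answer section, and records which IP addresses belong to a bypassed domain; a datagram from UDP port 443 (DoH carried over QUIC) is treated as opaque, so nothing is learned and the later connection to that IP is steered to the proxy. The bypass list, the 203.0.113.0/24 documentation addresses and the sample packets are constructed for the example; the real Agent's matching rules are not published here.

```python
"""Model of DNS-response snooping for domain bypass.

Added example, not Broadcom/Symantec code. Plain DNS (RFC 1035 wire
format) on UDP/53 can be parsed for A records; DoH over HTTP/3 (QUIC,
UDP/443) cannot, so no ip->domain mapping is learned from it.
"""
import socket
import struct

BYPASS_DOMAINS = {"google.com"}  # constructed bypass list for the example


def encode_name(name: str) -> bytes:
    """Encode a domain name as DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_a_response(txid: int, name: str, addrs: list[str], ttl: int = 300) -> bytes:
    """Construct a plain DNS A response for the demo (what a resolver sends on UDP/53)."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addrs), 0, 0)  # QR=1, RD, RA
    question = encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    answers = b""
    for a in addrs:
        # 0xC00C is a compression pointer to the question name at offset 12
        answers += struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + socket.inet_aton(a)
    return header + question + answers


def decode_name(pkt: bytes, off: int) -> tuple[str, int]:
    """Decode a possibly compressed name; return (name, offset just after it)."""
    labels, jumped, end = [], False, off
    while True:
        length = pkt[off]
        if length & 0xC0 == 0xC0:  # pointer: follow it, but keep the caller's offset
            ptr = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if length == 0:
            if not jumped:
                end = off
            break
        labels.append(pkt[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), end


def parse_a_records(pkt: bytes) -> list[tuple[str, str]]:
    """Return (owner name, IPv4) pairs from the answer section of a DNS response."""
    if len(pkt) < 12:
        return []
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    if not flags & 0x8000:  # QR clear: this is a query, nothing to learn
        return []
    off = 12
    for _ in range(qd):
        _, off = decode_name(pkt, off)
        off += 4  # skip QTYPE + QCLASS
    records = []
    for _ in range(an):
        name, off = decode_name(pkt, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        rdata = pkt[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:  # A record, class IN
            records.append((name, socket.inet_ntoa(rdata)))
    return records


def learn_bypass_ips(src_port: int, payload: bytes, bypass=BYPASS_DOMAINS) -> dict[str, str]:
    """What the agent can learn from one inbound UDP datagram: ip -> bypassed domain."""
    if src_port != 53:
        # DoH over QUIC arrives from UDP/443 as encrypted HTTP/3: nothing to parse
        return {}
    learned = {}
    for name, ip in parse_a_records(payload):
        if any(name == d or name.endswith("." + d) for d in bypass):
            learned[ip] = name
    return learned


def route_for(ip: str, learned: dict[str, str]) -> str:
    """Bypass only addresses previously tied to a bypassed domain; else proxy."""
    return "bypass" if ip in learned else "proxy"


if __name__ == "__main__":
    plain = build_a_response(0x1234, "www.google.com", ["203.0.113.10", "203.0.113.11"])
    learned = learn_bypass_ips(53, plain)
    print("plain DNS learned:", learned)
    quic = b"\xc3\x00\x00\x00\x01" + b"\x00" * 40  # constructed opaque QUIC-like datagram
    print("QUIC/443 learned:", learn_bypass_ips(443, quic))
    print("203.0.113.10 via plain DNS ->", route_for("203.0.113.10", learned))
    print("203.0.113.10 via DoH/QUIC  ->", route_for("203.0.113.10", {}))
```

The last two lines of output are the whole symptom: the same Google address is bypassed when the A record was seen on port 53 and proxied when resolution went over DoH/QUIC, which is why the reports filled with google.com requests.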
An alternative is to send DNS requests to a local DNS server, or into Cloud SWG for resolution using the DNS proxy solution. APIs are available to push Split DNS directives out to the WSS Agents so that they send their DNS traffic into Cloud SWG rather than to a local DNS server.
What’s next in making Encrypted DNS-over-HTTPS the Default
Configuring Networks to Disable DNS over HTTPS
Google to Experiment 'DNS over HTTPS' (DoH) Feature in Chrome 78