DNS requests failing when WSS Agent host with Split DNS has Microsoft Defender enabled
Article ID: 273774

Products

Cloud Secure Web Gateway - Cloud SWG

Issue/Introduction

Users accessing internet sites via Cloud SWG using WSS Agent.

For security purposes, all DNS requests from the WSS Agent host are sent into Cloud SWG by enabling Split DNS.

Any domains that are included in the Split DNS configuration cannot be accessed via Cloud SWG; browsers report connectivity-related errors.

Disabling WSS Agent allows all sites to be reached.

Environment

WSS Agent.

Split DNS.

Microsoft Defender enabled, with a firewall rule allowing DNS responses from the local DNS server.

Cause

The Defender firewall intercepts the DNS response BEFORE the WSS Agent sees and translates it, and drops the response because it does not match any allow rule.

Resolution

When Split DNS is enabled, create a rule within Defender Firewall allowing DNS responses from 199.19.250.205.

Additional Information

The MS Defender logs showed DNS responses from 199.19.250.205 being dropped on the local host, e.g.

“2023-08-09 09:30:14 DROP UDP 199.19.250.205 10.85.15.197 53 63836 81 - - - - - - - RECEIVE 3052”

where 10.85.15.197 is the local IP address of the host.

The Split DNS setup sent all requests for the bcomnet.com domain to the local DNS server, and all DNS requests for other domains into Cloud SWG:

"splitDNS":
[
{"host":"example.com","ip":"10.1.254.1"},
{"host":"_default_","ip":"199.19.250.205"}
]

Tracking the dropped DNS request in the Symdiag PCAPs, we see that the responses initially come back to the WSS Agent NATed IP address (e.g. 10.228.231.149) rather than the host IP address, and from the rewritten DNS server. After the WSS Agent processes the response and rewrites the IP addresses, the application should see the correct IP addresses returned.

In our case, the Defender Firewall intercepted the request before the DNS server IP address was rewritten and dropped the DNS response as it did not come from the local DNS server.

Adding an allow rule to Defender allowed the response to reach the application, and all connectivity worked.
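The following PowerShell is an added example, not part of this article or the WSS Agent product: it scans the Defender Firewall log for dropped DNS responses from the Split DNS default server shown above (199.19.250.205) and then creates the inbound allow rule described under Resolution. It assumes the default Windows Firewall log path (pfirewall.log under System32\LogFiles\Firewall) and that firewall logging of dropped packets is turned on; the rule name and description are my own.

```powershell
# Added example (not from the KB article): confirm the Defender Firewall drop and
# add the allow rule the Resolution describes. Assumes the Split DNS "_default_"
# server from the article (199.19.250.205) and the default firewall log path.
$SplitDnsServer = '199.19.250.205'
$FirewallLog    = Join-Path $env:SystemRoot 'System32\LogFiles\Firewall\pfirewall.log'

function Get-DroppedSplitDnsResponse {
    param([string]$LogPath = $FirewallLog, [string]$DnsServer = $SplitDnsServer)
    # pfirewall.log field order: date time action protocol src-ip dst-ip src-port dst-port ...
    # Header lines (#Version, #Fields) and blank lines never match and are skipped.
    Get-Content $LogPath | ForEach-Object {
        $f = $_ -split '\s+'
        # A dropped inbound UDP packet with source port 53 from the Split DNS server
        # is a DNS response Defender discarded before WSS Agent could rewrite it.
        if ($f.Count -ge 8 -and $f[2] -eq 'DROP' -and $f[3] -eq 'UDP' -and
            $f[4] -eq $DnsServer -and $f[6] -eq '53') {
            [pscustomobject]@{
                Time      = "$($f[0]) $($f[1])"
                Source    = $f[4]
                LocalHost = $f[5]   # local IP the response was addressed to
                LocalPort = $f[7]   # ephemeral port the resolver used
            }
        }
    }
}

function Add-SplitDnsAllowRule {
    param([string]$DnsServer = $SplitDnsServer)
    $name = 'WSS Agent Split DNS - allow DNS responses'   # hypothetical rule name
    if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) {
        Write-Verbose "Rule '$name' already exists"
        return
    }
    # Scope the rule as narrowly as the fix needs: inbound UDP from the Split DNS
    # server's port 53 only, so nothing else is opened on the host.
    New-NetFirewallRule -DisplayName $name -Direction Inbound -Action Allow `
        -Protocol UDP -RemoteAddress $DnsServer -RemotePort 53 -Profile Any `
        -Description 'Allow DNS responses from the Cloud SWG Split DNS server (KB 273774)'
}

# Run from an elevated session: list the drops, then add the rule only if drops are seen.
$drops = Get-DroppedSplitDnsResponse
$drops | Format-Table -AutoSize
if ($drops) { Add-SplitDnsAllowRule }
```

If no drops are listed, check that logging of dropped packets is enabled on the active profile (Get-NetFirewallProfile shows LogBlocked) before assuming Defender is not the cause.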