Users accessing internet sites via Cloud SWG using WSS Agent.
For security purposes, all DNS requests from the WSS Agent host are sent into Cloud SWG by enabling Split DNS.
Any domains included in the Split DNS configuration cannot be accessed via Cloud SWG; browsers report connectivity-related errors.
Disabling WSS Agent allows all sites to be reached.
Microsoft Defender Firewall is enabled, with a rule allowing DNS responses from the local DNS server.
Defender Firewall intercepts the traffic BEFORE the WSS Agent sees and translates the DNS responses, and drops the response because it does not match an allow rule.
When Split DNS is enabled, create a rule in Defender Firewall that allows DNS responses from 126.96.36.199.
The Microsoft Defender logs showed that DNS responses from 188.8.131.52 were being dropped on the local host, e.g.
“2023-08-09 09:30:14 DROP UDP 184.108.40.206 10.85.15.197 53 63836 81 - - - - - - - RECEIVE 3052”
where 10.85.15.197 is the local IP address of the host.
The Split DNS setup sent all requests for the bcomnet.com domain to the local DNS server, and all DNS requests for other domains into Cloud SWG.
Tracking the dropped DNS request in the Symdiag PCAPs, we see that the responses initially come back with the WSS Agent NATed IP address (e.g. 10.228.231.149) rather than the host IP address, and from the rewritten DNS server. After the WSS Agent processes the request and rewrites the IP addresses, the application should see the correct IP addresses returned.
In our case, the Defender Firewall was intercepting the DNS response before the DNS server IP address was rewritten, and dropped it because it did not appear to come from the local DNS server.
Adding an allow rule to Defender Firewall allowed the response to get back to the application, and all connectivity worked.
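As an added example (not part of this article), the following PowerShell first confirms the symptom by counting DROP entries in the Defender Firewall log that match the pattern above (inbound UDP from source port 53), then creates the narrowest allow rule that covers them. It assumes the default pfirewall.log path, that dropped-packet logging is enabled, and that the responder address is the one named in the resolution; the sanitized addresses in this article differ between lines, so set $SwgDnsServer to the address seen in your own Defender log. The rule name is invented.

```powershell
# Added example: confirm the drop and add a tightly scoped Defender Firewall allow rule.
# Run in an elevated PowerShell session on the WSS Agent host.

$SwgDnsServer = '126.96.36.199'   # DNS responder address from the resolution (adjust to your log)
$FirewallLog  = "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"  # default log path
# Dropped-packet logging must be on for the log to exist:
#   Set-NetFirewallProfile -Profile Domain,Private,Public -LogBlocked True

# 1. Confirm the symptom. pfirewall.log field order is:
#    date time action protocol src-ip dst-ip src-port dst-port size ... path pid
function Get-DroppedDnsReplies {
    param([string]$Path, [string]$Server)
    if (-not (Test-Path $Path)) { return @() }
    Get-Content -Path $Path |
        Where-Object { $_ -match '^\d{4}-\d{2}-\d{2} ' } |
        ForEach-Object {
            $f = $_ -split '\s+'
            # DROP, UDP, from the SWG responder, source port 53 = a dropped DNS reply
            if ($f[2] -eq 'DROP' -and $f[3] -eq 'UDP' -and $f[4] -eq $Server -and $f[6] -eq '53') {
                [pscustomobject]@{ Time = "$($f[0]) $($f[1])"; From = $f[4]; To = $f[5]; DstPort = $f[7] }
            }
        }
}
$dropped = @(Get-DroppedDnsReplies -Path $FirewallLog -Server $SwgDnsServer)
"Dropped DNS replies from $SwgDnsServer : $($dropped.Count)"

# 2. Create the allow rule only if it is not already present. It is limited to
#    inbound UDP, remote port 53 and the single remote address, so it does not
#    open the host to any other inbound traffic.
$RuleName = 'Cloud SWG Split DNS - allow DNS replies'   # invented name
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName `
        -Description 'Allow DNS responses the WSS Agent rewrites after the firewall inspects them' `
        -Direction Inbound -Protocol UDP -RemoteAddress $SwgDnsServer -RemotePort 53 `
        -Action Allow -Profile Any | Out-Null
}

# 3. Verify the rule's direction, protocol, remote address and port filters.
Get-NetFirewallRule -DisplayName $RuleName | ForEach-Object {
    $addr = $_ | Get-NetFirewallAddressFilter
    $port = $_ | Get-NetFirewallPortFilter
    "$($_.DisplayName): $($_.Direction) $($port.Protocol) from $($addr.RemoteAddress):$($port.RemotePort) -> $($_.Action)"
}
```

After adding the rule, re-run the first step and confirm the count of dropped replies stops increasing while the Split DNS domains resolve in the browser.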