Create exceptions with Cloud SWG DNS Proxy and the 'in-addr.arpa' Pseudo-Domain

Article ID: 366895


Products

Cloud Secure Web Gateway - Cloud SWG

Issue/Introduction

Users are unable to do a DNS PTR lookup when using Symantec Agents with Cloud SWG DNS proxy enabled.

Environment

Cloud SWG with DNS Proxy.

Symantec Agents: Enterprise Agent, WSS Agent, SEP Agent Tunnel Mode.

Cause

By default, the DNS proxy does not automatically bypass private domains or IP addresses, because it has no knowledge of them.

Maintaining internal reverse DNS servers is not a common practice for many organizations.

Resolution

To exempt reverse DNS lookups effectively, you must use the appropriate "in-addr.arpa" address. See "Private network" under Additional Information.

For instance, exempting "28.172.in-addr.arpa" will directly route any reverse DNS request for addresses within the 172.28.x.x range, bypassing the DNS proxy altogether.

This approach ensures that internal reverse DNS queries are handled efficiently and without unnecessary proxying, optimizing network performance and reliability.

In the Cloud SWG Portal, go to Connectivity > DNS Exemptions > Add.

Add the required "in-addr.arpa" internal addresses:

0.10.in-addr.arpa
168.192.in-addr.arpa

16.172.in-addr.arpa
17.172.in-addr.arpa
18.172.in-addr.arpa
19.172.in-addr.arpa
20.172.in-addr.arpa
21.172.in-addr.arpa
22.172.in-addr.arpa
23.172.in-addr.arpa
24.172.in-addr.arpa
25.172.in-addr.arpa
26.172.in-addr.arpa
27.172.in-addr.arpa
28.172.in-addr.arpa
29.172.in-addr.arpa
30.172.in-addr.arpa
31.172.in-addr.arpa

Note: You will need to do this if you are maintaining internal reverse DNS servers. These domains are often treated as DNS zone files internally, so each exemption applies to everything under it.
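The following Python code is an added example, not part of the original article or of any Symantec tooling. It derives the "in-addr.arpa" exemption names from internal CIDR ranges (generalized to any IPv4 prefix, not only the ranges listed above) and checks which exemption a given PTR query falls under. The function names, the sample ranges, and the whole-label suffix matching are assumptions made for illustration.

```python
import ipaddress

# Constructed sample input: internal ranges whose PTR lookups should skip the DNS proxy.
INTERNAL_RANGES = ["10.0.0.0/16", "172.16.0.0/12", "192.168.0.0/16"]


def reverse_zones(cidr):
    """Return the in-addr.arpa zones that together cover an IPv4 network."""
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version != 4:
        raise ValueError("in-addr.arpa only covers IPv4")
    # Reverse zones are delegated per octet, so round the prefix up to the
    # next multiple of 8 (minimum /8) and emit one zone per resulting subnet.
    target = max(8, -(-net.prefixlen // 8) * 8)
    zones = []
    for sub in net.subnets(new_prefix=target):
        octets = str(sub.network_address).split(".")[: target // 8]
        zones.append(".".join(reversed(octets)) + ".in-addr.arpa")
    return zones


def build_exemptions(ranges):
    """Flatten the zones for every range into one exemption list."""
    return [zone for cidr in ranges for zone in reverse_zones(cidr)]


def matching_exemption(ip, exemptions):
    """Return the exemption a PTR query for ip falls under, or None."""
    qname = ipaddress.ip_address(ip).reverse_pointer  # e.g. 5.1.28.172.in-addr.arpa
    for zone in exemptions:
        # Assumption: an exemption matches the name itself and everything
        # under it, compared on whole labels (so 128.172 does not match 28.172).
        if qname == zone or qname.endswith("." + zone):
            return zone
    return None


if __name__ == "__main__":
    exemptions = build_exemptions(INTERNAL_RANGES)
    print("\n".join(exemptions))
    for ip in ("172.28.1.5", "172.32.0.1", "172.128.0.1"):
        print(ip, "->", matching_exemption(ip, exemptions) or "not exempt")
```

Passing 10.0.0.0/8 to `reverse_zones` returns the single zone 10.in-addr.arpa, which covers every 10.x.x.x address.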

Additional Information