Skip to main content
cmaheu
Staff
cmaheu
Staff
May 14, 2019

Technical Tip: Verify IP resolution of a domain when in isolation

  • May 14, 2019
  • 0 replies
  • 2939 views

Description

 
This article describes domain resolutions for isolated hosts. When a device is connected to an isolation VLAN (e.g., Registration, Quarantine, DeadEnd), the Server/Application Server acts as the DNS server. By default, DNS requests received from an isolated host are answered with the IP address of the respective isolation interface. However, if the request is for a domain listed in the Allowed Domains list, the request is forwarded to the customer's DNS server for resolution.
 
The allowed domains list can be viewed and modified via the Administration UI under System -> Settings -> Control -> Allowed Domains. Contents modified in this page are written to /var/named/chroot/etc/zones.common server configuration file.
 
If a device is not reaching a certain site when in isolation, it is possible to confirm which IP address the domain resolves.
 
Scope
 
FortiNAC.


Solution


Determine the IP address resolution of a particular domain by using the 'dig' command in the Server/Application Server CLI:


dig @<eth1 IP address> <domain>

 
Example 1: Domain not listed in the Allowed Domains List (zones.common).
 
Isolation interface IP = 192.168.23.2.
Domain: cnn.com.
 
cnn.com resolves to the isolation interface IP because it is not in the list:
 

dig @192.168.23.2 cnn.com

; <<>> DiG 9.9.4-RedHat-9.9.4-38.el7_3.2 <<>> @192.168.23.2 cnn.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59534
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;cnn.com.                       IN      A

;; ANSWER SECTION:
cnn.com.                30      IN      A       192.168.23.2

;; AUTHORITY SECTION:
.                       30      IN      NS      isol.bradfordnetworks.com.

;; ADDITIONAL SECTION:
isol.bradfordnetworks.com. 15   IN      A       192.168.23.2

 

The configuration file 'zones.common' does not list this domain. The content of this file can be checked with the following command:
 
grep -i cnn.com /var/named/chroot/etc/zones.common

Example 2: Domain is listed in the Allowed Domains List (zones.common).
 
Isolation interface IP = 172.16.99.2.
Domain: safebrowsing.google.com.
 
safebrowsing.google.com is listed in the list and therefore resolves to the actual IP address.
 

dig @172.16.99.2 safebrowsing.google.com

; <<>> DiG 9.9.4-RedHat-9.9.4-73.el7_6 <<>> @172.16.99.2 safebrowsing.google.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27255
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;safebrowsing.google.com.       IN      A

;; ANSWER SECTION:
safebrowsing.google.com. 10800  IN      CNAME   sb.l.google.com.
sb.l.google.com.        270     IN      A       172.217.8.174


The configuration file 'zones.common' has this domain listed. This can be verified with the following command:


grep -i safebrowsing.google.com /var/named/chroot/etc/zones.common
zone "safebrowsing.google.com" {

 

Related articles:

Troubleshooting Tip: DNS service for isolation network

Technical Tip: Troubleshooting domain resolution in the isolation network

    Terms & ConditionsAccessibility statement