Help
FortiNAC
NOTE: FortiNAC is now named FortiNAC-F. For post-9.4 articles, see FortiNAC-F. FortiNAC is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks.
cmaheu
Staff
Staff

Created on ‎05-14-2019 07:31 AM

Article Id 194924

Technical Note: Verify IP resolution of a domain when in isolation

Description
When a device is connected to an isolation VLAN (e.g., Registration, Quarantine, DeadEnd), the Server/Application Server acts as the DNS server.  By default, DNS requests received from an isolated host are answered with the IP address of the respective isolation interface.  However, if the request is for a domain listed in the Allowed Domains list, the request is forwarded to the customer's DNS server for resolution.

The Allowed Domains list can be viewed and modified via the Administration UI under System > Settings > Control > Allowed Domains.  Contents modified in this page are written to /var/named/chroot/etc/zones.common in the Server/Application Server.

If a device is not reaching a certain site when in isolation, it is possible to confirm which IP address the domain resolves.  



Solution
Determine the IP address resolution of a particular domain by using the "dig" command in the Server/Application Server CLI:

dig @<eth1 IP address> <domain>


Example: Domain not listed in the Allowed Domains List (zones.common)
Isolation interface IP = 192.168.23.2
Domain: cnn.com

cnn.com resolves to the isolation interface IP because it is not in the list...

dig @192.168.23.2 cnn.com

; <<>> DiG 9.9.4-RedHat-9.9.4-38.el7_3.2 <<>> @192.168.23.2 cnn.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59534
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;cnn.com.                       IN      A

;; ANSWER SECTION:
cnn.com.                30      IN      A       192.168.23.2

;; AUTHORITY SECTION:
.                       30      IN      NS      isol.bradfordnetworks.com.

;; ADDITIONAL SECTION:
isol.bradfordnetworks.com. 15   IN      A       192.168.23.2


zones.common does not list this domain:
grep -i cnn.com /var/named/chroot/etc/zones.common




Example: Domain is listed in the Allowed Domains List (zones.common)
Isolation interface IP = 172.16.99.2
Domain: safebrowsing.google.com

safebrowsing.google.com is listed in the listed and therefore resolves to the actual IP address...

> dig @172.16.99.2 safebrowsing.google.com

; <<>> DiG 9.9.4-RedHat-9.9.4-73.el7_6 <<>> @172.16.99.2 safebrowsing.google.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27255
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;safebrowsing.google.com.       IN      A

;; ANSWER SECTION:
safebrowsing.google.com. 10800  IN      CNAME   sb.l.google.com.
sb.l.google.com.        270     IN      A       172.217.8.174



zones.common lists this domain:
grep -i safebrowsing.google.com /var/named/chroot/etc/zones.common
        zone "safebrowsing.google.com" {



Labels:
2176
Submit Article Idea
Contributors
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.