FortiNAC
NOTE: FortiNAC is now named FortiNAC-F. For post-9.4 articles, see FortiNAC-F. FortiNAC is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks.
cmaheu
Staff
Article Id 194924

Description

 
This article describes how domain names are resolved for isolated hosts. When a device is connected to an isolation VLAN (e.g., Registration, Quarantine, DeadEnd), the Server/Application Server acts as the DNS server. By default, DNS requests received from an isolated host are answered with the IP address of the respective isolation interface. However, if the request is for a domain listed in the Allowed Domains list, the request is forwarded to the customer's DNS server for resolution.
 
The Allowed Domains list can be viewed and modified via the Administration UI under System -> Settings -> Control -> Allowed Domains. Changes made on this page are written to the server configuration file /var/named/chroot/etc/zones.common.
 
If a device cannot reach a certain site while in isolation, it is possible to confirm which IP address the domain resolves to.
 
Scope
 
FortiNAC.


Solution


Determine which IP address a particular domain resolves to by running the 'dig' command from the Server/Application Server CLI:


dig @<eth1 IP address> <domain>

 
Example 1: Domain not listed in the Allowed Domains List (zones.common).
 
Isolation interface IP = 192.168.23.2.
Domain: cnn.com.
 
cnn.com resolves to the isolation interface IP because it is not in the list:
 

dig @192.168.23.2 cnn.com

; <<>> DiG 9.9.4-RedHat-9.9.4-38.el7_3.2 <<>> @192.168.23.2 cnn.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59534
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;cnn.com.                       IN      A

;; ANSWER SECTION:
cnn.com.                30      IN      A       192.168.23.2

;; AUTHORITY SECTION:
.                       30      IN      NS      isol.bradfordnetworks.com.

;; ADDITIONAL SECTION:
isol.bradfordnetworks.com. 15   IN      A       192.168.23.2

 

The configuration file 'zones.common' does not list this domain. This can be confirmed with the following command, which returns no match:
 
grep -i cnn.com /var/named/chroot/etc/zones.common

Example 2: Domain is listed in the Allowed Domains List (zones.common).
 
Isolation interface IP = 172.16.99.2.
Domain: safebrowsing.google.com.
 
safebrowsing.google.com is in the Allowed Domains list and therefore resolves to its real public IP address.
 

dig @172.16.99.2 safebrowsing.google.com

; <<>> DiG 9.9.4-RedHat-9.9.4-73.el7_6 <<>> @172.16.99.2 safebrowsing.google.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27255
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;safebrowsing.google.com.       IN      A

;; ANSWER SECTION:
safebrowsing.google.com. 10800  IN      CNAME   sb.l.google.com.
sb.l.google.com.        270     IN      A       172.217.8.174


The configuration file 'zones.common' has this domain listed. This can be verified with the following command:


grep -i safebrowsing.google.com /var/named/chroot/etc/zones.common
zone "safebrowsing.google.com" {
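As an added example that is not part of this article, the following script combines the two checks above: it reads the dig output, extracts the answer, looks the domain up in zones.common and reports whether the two agree. It assumes only POSIX sh with awk, grep and sed; the dig output and the zones.common stanza it embeds are constructed from the captures above, not real files.

```shell
# Added example, not code from the Fortinet article: classify how the isolation DNS
# answered a query and cross-check that against zones.common in one step.
# Reads dig output from stdin so it also runs on a saved capture; on the appliance:
#   dig @192.168.23.2 cnn.com | classify 192.168.23.2 cnn.com /var/named/chroot/etc/zones.common
set -e

# Print A-record targets from the ANSWER section only; the ADDITIONAL section also
# carries an A record (the isolation name server itself), so it must be skipped.
answer_ips() {
    awk '/^;; ANSWER SECTION:/ { in_ans = 1; next }
         /^;;/ || /^$/        { in_ans = 0 }
         in_ans && $4 == "A"  { print $5 }'
}

# classify <isolation interface IP> <domain> <zones.common path>   (dig output on stdin)
# Prints CAPTURED, ALLOWED, NO_ANSWER, or a mismatch label when the answer and the
# Allowed Domains list disagree (the case worth investigating).
classify() {
    iso_ip=$1; domain=$2; zones=$3
    ips=$(answer_ips)
    listed=no
    grep -qiF "zone \"$domain\"" "$zones" 2>/dev/null && listed=yes
    case "$ips" in
        "")        echo NO_ANSWER ;;
        "$iso_ip") [ "$listed" = no ]  && echo CAPTURED || echo LISTED_BUT_CAPTURED ;;
        *)         [ "$listed" = yes ] && echo ALLOWED  || echo FORWARDED_BUT_NOT_LISTED ;;
    esac
}

# Constructed sample inputs modelled on the article's two captures (not real files).
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
printf 'zone "safebrowsing.google.com" {\n};\n' > "$tmp/zones.common"
cat > "$tmp/cnn.txt" <<'EOF'
;; ANSWER SECTION:
cnn.com.                30      IN      A       192.168.23.2

;; ADDITIONAL SECTION:
isol.bradfordnetworks.com. 15   IN      A       192.168.23.2
EOF
cat > "$tmp/sb.txt" <<'EOF'
;; ANSWER SECTION:
safebrowsing.google.com. 10800  IN      CNAME   sb.l.google.com.
sb.l.google.com.        270     IN      A       172.217.8.174
EOF

example_cnn()      { classify 192.168.23.2 cnn.com                 "$tmp/zones.common" < "$tmp/cnn.txt"; }
example_sb()       { classify 172.16.99.2  safebrowsing.google.com "$tmp/zones.common" < "$tmp/sb.txt"; }
# A listed domain still answered with the isolation IP: the mismatch the check is for.
example_mismatch() { sed 's/^cnn\.com\./safebrowsing.google.com./' "$tmp/cnn.txt" |
                     classify 192.168.23.2 safebrowsing.google.com "$tmp/zones.common"; }
example_cnn; example_sb; example_mismatch
```

Run on the appliance, replace the embedded files with the real zones.common path and pipe live dig output into classify.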

 

Related articles:

Troubleshooting Tip: DNS service for isolation network

Technical Tip: Troubleshooting domain resolution in the isolation network