FortiNAC-F
FortiNAC-F is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks. For legacy FortiNAC articles prior to FortiNAC-F 7.2, see FortiNAC.
khoffman
Article Id 302961
Description This article describes how to troubleshoot domain resolution in the isolation networks (Isolation, Registration, Remediation, etc.) so that hosts can resolve specific domains from Isolation. Examples include the ability to download AntiVirus/OS updates and to validate SSL certificates.

When a device is connected to an isolation VLAN (e.g., Registration, Quarantine, DeadEnd), the NAC Server acts as the DNS server. Upon receipt of a DNS request from the isolated host, the appliance returns the IP address of the isolation interface (port 2) unless the domain is listed on the Allowed Domains page.

If a request for a domain listed in the Allowed Domains page is received, the appliance sends a request to the production DNS server for resolution.

To provide appropriate IP resolution to isolated devices for completing actions such as updating AV programs and SSL certificate authentication, this list should be updated as necessary.

Note:

The appliance does not act as a router or firewall. The host uses the existing network infrastructure to reach the internet for AV and OS updates; FortiNAC only acts as the DNS server.

Scope FortiNAC-F v7.X.
Solution

Step 1: Identify which domains resolve to the Isolation interface.

  1. Log in to the FortiNAC-F CLI as 'admin' and type:

execute enter-shell

  2. Generate a list of domains resolving to the isolation interface. Run one of the following commands:

Option 1: Generate a list of domains that all isolated hosts attempted to access:

grep PassThru /bsc/logs/named.log | cut -d' ' -f11 | sort | uniq -c | sort -rg

Option 2: Generate a list of domains a specific isolated host attempted to access.

grep <IP-Address-of-Host> -A1 /bsc/logs/named.log | grep PassThru | cut -d' ' -f11 |sort | uniq -c | sort -rg

Example:

 

grep 192.168.4.5 -A1 /bsc/logs/named.log | grep PassThru | cut -d' ' -f10 |sort | uniq -c | sort -rg

  3. Review the resulting list. The most commonly attempted domains are at the top, along with the number of times each domain was requested and resolved to the isolation interface instead of its real address.

Output example (the actual list will be much longer):

2556 udbn4b.centralus.cloudapp.azure.com
2276 www.msftconnecttest.com
1584 wu-bg-shim.trafficmanager.net


Step 2: Add Domains to the Allowed Domains List.

 

Note:

Avoid adding domains used by Captive Network Assistant and the domain name of the FortiNAC appliance itself. Adding them changes how the captive portal is displayed and breaks agent communication from the Isolation network.

 

  1. Use the results from the previous step to determine which domains should be added to the Allowed Domains list for proper IP resolution. Depending on company policies and configuration, it may not be desirable to add all of the missing domains.

For a list of domains, see the Domains to Add to Allowed Domains List reference manual in the Document Library.

  2. Add the domains to the Allowed Domains List and save. For instructions, see the section Allowed domains in the Administration Guide.
  3. Verify that the domain resolves to the appropriate IP address with the 'dig' command in the CLI. For instructions, see the KB article Verify IP resolution of a domain when in isolation.

Note:

The 'dig' command shows the IP resolution of a specific domain, including any CNAMEs followed during resolution.

Those CNAME names must also be added to the Allowed Domains List; otherwise the isolated host resolves the first name but the chain still ends at the isolation interface.
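As an added illustration (not part of the original article), the POSIX shell script below parses the ANSWER SECTION of dig output, lists every name in the CNAME chain, and reports which of those names are absent from an Allowed Domains export. The dig output and the allowed list are constructed samples, and the exact-name comparison is an assumption about how the list is matched.

```shell
#!/bin/sh
# Added example, not FortiNAC code: walk a dig CNAME chain and find
# names that still need to be added to the Allowed Domains List.

# Constructed dig answer section: the requested name resolves through
# two CNAMEs before an A record is reached.
DIG_OUTPUT='
;; ANSWER SECTION:
updates.example-av.test.   300  IN  CNAME  cdn.example-av.test.
cdn.example-av.test.       120  IN  CNAME  edge.example-cdn.test.
edge.example-cdn.test.      60  IN  A      203.0.113.10
'

# Constructed Allowed Domains export, one domain per line. Only the
# first name of the chain has been added so far.
ALLOWED='updates.example-av.test
www.msftconnecttest.com'

# chain_names DIG_TEXT: print every owner name and CNAME target in the
# answer section, trailing dot removed, deduplicated, in resolution order.
chain_names() {
    printf '%s\n' "$1" \
    | awk '$4 == "CNAME" || $4 == "A" || $4 == "AAAA" {
              sub(/\.$/, "", $1); print $1
              if ($4 == "CNAME") { sub(/\.$/, "", $5); print $5 }
          }' \
    | awk '!seen[$0]++'
}

# missing_names DIG_TEXT ALLOWED_TEXT: names from the chain that do not
# appear as an exact line in the allowed list (assumed matching rule).
missing_names() {
    chain_names "$1" | while IFS= read -r name; do
        printf '%s\n' "$2" | grep -qxF "$name" || printf '%s\n' "$name"
    done
}

# On the appliance, replace the sample with real output, e.g.
# missing_names "$(dig updates.example-av.test)" "$(cat allowed.txt)"
missing_names "$DIG_OUTPUT" "$ALLOWED"
```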

 

Step 3: Re-Test

  1. Flush the DNS cache on the computer. This ensures that new DNS queries are sent and that the domain names added to the list are resolved properly.
  2. Reconnect to the isolation network.
  3. Validate from the end station that the host is receiving the expected DNS response.
  • If the domain is resolved but the host still cannot reach it, troubleshoot the Isolation network itself (FortiNAC only provides DNS, not routing).
  • If the domain is not resolved, return to Step 1 (Identify which domains resolve to the Isolation interface) to re-evaluate.

 

Related article: 
Troubleshooting Tip: Appliance domain in Allowed Domains List causes inconsistent agent communicatio...
