Netskope Global Technical Success (GTS)
KB - CAA DNS Record Impact on Netskope Interception Proxy
Netskope Cloud Version - 122
Objective
Evaluate the impact of CAA DNS Record on Netskope Interception Proxy
Context
DNS CAA records (RFC 8659) let a domain owner state which Certificate Authorities (CAs) are allowed to issue SSL/TLS certificates for the domain. A publicly trusted CA must check the record before issuing, so the record prevents unauthorized CAs from issuing certificates for your domain. It is a control on domain ownership and certificate issuance; it is not consulted by a client when it validates the certificate presented in a TLS handshake.
When using the Netskope SSL Interception Proxy, Netskope acts as an intermediary between the client and the server, decrypting SSL/TLS traffic and re-encrypting it before forwarding it to the destination. To achieve this, the Netskope CA certificate is installed in the client's trust store, and the proxy presents the client with a certificate for the destination site signed by that CA. This often raises questions from customers about whether the Netskope CA certificate needs to be authorized for their own websites via CAA records, or how Netskope will handle websites that have CAA records in place.
Conclusion
A CAA DNS record only governs which CAs will issue certificates for your domain. Netskope does not request a certificate from a public CA; it signs a certificate with its own CA at interception time, so this behavior is not affected by your DNS CAA entry.
Additionally, SSL interception depends on the client trusting the Netskope CA. The only way interception can fail because of the certificate is if the Netskope CA certificate is not trusted by the client (for example, it is missing from the device's trust store). This is a separate concern from CAA records.
So the CAA entry does not prevent SSL interception by a proxy such as Netskope, as long as the proxy uses its own CA for interception.
Demonstration
For testing purposes, the website marand.homes was created. This website is hosted on GoDaddy, and a CAA record was added to allow certificates to be issued for the domain exclusively by the GoDaddy CA.
Using a CAA lookup tool (https://www.entrust.com/es/resources/tools/caa-lookup) it was confirmed that the CAA record had been added correctly; the same check can be made locally with `dig CAA marand.homes`.
The website marand.homes was then accessed from a device with the Netskope Client installed and enabled. As shown below, interception was successful despite the presence of the CAA record: the certificate presented to the browser was issued by the Netskope CA, not by GoDaddy.
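The following Python script is an added example for this KB, not Netskope code, and models the two checks contrasted in the Conclusion and exercised in the Demonstration: the CAA evaluation a CA performs before issuing (RFC 8659 issue/issuewild processing, including inheritance from the parent name), and the trust-store check a TLS client performs against the chain it actually receives. The zone data and CA names below are constructed for illustration (the Netskope CA name in a real tenant differs); `live_issuer` is an optional network helper that shows which CA signed the certificate your device really sees.

```python
"""Added example (not Netskope's code): why a CAA record does not block TLS
interception.  CAA is consulted by a Certificate Authority at issuance time
(RFC 8659); a TLS client validates the presented chain against its local
trust store and never looks at CAA.  Zone data and CA names are constructed."""
import re
import socket
import ssl

# Constructed CAA data modelled on the KB's test zone.  A real lookup would be
# `dig +short CAA marand.homes`.
ZONE_CAA = {
    "marand.homes": ['0 issue "godaddy.com"'],
}

CAA_RE = re.compile(r'^(\d+)\s+(issue|issuewild|iodef)\s+"([^"]*)"$')


def parse_caa(records):
    """Parse presentation-format CAA records into (flags, tag, value) tuples."""
    parsed = []
    for rec in records:
        m = CAA_RE.match(rec.strip())
        if not m:
            raise ValueError(f"unparseable CAA record: {rec!r}")
        parsed.append((int(m.group(1)), m.group(2), m.group(3)))
    return parsed


def relevant_caa(zone, fqdn):
    """RFC 8659 section 3: climb from the name towards the root until a CAA
    RRset is found; a subdomain without its own record inherits the parent's."""
    labels = fqdn.rstrip(".").split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        if zone.get(name):
            return parse_caa(zone[name])
    return []  # no CAA anywhere in the tree: any CA may issue


def ca_may_issue(zone, fqdn, ca_domain, wildcard=False):
    """The check a CA performs before issuing: does the relevant CAA RRset
    authorise `ca_domain`?  'issuewild' governs wildcard requests and falls
    back to 'issue'; a bare ";" value forbids issuance by anyone."""
    records = relevant_caa(zone, fqdn)
    if not records:
        return True
    tag = "issuewild" if wildcard else "issue"
    applicable = [v for _, t, v in records if t == tag]
    if wildcard and not applicable:
        applicable = [v for _, t, v in records if t == "issue"]
    if not applicable:
        return True  # CAA present, but no tag restricting this request
    # A value may carry parameters after ';' (e.g. "ca.example; policy=x").
    issuers = {v.split(";")[0].strip().lower() for v in applicable}
    issuers.discard("")  # "0 issue \";\"" means "nobody may issue"
    return ca_domain.lower() in issuers


def client_accepts(issuer_name, trust_store):
    """What a TLS client actually checks: is the presented chain anchored in the
    local trust store?  CAA plays no part in this decision."""
    return issuer_name in trust_store


def interception_scenario():
    """Both checks for the KB's test domain.  'Netskope CA' is a placeholder
    for the tenant CA installed in the endpoint's trust store."""
    fqdn = "marand.homes"
    endpoint_trust = {"GoDaddy Root CA", "Netskope CA"}  # constructed names
    return {
        # A public CA other than GoDaddy is refused by CAA at issuance time...
        "godaddy_may_issue": ca_may_issue(ZONE_CAA, fqdn, "godaddy.com"),
        "other_ca_may_issue": ca_may_issue(ZONE_CAA, fqdn, "letsencrypt.org"),
        # ...but the intercepting proxy never asks a public CA; its own CA
        # signs the per-site certificate and the client trusts that CA.
        "client_trusts_intercepted_chain": client_accepts("Netskope CA", endpoint_trust),
    }


def live_issuer(host, port=443):
    """Network helper (not used by the offline checks above): report who signed
    the certificate this device receives.  Run from a Netskope-enabled device
    it shows the Netskope CA; elsewhere it shows the public CA."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            issuer = dict(rdn[0] for rdn in tls.getpeercert()["issuer"])
    return issuer.get("organizationName"), issuer.get("commonName")


if __name__ == "__main__":
    for key, value in interception_scenario().items():
        print(f"{key}: {value}")
```

Running `python3 caa_vs_interception.py` (hypothetical file name) prints that GoDaddy may issue, another public CA may not, and the client still accepts the intercepted chain. Calling `live_issuer("marand.homes")` from a managed device and from an unmanaged one makes the difference visible on the real site.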
Terms and Conditions
- All documented information undergoes testing and verification to ensure accuracy.
- In the future, it is possible that the application's functionality may be altered by the vendor. If any such changes are brought to our attention, we will promptly update the documentation to reflect them.
- Please note that the website created for this KB was designed for testing purposes and may become unavailable at any time.
Notes
- This article is authored by Netskope Global Technical Success (GTS).
- For any further inquiries related to this article, please contact Netskope GTS by submitting a support case with 'Case Type – How To Questions'.