Purpose of DNS steering in Steering config

  • 5 August 2023
  • 5 replies
  • 488 views


Hello, 

Wondering what the use case for DNS steering in Steering config is, and how it differs from "Use Publisher DNS" in Private Apps.

5 replies


Hello @Siva

This controls whether you want the Netskope client to intercept DNS requests for applying DNS Security.  

https://docs.netskope.com/en/netskope-help/data-security/netskope-cloud-firewall/dns-security/

It should only impact DNS requests that aren't configured in NPA App Definitions and is intended for DNS requests to external domains. One other benefit beyond applying controls (sinkholing requests to malicious domains, tunneling detection, etc.) to the DNS traffic is that outbound DNS requests from the machine are also logged, which provides visibility.

The "Use Publisher DNS" setting on private apps overrides the default behavior of NPA to resolve defined domains to a "stub IP" address that NPA steers. Enabling this flag instead forwards requests to specified domains to the respective Publishers to get the real IP address of the hostname(s). In general, hosts defined in NPA take the highest precedence in resolution and steering, so DNS security should not impact NPA steering.


Thanks Sam. Follow-up question.

Is there a way to override/bypass certain FQDN DNS requests from being tunneled into NPA?

We have *.southshorehealth.org defined in an NPA app to use Publisher DNS, but would like server1.southshorehealth.org to go direct. I tried a DNS steering exception, but as per your explanation above, NPA is taking precedence.


Hello Siva, 

If it's defined by the wildcard then all DNS requests for that app will be steered through NPA when Publisher DNS is enabled. Is Publisher DNS required for the wildcard? Are all the IP addresses for southshorehealth.org defined in NPA apps as well? There are ways to force an exception, but the DNS request will still be tunneled via NPA.


Hi Sam,

The wildcard is used to cover all resources within the Corp network [e.g. PCs and servers for RDP/support tools used by IT support teams]. Is there an alternative way to achieve this?

Yes, the IP addresses for southshorehealth.org are defined in NPA apps.


Siva,


Does the specified app resolve differently for internal hosts vs external hosts?  If not, you can create a more specific app definition for server1.southshorehealth.org with Publisher DNS enabled.  If you don't define the IP address it resolves to in an app definition then it will resolve via NPA but the connection to the IP address it resolves to will not be steered to Netskope via Private Access (it may still go to the SWG if it's web traffic with a public IP address).  You must also ensure that the IP address is not included in other app definitions via CIDR blocks. 
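The precedence rules Sam lays out across this thread (NPA hostnames win over DNS steering, the most specific app definition wins, Publisher DNS returns the real IP instead of a stub, and the connection is only steered if that IP is itself covered by an app definition) can be walked through with a small model. The following is an added example written for this thread; it is not Netskope's code and does not reproduce the client's actual implementation. The app names, the IP addresses, the `STUB_IP` placeholder and the `decide()` function are all constructed for illustration.

```python
# Added example (not from the thread or from Netskope): a model of the
# resolution/steering precedence described above, so the server1 case can
# be traced step by step. All names and addresses below are constructed.
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

STUB_IP = "100.64.0.1"  # constructed placeholder standing in for an NPA "stub IP"


@dataclass
class AppDefinition:
    """Simplified NPA private-app definition: hostnames and/or CIDR blocks."""
    name: str
    hosts: List[str] = field(default_factory=list)   # exact names or "*.domain"
    cidrs: List[str] = field(default_factory=list)
    use_publisher_dns: bool = False


@dataclass
class Decision:
    app: Optional[str]            # matching app definition, if any
    resolver: str                 # "publisher", "stub" or "local"
    resolved_ip: str
    dns_via_npa: bool             # DNS request tunneled through NPA
    connection_via_npa: bool      # connection to the resolved IP steered by NPA
    dns_security_applies: bool    # request is a candidate for DNS steering / DNS Security


def _specificity(pattern: str, host: str) -> int:
    """Return -1 for no match; higher values mean a more specific match."""
    host = host.lower().rstrip(".")
    pattern = pattern.lower().rstrip(".")
    if pattern == host:
        return 1000  # an exact hostname beats any wildcard
    if pattern.startswith("*.") and host.endswith(pattern[1:]):
        return pattern.count(".")  # longer wildcard suffix = more specific
    return -1


def match_app(apps: List[AppDefinition], host: str) -> Optional[AppDefinition]:
    """Pick the most specific app definition whose hostnames cover `host`."""
    best, best_score = None, -1
    for app in apps:
        for pattern in app.hosts:
            score = _specificity(pattern, host)
            if score > best_score:
                best, best_score = app, score
    return best


def ip_in_app_cidrs(apps: List[AppDefinition], ip: str) -> bool:
    """True if `ip` falls inside any CIDR block defined on any app."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c, strict=False)
               for app in apps for c in app.cidrs)


def decide(apps: List[AppDefinition], host: str, real_ip: str,
           dns_steering_enabled: bool = True) -> Decision:
    """Model how a lookup for `host` (whose real answer is `real_ip`) is handled."""
    app = match_app(apps, host)
    if app is None:
        # Not an NPA hostname: DNS resolves locally and, if DNS steering is on,
        # the request is intercepted for DNS Security. The connection is still
        # steered by NPA when the answer lands inside an app's CIDR block.
        return Decision(None, "local", real_ip, False,
                        ip_in_app_cidrs(apps, real_ip), dns_steering_enabled)
    if app.use_publisher_dns:
        # Publisher DNS: the request is tunneled to the Publisher, which returns
        # the real IP. The connection is steered only if that IP is covered by
        # some app definition (the CIDR caveat in the last reply above).
        return Decision(app.name, "publisher", real_ip, True,
                        ip_in_app_cidrs(apps, real_ip), False)
    # Default NPA behaviour: answer with a stub IP that NPA always steers.
    return Decision(app.name, "stub", STUB_IP, True, True, False)


# Constructed scenario mirroring the thread: a wildcard app with Publisher DNS
# and a 10.0.0.0/8 block, plus a more specific app for server1 with no CIDRs.
APPS = [
    AppDefinition("corp-wildcard", hosts=["*.southshorehealth.org"],
                  cidrs=["10.0.0.0/8"], use_publisher_dns=True),
    AppDefinition("server1-direct", hosts=["server1.southshorehealth.org"],
                  use_publisher_dns=True),
]

if __name__ == "__main__":
    for host, ip in [("pc7.southshorehealth.org", "10.20.30.40"),
                     ("server1.southshorehealth.org", "203.0.113.10"),
                     ("server1.southshorehealth.org", "10.1.2.3"),
                     ("www.example.com", "198.51.100.5")]:
        print(f"{host} -> {decide(APPS, host, ip)}")
```

Running it shows the two outcomes the last reply distinguishes: server1 resolving to 203.0.113.10 goes through the Publisher for DNS but its connection is not steered, while the same name resolving to 10.1.2.3 is steered anyway because that address sits inside the wildcard app's CIDR block.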
