04-16-2014 03:49 PM
I have configured a session access-list for OCSP verification and I have defined a netdestination with all names (FQDNs) for the CA's CRL and OCSP URLs. I have configured "ip name-server" and "ip domain lookup", and all seems to work well. But could someone please explain to me what the controller is doing in the backend when a session hits this ACL?
Does the controller do a DNS lookup every time the OCSP rule is hit?
Does the controller then cache the various DNS lookup results for the OCSP URLs?
Or is it possible that the controller is doing DNS snooping and determining the correct IPs from the DNS query results from the users during the OCSP checks?
## Example Configurations:
ip access-list session GUEST-LOGON_ACL
any user svc-icmp permit log
user any udp 67 permit log
user alias Named_OCSP_List svc-http permit log
user any svc-http dst-nat 8080 log
user any svc-https dst-nat 8081 log
alias DHCP-Server user udp 68 permit log
user alias DNS-Server svc-dns permit log
04-16-2014 03:52 PM - edited 04-16-2014 04:05 PM
04-22-2014 07:46 AM - edited 04-22-2014 07:47 AM
Another question about it.
Does somebody know how and when those table entries get flushed (those visible with *show firewall dns-names*)?
Pretty strange that new IP addresses get added to a specific domain name and not substituted.
Am I missing something!?
Thanks in advance for your tips.
04-22-2014 08:52 AM
Those IP addresses are not used for forward lookups. They are used for reverse lookups. It is intended to see what IP address is resolved for an FQDN and then block/permit access to those IP addresses. If I want to block access to facebook.com, I need to know all of the IP addresses that it has resolved to, so I can block traffic to those IP addresses.
Aruba Customer Engineering
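An added illustration of the behaviour described in the answer above (my own model, not ArubaOS code): addresses seen in snooped DNS answers accumulate per FQDN rather than replacing each other, and a rule such as `user alias Named_OCSP_List svc-http permit` is matched by a reverse lookup of the destination IP against the learned names. The FQDNs and addresses are constructed placeholders.

```python
# Constructed model of a DNS-snooping firewall alias table (not ArubaOS code).
# Each A record seen in a DNS answer is ADDED to the set for its FQDN (never
# substituted, matching the accumulation seen in "show firewall dns-names"),
# and an ACL rule referencing a netdestination of names is evaluated by
# reverse-looking-up the destination IP in the learned table.
from dataclasses import dataclass, field
import ipaddress


@dataclass
class SnoopedDnsTable:
    # fqdn -> set of resolved addresses learned from snooped DNS answers
    entries: dict = field(default_factory=dict)

    def snoop(self, fqdn: str, answers: list[str]) -> None:
        """Learn addresses from one DNS response; entries accumulate."""
        name = fqdn.rstrip(".").lower()
        ips = self.entries.setdefault(name, set())
        for a in answers:
            ips.add(ipaddress.ip_address(a))

    def names_for(self, ip: str) -> set[str]:
        """Reverse lookup: which learned FQDNs has this address resolved to?"""
        addr = ipaddress.ip_address(ip)
        return {n for n, ips in self.entries.items() if addr in ips}


def evaluate_rule(table, netdestination: set[str], dst_ip: str, action="permit"):
    """Model 'user alias <netdest> svc-http permit': the rule matches when the
    destination has been seen resolving to any FQDN in the netdestination.
    Returns the action on a match, or None so the next ACL line is consulted."""
    hits = table.names_for(dst_ip) & {n.lower() for n in netdestination}
    return action if hits else None


# Constructed netdestination of OCSP/CRL names (placeholders, not real CA hosts)
OCSP_NAMES = {"ocsp.example-ca.test", "crl.example-ca.test"}


def demo():
    t = SnoopedDnsTable()
    t.snoop("ocsp.example-ca.test", ["192.0.2.10"])
    t.snoop("ocsp.example-ca.test", ["192.0.2.11"])  # new IP added, old one kept
    t.snoop("www.example.test", ["198.51.100.5"])    # unrelated name
    return {
        "learned": sorted(str(i) for i in t.entries["ocsp.example-ca.test"]),
        "old_ip": evaluate_rule(t, OCSP_NAMES, "192.0.2.10"),
        "new_ip": evaluate_rule(t, OCSP_NAMES, "192.0.2.11"),
        "other": evaluate_rule(t, OCSP_NAMES, "198.51.100.5"),
        "unseen": evaluate_rule(t, OCSP_NAMES, "203.0.113.7"),
    }


if __name__ == "__main__":
    print(demo())
```

A destination that returns None here would fall through to the later `user any svc-http dst-nat 8080` line in the original ACL, which is why a name whose DNS answer was never snooped by the controller gets redirected instead of permitted.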