I have configured a session access-list for OCSP verification and I have defined a netdestination with all names (FQDNs) for the CA's CRL and OCSP URLs. I have configured "ip name-server" and "ip domain lookup". And all seems to work well. But could someone please explain to me what the controller is doing in the backend when a session hits this ACL?
Does the controller do a DNS lookup every time the OCSP rule is hit?
Does the controller then cache the various DNS lookup results for the OCSP URLs?
Or is it possible that the controller is doing DNS snooping and determining the correct IPs from the DNS query results from the users during the OCSP checks?
## Example Configurations:

```
!
netdestination Named_OCSP_List
name ocsp.ws.symantec.xom
name ocsp.geotrust.com
name ocsp.thawte.com
name oscp.verisign.com
name crl.verisign.com
name SVRIntl-G3-crl.verisign.com
!
!
ip access-list session GUEST-LOGON_ACL
any user svc-icmp permit log
user any udp 67 permit log
user alias Named_OCSP_List svc-http permit log
user any svc-http dst-nat 8080 log
user any svc-https dst-nat 8081 log
alias DHCP-Server user udp 68 permit log
user alias DNS-Server svc-dns permit log
!
```
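To show why the resolver question matters for this ACL, here is an added example (not ArubaOS code or anything from the original post): a small parser for the netdestination and session-ACL lines above, with a first-match evaluator that expands the alias through a resolver view. How the real controller binds IPs to an FQDN alias is exactly what is being asked; the two resolver views below are constructed to show what happens if the controller's answer and the client's answer differ.

```python
"""Added example, not ArubaOS code: parse the netdestination / session-ACL
syntax from the post and evaluate an HTTP flow under two constructed
resolver views. Which IPs the controller actually binds to the alias is
the open question; both views here are made up for illustration."""

CONFIG = """\
netdestination Named_OCSP_List
name ocsp.geotrust.com
name ocsp.thawte.com
!
ip access-list session GUEST-LOGON_ACL
user alias Named_OCSP_List svc-http permit log
user any svc-http dst-nat 8080 log
!
"""

def parse(text):
    """Return ({netdest: [fqdn, ...]}, [(dst_kind, dst_ref, service, action)])."""
    netdests, rules, cur = {}, [], None
    for line in text.splitlines():
        w = line.split()
        if not w or w[0] == "!":
            continue
        if w[-1] == "log":                 # logging flag does not change the verdict
            w = w[:-1]
        if w[0] == "netdestination":
            cur = netdests.setdefault(w[1], [])
        elif w[0] == "name" and cur is not None:
            cur.append(w[1])
        elif w[0] == "user":               # only src=user rules are modelled here
            if w[1] == "alias":
                rules.append(("alias", w[2], w[3], " ".join(w[4:])))
            else:
                rules.append(("any", None, w[2], " ".join(w[3:])))
    return netdests, rules

def evaluate(dst_ip, service, resolver, cfg=CONFIG):
    """First-match walk; an alias matches if dst_ip is in its resolved IP set."""
    netdests, rules = parse(cfg)
    for kind, ref, svc, action in rules:
        if svc != service:
            continue
        if kind == "any" or any(dst_ip in resolver.get(n, ()) for n in netdests[ref]):
            return action
    return "deny"                          # implicit deny at the end of the ACL

# Constructed resolver views: what the controller's own lookup returned vs.
# what the client was answered (a CDN handed the client a different address).
CONTROLLER_VIEW = {"ocsp.geotrust.com": {"203.0.113.10"}, "ocsp.thawte.com": {"203.0.113.11"}}
CLIENT_VIEW = {"ocsp.geotrust.com": {"198.51.100.20"}, "ocsp.thawte.com": {"203.0.113.11"}}
```

With the controller view, the client's OCSP request to 198.51.100.20 misses the alias and falls through to the `dst-nat 8080` rule, which is the failure mode a name-based rule with stale or divergent resolution produces.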