
[AF] Domain names added to the AF Blacklist are not effective because the DNS lookup does not go through AF

Problem Description

The customer uses AF to block a domain name. The domain name has been added to the AF Blacklist, but hosts on the intranet can still open the website at that domain.

Warning Info

N/A

Effective troubleshooting steps

  1. As a test, add the IP address to which the domain name resolves to the AF Blacklist. This takes effect immediately: the domain name can no longer be accessed.
  2. Check the DNS cache of the computer with ipconfig /displaydns and confirm that it holds a cached record for the domain name.
  3. Clear the DNS cache of the computer with ipconfig /flushdns and test again: the domain name can still be accessed.
  4. Check which DNS server the computer uses and what it answers: run nslookup for the domain name and confirm that the answer comes from the intranet DNS server, which still holds a cached record for the domain.
  5. Ask the customer to clear the cache of the intranet DNS server and test again. If the domain name website can no longer be opened, the Blacklist has taken effect.

Root cause

Adding a domain name to the AF Blacklist actually blocks the IP address(es) to which the domain resolves. AF learns that mapping from the DNS traffic it inspects, so a DNS lookup for the domain must pass through AF before the Blacklist entry can take effect.
Here the intranet DNS server already had the domain cached, so no lookup for it crossed AF. AF sees only a connection from the requesting IP address to the destination IP address and cannot associate it with the blacklisted domain name.

solution

  1. Temporary solution: also add the IP address to which the domain name resolves to the Blacklist, which blocks the traffic directly.
  2. Permanent solution: place the DNS server outside AF (or point intranet computers at a DNS server beyond AF) so that intranet DNS queries traverse AF; the domain-name Blacklist then takes effect.
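The following toy model illustrates the root cause above and both solutions in runnable form. It is an added example, not Sangfor code and not how AF is actually implemented: the class names, the domain name, the TEST-NET-3 addresses, and the assumption that AF learns the domain-to-IP mapping only from DNS responses it forwards are all assumptions made for illustration.

```python
"""Model of a domain-name Blacklist that only takes effect once a DNS lookup
for the name crosses the gateway (AF).  Added example; names and addresses
are assumptions, not Sangfor's implementation."""
from dataclasses import dataclass, field
from typing import Callable, Dict, Set

BLOCKED_DOMAIN = "blocked.example"            # assumed Blacklist entry
AUTHORITATIVE = {                              # assumed DNS answers (TEST-NET-3)
    BLOCKED_DOMAIN: "203.0.113.10",
    "other.example": "203.0.113.20",
}


@dataclass
class AF:
    """Gateway: enforces an IP blacklist on connections and, when a DNS response
    for a blacklisted domain passes through it, adds the answered IP to that list."""
    domain_blacklist: Set[str] = field(default_factory=set)
    ip_blacklist: Set[str] = field(default_factory=set)

    def forward_dns(self, name: str) -> str:
        ip = AUTHORITATIVE[name]
        if name in self.domain_blacklist:
            self.ip_blacklist.add(ip)          # the only point where AF learns name -> IP
        return ip

    def allow_connect(self, dst_ip: str) -> bool:
        return dst_ip not in self.ip_blacklist  # a TCP connection carries no domain name


@dataclass
class CachingResolver:
    """A caching DNS server or a host's stub resolver; misses go to `upstream`."""
    upstream: Callable[[str], str]
    cache: Dict[str, str] = field(default_factory=dict)

    def resolve(self, name: str) -> str:
        if name not in self.cache:
            self.cache[name] = self.upstream(name)
        return self.cache[name]                # cache hit: nothing crosses AF

    def flush(self) -> None:
        self.cache.clear()


def can_reach(client: CachingResolver, af: AF, name: str) -> bool:
    return af.allow_connect(client.resolve(name))


def warm_then_blacklist():
    """Topology from the page: PC -> intranet DNS server (inside AF) -> AF -> Internet.
    The domain is resolved (and cached at both levels) before it is blacklisted."""
    af = AF()
    intranet_dns = CachingResolver(upstream=af.forward_dns)
    client = CachingResolver(upstream=intranet_dns.resolve)  # ipconfig /displaydns cache
    can_reach(client, af, BLOCKED_DOMAIN)
    af.domain_blacklist.add(BLOCKED_DOMAIN)
    return af, intranet_dns, client


def reproduce() -> bool:
    """Symptom: domain still reachable after it was added to the Blacklist."""
    af, _, client = warm_then_blacklist()
    return can_reach(client, af, BLOCKED_DOMAIN)


def flush_client_only() -> bool:
    """Steps 2-3: ipconfig /flushdns on the PC alone; intranet DNS still answers from cache."""
    af, _, client = warm_then_blacklist()
    client.flush()
    return can_reach(client, af, BLOCKED_DOMAIN)


def flush_intranet_dns() -> bool:
    """Step 5: clear the intranet DNS server cache too; the next lookup crosses AF."""
    af, intranet_dns, client = warm_then_blacklist()
    client.flush()
    intranet_dns.flush()
    return can_reach(client, af, BLOCKED_DOMAIN)


def temporary_fix_block_ip() -> bool:
    """Temporary solution: add the resolved IP to the Blacklist directly."""
    af, _, client = warm_then_blacklist()
    af.ip_blacklist.add(AUTHORITATIVE[BLOCKED_DOMAIN])
    return can_reach(client, af, BLOCKED_DOMAIN)


def permanent_fix_dns_outside_af() -> bool:
    """Permanent solution: the PC queries a DNS server beyond AF, so every miss crosses AF."""
    af = AF()
    client = CachingResolver(upstream=af.forward_dns)
    af.domain_blacklist.add(BLOCKED_DOMAIN)
    return can_reach(client, af, BLOCKED_DOMAIN)


def other_domain_unaffected() -> bool:
    af, _, client = warm_then_blacklist()
    return can_reach(client, af, "other.example")


if __name__ == "__main__":
    for fn in (reproduce, flush_client_only, flush_intranet_dns,
               temporary_fix_block_ip, permanent_fix_dns_outside_af):
        print(f"{fn.__name__:32s} reachable={fn()}")
```

The model reproduces the troubleshooting sequence: flushing only the PC cache changes nothing, because the intranet DNS server still serves the answer without a query ever crossing AF; only after the intranet cache is cleared (or the PC is pointed at a resolver beyond AF) does a lookup reach AF, at which point the Blacklist entry starts blocking. Note that the permanent fix still depends on a cache miss: a PC whose own cache already holds the answer stays reachable until that entry expires or is flushed.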

Operation Impact Scope

  1. IP addresses added to the AF Blacklist cannot be accessed from the intranet at all, including any other websites hosted on the same addresses. Please operate with caution.
  2. Clearing the DNS cache of the computer or of the intranet DNS server must be explained to the customer in advance, since it briefly affects resolution of all other domain names as well.

Is this a temporary solution?

Temporary solution: also add the IP address to which the domain name resolves to the Blacklist, which blocks the traffic directly.

Suggestions and Conclusion

Starting from AF 8.0.32 (standard version), the AF Blacklist supports adding domain names.

Troubleshooting content

N/A

Original Link

https://support.sangfor.com.cn/cases/list?product_id=13&type=1&category_id=1638&isOpen=true