
Bogwitch
Aug 27, 2020

ATP and APP proxy awareness

Hi All,

We have been told by our VAR that the ATP and APP client require Internet DNS lookup to operate, specifically for registration.

Our environment is secured by having a default route which is *NOT* the Internet (it's a switch in the Datacentre) and our Domain Controllers do not peer to the Internet for DNS resolution; all our Internet connectivity goes via a proxy.

Is it true that ATP and APP require the DNS lookup, and if so, what other communication will need to travel outside of the proxy?

Thanks in advance,

Bog

  • Bogwitch 

    See this:

    https://docs.microsoft.com/en-us/azure-advanced-threat-protection/configure-proxy#enable-access-to-azure-atp-service-urls-in-the-proxy-server

    You need to be able to resolve the addresses mentioned there.

    You don't need to use an internet DNS as long as your local DNS knows how to forward those requests or resolve them correctly on its own.

    Notice not to use a local static resolution like a hosts file to resolve that, as while it's rare, those IP addresses can change without notice to something else in the service tag range...
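
A check for the hosts-file caveat in the reply above, as an added example that is not part of the original thread: it scans hosts-file text for static entries that pin service hostnames. The suffix `sensorapi.example.invalid` and the sample file are constructed placeholders; take the real names from the linked Microsoft page.

```python
"""Added example: flag hosts-file entries that statically pin service hostnames."""
import ipaddress

# Assumption: placeholder suffix, not a real service name.
# Replace with the hostnames listed on the vendor's proxy configuration page.
SERVICE_SUFFIXES = ("sensorapi.example.invalid",)

# Constructed sample hosts file, not taken from any real system.
SAMPLE_HOSTS = """\
# constructed sample
127.0.0.1   localhost
10.20.30.40 contoso-corpsensorapi.example.invalid  # pinned by hand
192.0.2.10  fileserver.corp.local FILESERVER
0.0.0.0     Triage.SensorApi.Example.Invalid
not-an-ip   broken.line
"""


def find_pinned(hosts_text, suffixes=SERVICE_SUFFIXES):
    """Return [(line_no, ip, hostname)] for every hosts entry whose name
    ends in one of `suffixes` (case-insensitive, trailing dot ignored)."""
    suffixes = tuple(s.lower().rstrip(".") for s in suffixes)
    hits = []
    for line_no, raw in enumerate(hosts_text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed line: not a usable static mapping
        for name in fields[1:]:  # one address may carry several aliases
            host = name.lower().rstrip(".")
            if host.endswith(suffixes):
                hits.append((line_no, str(ip), host))
    return hits


if __name__ == "__main__":
    for line_no, ip, host in find_pinned(SAMPLE_HOSTS):
        print(f"line {line_no}: {host} is pinned to {ip}; resolve it via DNS instead")
```

On a Windows host, the text to pass in would be the contents of `%SystemRoot%\System32\drivers\etc\hosts`.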

    • Bogwitch

      EliOfek

      Hi Eli,

      Thanks for getting back to me. I'm a little confused as to why the DNS lookup is required. If the software is proxy aware, there should be no need for a DNS lookup as the proxy will perform the resolution.

      Our security model is one that greatly reduces the likelihood of a command and control or data exfiltration channel being established via DNS and we're keen to avoid reducing that stance.

      Is the IP address returned by the DNS lookup actually used for any requests? If so, are those requests direct (meaning we will need to create static routes to bypass the proxy) or are the IP addresses replacing the URL in the request that's sent to the proxy?

      If the IP addresses are not used at all, why the DNS lookup and why would it be a problem if we simply resolved to BOGON addresses?

      Thanks,

      Bog

      • Bogwitch

        Does anyone else have any insights here?

        Thanks,

        Bog
