ATP and APP proxy awareness


Hi All,

We have been told by our VAR that the ATP and APP client require Internet DNS lookup to operate, specifically for registration.

Our environment is secured by having a default route which is *NOT* the Internet (it's a switch in the Datacentre) and our Domain Controllers do not peer to the Internet for DNS resolution; all our Internet connectivity goes via a proxy.

Is it true that ATP and APP require the DNS lookup, and if so, what other communication will need to travel outside of the proxy?

Thanks in advance,

Bog

3 Replies

@Bogwitch

See this:

https://docs.microsoft.com/en-us/azure-advanced-threat-protection/configure-proxy#enable-access-to-azure-atp-service-urls-in-the-proxy-server

You need to be able to resolve the addresses mentioned there.

You don't need to use an internet DNS as long as your local DNS knows how to forward those requests or resolve them correctly on its own.

Notice not to use a local static resolution like a hosts file to resolve that, as, while it's rare, those IP addresses can change without notice to something else in the service tag range...
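A way to verify the two points in the reply above on a Domain Controller before installing the sensor: that the required service hostnames resolve through the DC's own DNS (and its forwarders) rather than through static hosts-file entries, and that the proxy the sensor will use is reachable. This is an added example, not code from the thread or from Microsoft; the hostnames in `$RequiredHosts` and the proxy address are placeholders to be replaced with the names listed in the linked configure-proxy document and your own proxy.

```powershell
# Added example (not from the thread). Placeholders: $RequiredHosts must be filled
# from the Microsoft configure-proxy page; $ProxyHost/$ProxyPort are your proxy.
param(
    [string[]] $RequiredHosts = @('placeholder-sensorapi.atp.example.invalid'),  # placeholder
    [string]   $ProxyHost     = 'proxy.corp.example.invalid',                    # placeholder
    [int]      $ProxyPort     = 8080
)

$hostsFile = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

# 1. Static hosts-file pins. The reply warns against these because the service
#    IPs can change without notice; flag any line that names a required host.
$pinned = Get-Content $hostsFile -ErrorAction SilentlyContinue |
    Where-Object { $_ -notmatch '^\s*#' -and $_.Trim() -ne '' } |
    ForEach-Object {
        $fields = (($_ -split '#')[0] -split '\s+') | Where-Object { $_ }
        if ($fields.Count -lt 2) { return }   # address with no names: nothing to pin
        [pscustomobject]@{ Address = $fields[0]; Names = $fields[1..($fields.Count - 1)] }
    } |
    Where-Object { $entry = $_; $RequiredHosts | Where-Object { $entry.Names -contains $_ } }

foreach ($p in $pinned) {
    Write-Warning "hosts file pins $($p.Names -join ',') to $($p.Address); remove it and let DNS resolve the name"
}

# 2. Resolution via the DNS protocol only (-DnsOnly skips the hosts file and the
#    local cache), so a success here means the DC's forwarders answered.
foreach ($name in $RequiredHosts) {
    try {
        $records = Resolve-DnsName -Name $name -Type A -DnsOnly -ErrorAction Stop
        $ips = ($records | Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress }) -join ', '
        Write-Output "OK   $name -> $ips"
    } catch {
        Write-Output "FAIL $name does not resolve via DNS: $($_.Exception.Message)"
    }
}

# 3. The sensor's HTTPS traffic leaves through the proxy, so the proxy port itself
#    must be reachable from the DC even though the default route is not the Internet.
$proxy = Test-NetConnection -ComputerName $ProxyHost -Port $ProxyPort -WarningAction SilentlyContinue
Write-Output ("Proxy {0}:{1} reachable: {2}" -f $ProxyHost, $ProxyPort, $proxy.TcpTestSucceeded)
```

Run it in an elevated PowerShell session on the DC that will host the sensor (`.\Check-AtpDns.ps1 -RequiredHosts 'name1','name2' -ProxyHost proxy -ProxyPort 8080`). A `FAIL` in step 2 with no warning in step 1 means the local DNS has no forwarder or conditional forwarder for that zone; a warning in step 1 is the hosts-file pin the reply says to avoid.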


@Eli Ofek

Hi Eli,

Thanks for getting back to me. I'm a little confused as to why the DNS lookup is required. If the software is proxy aware, there should be no need for a DNS lookup, as the proxy will perform the resolution.

Our security model is one that greatly reduces the likelihood of a command and control or data exfiltration channel being established via DNS, and we're keen to avoid reducing that stance.

Is the IP address returned by the DNS lookup actually used for any requests? If so, are those requests direct (meaning we will need to create static routes to bypass the proxy), or are the IP addresses replacing the URL in the request that's sent to the proxy?

If the IP addresses are not used at all, why the DNS lookup, and why would it be a problem if we simply resolved to BOGON addresses?

Thanks,

Bog


Does anyone else have any insights here?

Thanks,

Bog