ETP Client for DNS and risky web traffic

ETP Client forwards DNS traffic, and optionally risky web traffic, depending on how ETP Proxy is configured:
  • ETP Proxy is enabled and scans only risky traffic. In this mode, ETP Client forwards web traffic for risky domains to ETP Proxy. If you are licensed for ETP Advanced Threat, this mode of the client is enabled when you select the bypass action for unclassified traffic. For more information, see Unclassified traffic.
  • ETP Proxy is not enabled. In this mode, ETP Client forwards only DNS traffic to ETP.

Regardless of configuration, ETP policy is applied to DNS requests that are made on machines inside and outside the corporate network.

ETP Client includes these capabilities:

  • Detects an end user's network conditions.
  • Sends DNS requests to ETP.
  • Applies an ETP policy and other configuration settings to DNS requests.
  • Logs user information. In ETP, user information appears on the event reporting pages when a policy is violated and an event is logged. ETP Client also includes its own logs. By default, ETP Client is set with the Info Only log type. This log type records system errors, while the Debug and Verbose log types record additional information, such as DNS lookup queries. For more information, see Troubleshoot logs.
  • Identifies clients by computer name. Because the computer name is recorded with each event, an enterprise may not need to deploy a Security Connector in its network to discover the name of an infected machine.
  • Privacy of DNS traffic with DNS over TLS (DoT). If DoT is enabled, communication between ETP Client and ETP DNS is encrypted. DoT is available in version 3.2.0 or later. This feature is currently in beta. For more information about DoT, see DNS over TLS.

After ETP Client is installed on an end-user machine, it changes the system's DNS settings to point at the localhost address (127.0.0.1), where ETP Client listens as a DNS proxy. As a result, all DNS traffic from the machine is directed to ETP Client for resolution.

ETP Client allows or blocks traffic based on ETP policy and its associated locations. If a policy is configured to redirect traffic to Enterprise Security Connector or a custom response, ETP Client may also redirect traffic to the IP address of Security Connector or the custom response.

To use ETP Client in your network, make sure these conditions apply:
  • ETP Client locations on the corporate network are configured in ETP. This includes public IP addresses of all exit points or gateways in the corporate network. These addresses allow ETP to identify the location where traffic is coming from and apply the policy that corresponds to this location.
  • When ETP Client is off the corporate network and connects from an IP address that is not configured as a location in ETP, the pre-defined Off Network ETP Clients location is applied.

You can also configure ETP Client to resolve internal domains with the DNS resolver on the corporate network. This is done without querying ETP DNS and requires that super administrators specify corporate domain suffixes in the client configuration.

In some networks, a split DNS topology is used so that a domain resolves to different public and private IP addresses depending on whether a client is connecting from inside or outside the network. You can specify your internal corporate network IPv4 and IPv6 address ranges and DNS suffixes; when a split DNS domain resolves to multiple IP addresses, ETP Client prefers the addresses that fall in these internal ranges.

Note: Security software such as a network firewall or adware and spyware removal programs may attempt to block ETP Client. To avoid this issue, open the settings of these programs and mark ETP Client as a safe or allowed application. Also, if client computers have DNS anonymizing proxy software installed, remove that software, because it is likely to bypass ETP policy.

When an end user requests a domain:

  1. Requests are forwarded to the closest Akamai ETP DNS server. If DoT is enabled, these requests are encrypted with TLS.
  2. If the request is a threat, it's blocked, or forwarded to Enterprise Security Connector or a custom response, depending on the policy action that is configured. These requests are not forwarded to local DNS resolvers.
  3. If the request is not a threat, the query is also sent to the local DNS resolvers. Although ETP can resolve safe requests as well, responses for computers in the corporate network are preferred.

Note: Before distributing ETP Client throughout your network, make sure you test ETP Client in an environment that contains the same network configuration, VPN, and security applications as production.
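The resolution steps above, together with the corporate-suffix bypass and the split DNS preference described earlier on this page, modelled as an added Python example. This is not Akamai's code and does not reflect how ETP Client is implemented; the domain names, ETP verdicts, resolver answers, address ranges and location prefixes are constructed for illustration, and the ordering of the checks is an assumption drawn from this page.

```python
"""Model of the ETP Client DNS decision flow described on this page.

Added example, not Akamai's code. All names, verdicts, answers, ranges and
locations below are constructed for illustration.
"""
import ipaddress

# Constructed configuration (assumption: what a super administrator enters).
CORPORATE_SUFFIXES = ("corp.example.com",)
INTERNAL_RANGES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "fd00::/8")]
# Constructed corporate locations keyed by public egress prefix.
LOCATIONS = {"Headquarters": ipaddress.ip_network("203.0.113.0/24")}
OFF_NETWORK = "Off Network ETP Clients"

# Constructed ETP DNS verdicts: name -> (action, answers).
# "resolve" means the request is not a threat.
ETP_DNS = {
    "www.example.net": ("resolve", ["198.51.100.10"]),
    "malware.example.org": ("block", []),
    "phish.example.org": ("redirect", ["192.0.2.5"]),  # constructed Security Connector IP
    "intranet.example.com": ("resolve", ["198.51.100.20"]),  # public side of split DNS
}

# Constructed answers from the local corporate resolver.
LOCAL_DNS = {
    "intranet.example.com": ["10.1.2.3"],  # private side of split DNS
    "wiki.corp.example.com": ["10.1.2.4"],
    "www.example.net": ["198.51.100.10"],
}


def select_location(egress_ip):
    """Pick the ETP location whose configured public prefix contains the egress IP,
    or the pre-defined Off Network location when none matches."""
    ip = ipaddress.ip_address(egress_ip)
    for name, net in LOCATIONS.items():
        if ip in net:
            return name
    return OFF_NETWORK


def matches_corporate_suffix(name):
    """True when the name is, or is under, a configured corporate DNS suffix."""
    return any(name == s or name.endswith("." + s) for s in CORPORATE_SUFFIXES)


def prefer_internal(answers):
    """Keep only answers inside the internal ranges if there are any;
    otherwise return the answers unchanged."""
    internal = [a for a in answers
                if any(ipaddress.ip_address(a) in n for n in INTERNAL_RANGES)]
    return internal or answers


def resolve(name, etp=ETP_DNS, local=LOCAL_DNS):
    """Return (action, answers) the client would hand back to the application."""
    # Corporate suffixes are resolved only by the local resolver; ETP DNS is not queried.
    if matches_corporate_suffix(name):
        return ("local", local.get(name, []))
    action, etp_answers = etp.get(name, ("resolve", []))
    if action in ("block", "redirect"):
        # Threat: block or redirect per policy; the local resolvers never see the query.
        return (action, etp_answers)
    # Not a threat: the query also goes to the local resolvers, and answers that
    # belong to the corporate network are preferred (split DNS).
    combined = list(dict.fromkeys(etp_answers + local.get(name, [])))
    return ("resolve", prefer_internal(combined))


if __name__ == "__main__":
    print(select_location("203.0.113.7"), select_location("198.51.100.1"))
    for q in ("www.example.net", "malware.example.org", "phish.example.org",
              "intranet.example.com", "wiki.corp.example.com"):
        print(q, resolve(q))
```

The useful cases to check are the split DNS name (the internal 10.1.2.3 answer wins over the public 198.51.100.20) and the corporate-suffix name (answered by the local resolver without an ETP verdict), since those are the two places where a misconfigured suffix list or address range silently changes what end users get.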

When the client sends queries to ETP, it sends the request to the closest ETP DNS server. ETP returns an IP address that is in the closest geolocation to the client, providing optimal DNS resolution performance.