Network flow of DNS sinkhole

Depending on whether ETP Proxy is enabled or disabled, these network flows apply:

Network flow when ETP Proxy is enabled

  1. The end user requests a URL, and the first DNS resolution occurs:
    1. The browser makes a DNS request. The corporate network egress IP address is associated with a location configuration in ETP. As a result, the policy assigned to that location is applied.
    2. ETP identifies the domain as malicious. Based on a policy configuration, the malicious domain is resolved to the IP address of ETP Proxy.
  2. These steps apply to HTTP traffic:
    1. The browser sends the HTTP or HTTPS request to ETP Proxy. The corporate network egress IP address is associated with a location configuration in ETP. As a result, the policy assigned to that location is applied.
    2. ETP identifies the HTTP resource as malicious. Based on a policy configuration, the client is redirected to the security connector on the corporate network.
  3. Malicious HTTP and HTTPS requests that were directed to the proxy are redirected to Security Connector. The end user's machine sends a request to Security Connector.
    Note: HTTP and HTTPS traffic is redirected to Security Connector 2.5.0 or later.
  4. Security Connector collects the internal IP address of the end user's machine and other event information. Access to the malicious domain is blocked and the end user is redirected to the custom error page that corresponds to the threat type or category. For more information on error pages, see the Error pages help topic.
  5. Security Connector sends the internal IP address and other collected machine information to ETP. ETP Proxy and ETP DNS also send information to ETP reporting. ETP reporting correlates the data and shows the internal IP address and machine name in each threat event.

Network flow when ETP Proxy is disabled

  1. For a DNS request:
    1. An end user makes a DNS request. The corporate network egress IP address is associated with a location configuration in ETP. As a result, the policy assigned to that location is applied.
    2. ETP identifies the domain as malicious. Based on a policy configuration, the malicious domain is resolved to the IP address of the security connector on the corporate network.
  2. The end user's machine sends a network request to Security Connector.
  3. Security Connector collects the internal IP address of the end user's machine and other event information. Access to the malicious domain is blocked and the end user is shown the Website Access is Prohibited custom error page. For more information on error pages, see the Error pages help topic.
  4. Security Connector sends the internal IP address and other collected machine information to ETP reporting. ETP DNS also sends information to ETP reporting where data correlation occurs. ETP reports show the internal IP address and machine name in each threat event.
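The reason the sinkhole matters is visible in both flows above: ETP DNS and ETP Proxy only ever see the corporate egress IP address, so on their own they cannot say which machine behind the NAT made the request. Resolving the malicious name to an address inside the corporate network forces the client to connect to Security Connector, which does see the internal IP address and can report it. The following Python simulation is an added example, not Akamai code, and models both flows (ETP Proxy enabled and disabled) end to end. All addresses, hostnames, domains, class names and the correlation logic are constructed for illustration; real ETP reporting correlates on more than the domain name.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# All addresses, names and domains below are constructed for this example.
ETP_PROXY_IP = "203.0.113.10"          # hypothetical ETP Proxy address
SECURITY_CONNECTOR_IP = "10.20.0.5"    # hypothetical Security Connector on the corporate LAN
CORP_EGRESS_IP = "198.51.100.7"        # hypothetical corporate NAT egress address
LOCATIONS = {CORP_EGRESS_IP: "HQ"}     # egress IP -> ETP location; HQ has a sinkhole policy
THREAT_LIST = {"malware.example": "Malware", "phish.example": "Phishing"}


@dataclass
class Event:
    source: str                        # "dns", "proxy" or "connector"
    domain: str
    client_ip: str                     # the address this component actually observes
    threat: Optional[str] = None
    machine_name: Optional[str] = None


class EtpDns:
    """ETP DNS only sees the corporate egress IP, never the end user's machine."""
    def __init__(self, proxy_enabled: bool, events: List[Event]):
        self.proxy_enabled = proxy_enabled
        self.events = events

    def resolve(self, domain: str, egress_ip: str) -> str:
        threat = THREAT_LIST.get(domain)
        if egress_ip not in LOCATIONS or threat is None:
            return "RESOLVED_NORMALLY"  # no location policy, or a benign domain
        self.events.append(Event("dns", domain, egress_ip, threat))
        # Sinkhole answer: ETP Proxy when enabled, otherwise Security Connector directly
        return ETP_PROXY_IP if self.proxy_enabled else SECURITY_CONNECTOR_IP


class EtpProxy:
    """ETP Proxy inspects HTTP(S) and redirects malicious requests to the connector."""
    def __init__(self, events: List[Event]):
        self.events = events

    def handle_http(self, domain: str, egress_ip: str) -> Dict[str, str]:
        threat = THREAT_LIST.get(domain)
        if threat is None:
            return {"action": "allow"}
        self.events.append(Event("proxy", domain, egress_ip, threat))
        return {"action": "redirect", "to": SECURITY_CONNECTOR_IP, "threat": threat}


class SecurityConnector:
    """Sits on the LAN, so it observes the real internal IP and the machine name."""
    def __init__(self, events: List[Event]):
        self.events = events

    def handle(self, domain: str, internal_ip: str, machine_name: str,
               threat: Optional[str] = None) -> str:
        self.events.append(Event("connector", domain, internal_ip, threat, machine_name))
        # The proxy redirect carries the threat type, so a category-specific page is shown;
        # the DNS-only flow shows the generic page.
        return f"{threat} error page" if threat else "Website Access is Prohibited"


def correlate(events: List[Event]) -> List[Dict[str, object]]:
    """Model of ETP reporting: join each connector event with DNS/proxy events for the same domain."""
    report = []
    for ev in events:
        if ev.source != "connector":
            continue
        cloud = [e for e in events if e.source != "connector" and e.domain == ev.domain]
        report.append({
            "domain": ev.domain,
            "threat": ev.threat or (cloud[0].threat if cloud else None),
            "egress_ip": cloud[0].client_ip if cloud else None,
            "internal_ip": ev.client_ip,
            "machine_name": ev.machine_name,
            "seen_by": sorted({e.source for e in cloud} | {"connector"}),
        })
    return report


def simulate(domain: str, proxy_enabled: bool, internal_ip: str = "10.20.1.42",
             machine_name: str = "LAPTOP-ALICE") -> Dict[str, object]:
    """Run one client request through the sinkhole flow and return the page shown and the report."""
    events: List[Event] = []
    dns = EtpDns(proxy_enabled, events)
    proxy, connector = EtpProxy(events), SecurityConnector(events)
    answer = dns.resolve(domain, CORP_EGRESS_IP)
    if answer == "RESOLVED_NORMALLY":
        return {"page": None, "report": []}
    if answer == ETP_PROXY_IP:                       # proxy-enabled flow, steps 2-5
        decision = proxy.handle_http(domain, CORP_EGRESS_IP)
        page = connector.handle(domain, internal_ip, machine_name, decision["threat"])
    else:                                            # proxy-disabled flow, steps 2-4
        page = connector.handle(domain, internal_ip, machine_name)
    return {"page": page, "report": correlate(events)}


if __name__ == "__main__":
    for enabled in (True, False):
        print("proxy enabled" if enabled else "proxy disabled", simulate("malware.example", enabled))
```

Running `simulate("malware.example", True)` walks the proxy-enabled flow and produces a report entry that carries both the egress IP (seen by ETP DNS and ETP Proxy) and the internal IP and machine name (seen only by Security Connector); the same call with `False` skips the proxy and shows the generic "Website Access is Prohibited" page. The practical check this illustrates is that a threat event with no internal IP means the sinkholed connection never reached Security Connector, for example because the connector address is unreachable from that subnet.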