TLS connection from clients to Umbrella IP range

techno.it
Level 3

Hi Folks,

Just trying to understand the DNS query traffic flow. I have a client in the LAN segment configured with DNS pointing to the VAs' IP addresses. I have observed through Wireshark captures that the client makes SSL/TLS connections to a range of public addresses (146.112.0.0). Can someone explain what is happening here?

6 Replies

@techno.it there are several possibilities...


You've got the client installed on those computers?

https://docs.umbrella.com/umbrella-user-guide/docs/prerequisites-5#network-requirements


or a page was blocked and a connection to the umbrella block page was established.

https://docs.umbrella.com/deployment-umbrella/docs/block-page-ip-addresses


techno.it
Level 3

@Rob Ingram 

No umbrella client installed

No block page, website was allowed

https://docs.umbrella.com/deployment-umbrella/docs/testing-the-intelligent-proxy


If the IP address of "domain.com" comes back with an IP address within the range 146.112.0.0/16 (for example, 146.112.0.0 / 255.255.0.0), then it's being directed through the intelligent proxy.


I would like to add something here: the Umbrella proxy seems to be intercepting only browser-based requests, but when the client is making background DNS queries related to Windows updates, those don't appear to be intercepted. Having said that, how would Umbrella prevent connections to remote C&C servers that may be initiated by a compromised host?

Any ideas?
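As an added check to go with the rule quoted above (my own example, not code from the thread or from Cisco's documentation), here is a small Python helper that resolves a name the way the client does and reports whether the answers fall in 146.112.0.0/16, i.e. whether the TLS session seen in the capture will terminate on the intelligent proxy instead of the origin. The sample addresses in `main()` are constructed so the classifier can be exercised offline.

```python
import ipaddress
import socket

# Intelligent proxy range quoted in the thread (146.112.0.0/16).
INTELLIGENT_PROXY_NET = ipaddress.ip_network("146.112.0.0/16")


def resolve(domain):
    """Return the unique addresses the local resolver (here, the VA) hands back."""
    infos = socket.getaddrinfo(domain, None)
    return sorted({info[4][0] for info in infos})


def classify(addrs):
    """Classify a set of resolved addresses against the proxy range.

    'unresolved': no answers at all (NXDOMAIN, timeout, typo in the name).
    'proxied'   : every answer is in 146.112.0.0/16, so the client's TLS
                  connection goes to the intelligent proxy, not the origin.
    'direct'    : no answer is in the range; the client reaches the origin.
    'mixed'     : some answers in the range, some not; worth a second look,
                  e.g. a resolver other than the VA answered part of the set.
    """
    if not addrs:
        return "unresolved"
    # ip_network.__contains__ returns False for an address of the other IP
    # version, so IPv6 answers are simply counted as outside the range.
    in_range = [ipaddress.ip_address(a) in INTELLIGENT_PROXY_NET for a in addrs]
    if all(in_range):
        return "proxied"
    if not any(in_range):
        return "direct"
    return "mixed"


def check_domain(domain):
    """Resolve and classify one name; returns (addresses, verdict)."""
    try:
        addrs = resolve(domain)
    except socket.gaierror:
        addrs = []
    return addrs, classify(addrs)


def main():
    # Constructed answers, not real lookups: one in the proxy range, one outside.
    samples = {"grey.example": ["146.112.61.106"], "known.example": ["203.0.113.10"]}
    for name, addrs in samples.items():
        print(f"{name}: {addrs} -> {classify(addrs)}")


if __name__ == "__main__":
    main()
```

Run `check_domain("some.domain")` from a client whose DNS points at the VA to test a live name; the verdict should match the Wireshark capture (a `proxied` name shows TLS to 146.112.x.x).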

techno.it
Level 3

It makes sense now. Thank you for the clarification. I appreciate it.

@techno.it I assume you are referring to the Intelligent Proxy? This does not proxy requests for domains that are known as safe or bad (such as C&C, malware or other malicious sites); it only proxies "grey" domains, which are classed as unknown. Umbrella would allow safe domains and block bad domains at the DNS layer without proxying.