Symantec Access Management

Tech Tip : CA Single Sign-On : Web Agent :: ACO : DisableDNSLookup Precisions


    Broadcom Employee
    Posted Nov 18, 2016 10:43 AM

    Question :

     

    I would like to know:

     

        1. With DisableDNSLookup set to NO, does the Web Agent do a reverse DNS lookup when it receives a request with an IP address instead of a fully qualified domain name in the URL?
        2. When DisableDNSLookup is set to NO, how does the Web Agent do the reverse DNS lookup?
        3. Does DisableDNSLookup also concern direct DNS lookups, such as requesting the IP address from the FQDN?

     

    Environment :

     

    SiteMinder 12.5 and above

     

    Answer:

     

    Here are the answers :

     

        1. Yes, it does. Setting DisableDNSLookup=YES is what prevents this behavior: it disables these reverse DNS requests.
        We can see this in the Web Agent logs and network traces:

     

        DisableDNSLookup=NO

     

        [05/30/2014][05:35:51][22507][1143875904]
        [CSmHttpPlugin.cpp:345][CSmHttpPlugin::ProcessResource]
        [0000000000000000000000000100007f-57eb-538850f7-442e2940
        -20911d680bbd][][][][][][Resolved HTTP_HOST:
        '10.130.210.102'.]
        [05/30/2014][05:35:51][22507][1143875904]
        [CSmHttpPlugin.cpp:3772][Entered CSmHttpPlugin::
        ResolveFQServerName sHost: ][][][][][][][10.130.210.102]
        [05/30/2014][05:35:51][22507][1143875904]
        [CSmHttpPlugin.cpp:426][CSmHttpPlugin::ProcessResource]
        [0000000000000000000000000100007f-57eb-538850f7-442e2940
        -20911d680bbd][][][][][][Resolved hostname:
        'duspa01-u117478.ca.com'.]

     

        372 8.522751 10.130.210.102 141.202.205.74
        DNS Standard query PTR 102.210.130.10.in-addr.arpa
        688 15.368671 141.202.205.74 10.130.210.102
        DNS Standard query response PTR duspa01-u117478.ca.com

     

        DisableDNSLookup=YES

     

        [05/30/2014][05:39:37][22617][1124198720]
        [CSmHttpPlugin.cpp:345][CSmHttpPlugin::
        ProcessResource][0000000000000000000000000100007f
        -5859-538851d9-4301e940-96f46700a385][][][][][]
        [Resolved HTTP_HOST: '10.130.210.102'.]
        [05/30/2014][05:39:37][22617][1124198720]
        [CSmHttpPlugin.cpp:3772][Entered CSmHttpPlugin::
        ResolveFQServerName sHost: ][][][][][][]
        [10.130.210.102]
        [05/30/2014][05:39:37][22617][1124198720]
        [CSmHttpPlugin.cpp:3848][CSmHttpPlugin::
        ResolveFQServerName: isIP][][][][][][]
        [10.130.210.102]
        [05/30/2014][05:39:37][22617][1124198720]
        [CSmHttpPlugin.cpp:3967][CSmHttpPlugin::
        ResolveFQServerName, DNSLookups disabled,
        checking to see if cookiedomain added!][]
        [][][][][][10.130.210.102]
        [05/30/2014][05:39:37][22617][1124198720]
        [CSmHttpPlugin.cpp:426][CSmHttpPlugin::
        ProcessResource][0000000000000000000000000100007f
        -5859-538851d9-4301e940-96f46700a385][][][][][]
        [Resolved hostname: '10.130.210.102'.]

     

        With DisableDNSLookup=YES, there is no DNS request in the network traces.

        2. Name and address resolution is done using the POSIX API:

            getaddrinfo() : to resolve an IP address from an FQDN
            getnameinfo() : to resolve an FQDN from an IP address

        3. No, it concerns only reverse DNS lookup.

     


    KB : TEC612510
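
    The decision flow visible in the logs above, sketched with the same two POSIX calls as an added example (not SiteMinder code and not part of the original post). `resolve_server_name`, `parse_ip_literal` and the `disable_dns_lookup` flag are hypothetical names; the flag stands in for the DisableDNSLookup ACO parameter.

```c
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <netdb.h>

/* Returns 1 if host is an IPv4/IPv6 literal. AI_NUMERICHOST makes
 * getaddrinfo() parse only, so no DNS query leaves the machine. */
static int parse_ip_literal(const char *host, struct addrinfo **res)
{
    struct addrinfo hints;
    memset(&hints, 0, sizeof hints);
    hints.ai_family = AF_UNSPEC;
    hints.ai_socktype = SOCK_STREAM;
    hints.ai_flags = AI_NUMERICHOST;
    return getaddrinfo(host, NULL, &hints, res) == 0;
}

/* Hypothetical helper: copies the server name to use into out.
 * Returns 1 if a reverse (PTR) lookup supplied a name, else 0. */
int resolve_server_name(const char *host, int disable_dns_lookup,
                        char *out, size_t outlen)
{
    struct addrinfo *res = NULL;
    int resolved = 0;

    snprintf(out, outlen, "%s", host);      /* default: keep Host as received */
    if (!parse_ip_literal(host, &res))
        return 0;                           /* already a name, nothing to reverse */
    if (!disable_dns_lookup) {
        char name[1025];
        /* NI_NAMEREQD: fail rather than echo the IP when no PTR record exists */
        if (getnameinfo(res->ai_addr, res->ai_addrlen, name, sizeof name,
                        NULL, 0, NI_NAMEREQD) == 0) {
            snprintf(out, outlen, "%s", name);
            resolved = 1;
        }
    }
    freeaddrinfo(res);
    return resolved;
}

int main(void)
{
    char buf[1025];
    /* 10.130.210.102 is the address seen in the logs above */
    resolve_server_name("10.130.210.102", 1, buf, sizeof buf);
    printf("DisableDNSLookup=YES -> %s\n", buf);
    return 0;
}
```

    Calling it with the flag set to 0 on an IP literal issues the PTR query seen in the network trace, so the result then depends on the local resolver.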