For Data Loss Prevention (DLP) installations, the host names of the sites being monitored must resolve to the DLP appliance rather than to the sites' real IP addresses, so that client traffic passes through the appliance. This is achieved by overriding DNS resolution for those names, not by changing anything at the site itself.
Typically, only dynamic content requests need to be redirected (as opposed to requests for static content such as images, style sheets and so on). Many larger sites (Facebook, for example) spread their static and dynamic content across a large number of separate host names. For ease of maintenance, we recommend overriding only the host names within a domain (zone) that actually carry dynamic data.
The cleanest way to override DNS is to run a second DNS server dedicated to that purpose. We recommend the open source Unbound DNS server (https://nlnetlabs.nl/projects/unbound/about/). Unbound can declare a zone as "transparent": for a domain marked this way, the server answers from its own local data when the queried name has been defined for that domain, and resolves any other name in the domain normally by forwarding it to another DNS server. This avoids having to maintain every host in a monitored domain when only a few of them need to be overridden.
Unbound is available for both Windows and Linux. Install it with the provided installer (or your distribution's package manager) and then configure it. The following is a sample configuration for monitoring Facebook and Twitter:
In the sample you will need to adjust the access-control entries to cover your internal client address ranges, point the local-data entries for the Facebook and Twitter host names at the IP address of the Composable Architecture Platform appliance, and set the forward-zone address to the IP address of the immediate upstream (ISP) DNS server.
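The vendor's sample configuration is not reproduced on this page. The following unbound.conf is an added example of the layout the text describes (transparent local zones, local-data overrides for the dynamic host names, and a forward-zone to the upstream resolver); it was written for this page and is not the vendor's file. Every address in it is a placeholder: 10.0.0.0/8 stands for the internal client range, 10.0.0.20 for the Composable Architecture Platform appliance and 192.0.2.53 for the upstream ISP resolver.

```conf
# Added example unbound.conf (not the vendor's sample). All addresses are placeholders.
server:
    interface: 0.0.0.0
    port: 53
    verbosity: 1

    # Answer only the internal client ranges; everything else is refused.
    access-control: 127.0.0.0/8 allow
    access-control: 10.0.0.0/8 allow
    access-control: 0.0.0.0/0 refuse

    # facebook.com: names listed in local-data resolve to the appliance.
    # Any other name under facebook.com (e.g. login.facebook.com) is not in
    # local data, so it is resolved normally via the forward-zone below.
    local-zone: "facebook.com." transparent
    local-data: "www.facebook.com. 60 IN A 10.0.0.20"
    local-data: "m.facebook.com. 60 IN A 10.0.0.20"

    # twitter.com: same pattern; only the host names carrying dynamic content.
    local-zone: "twitter.com." transparent
    local-data: "twitter.com. 60 IN A 10.0.0.20"
    local-data: "www.twitter.com. 60 IN A 10.0.0.20"
    local-data: "mobile.twitter.com. 60 IN A 10.0.0.20"

# Everything not answered from local data is sent to the upstream (ISP) resolver.
forward-zone:
    name: "."
    forward-addr: 192.0.2.53
```

Keep the zone type as transparent rather than typetransparent: with transparent, an AAAA query for a name that appears in local-data gets an empty (nodata) answer, so an IPv6-capable client cannot obtain the site's real IPv6 address and bypass the appliance; with typetransparent the AAAA query would be resolved normally. Run unbound-checkconf on the file before starting the service, and verify with dig @<unbound-ip> www.facebook.com and dig @<unbound-ip> login.facebook.com.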
Once the configuration is in place, test it with two lookups sent directly to the Unbound server: login.facebook.com should resolve to the real (external) IP address, and www.facebook.com should resolve to the IP address of the Composable Architecture Platform appliance.
Unbound now answers the overridden host names of the sites you wish to monitor with the appliance's address, while every other name is still resolved normally.
To make your standard internal DNS use the overrides, configure it to forward all queries for each monitored domain to the Unbound server (a conditional forwarder). How this is done varies from one DNS server to another. As an example, this is how you would do it with Microsoft DNS:
In DNS Manager, right-click Conditional Forwarders, choose New Conditional Forwarder, enter facebook.com as the DNS domain and the IP address of the Unbound server as the forwarder. Do the same for twitter.com. (On older Windows Server releases the per-domain entries live on the Forwarders tab of the server's Properties dialog instead.) The Microsoft DNS server then continues to resolve all other domains by going external, but for Facebook and Twitter it asks Unbound instead. Note that this only affects clients that use the internal DNS: a client configured with a public resolver, or using DNS over HTTPS, bypasses the override entirely, so outbound DNS to anything other than the internal resolver should be blocked at the firewall.
Answers cached before the change remain valid until their TTL expires, so either wait that out (for these sites the TTLs are short, typically well under a minute) or flush the DNS server cache and the client's resolver cache. Then ping www.facebook.com; it should resolve to the Composable Architecture Platform appliance IP. Then ping login.facebook.com; you should get the external address.
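The Microsoft DNS steps above in script form, as an added example written for this page rather than vendor tooling: it creates the two conditional forwarders with the DnsServer module cmdlets (Windows Server 2012 and later), flushes the server and client caches instead of waiting for the TTL, and runs the two checks the text describes plus an AAAA check for the overridden name. The addresses are assumptions: Unbound at 10.0.0.53 and the appliance at 10.0.0.20. Run it in an elevated PowerShell session on the DNS server.

```powershell
# Added example, not from the original page or the vendor. Addresses are placeholders.
$UnboundIp   = '10.0.0.53'   # Unbound server (assumed)
$ApplianceIp = '10.0.0.20'   # Composable Architecture Platform appliance (assumed)
$Domains     = 'facebook.com', 'twitter.com'

# Conditional forwarders: queries for these domains go to Unbound; all other
# domains keep using the server's normal forwarders or root hints.
foreach ($domain in $Domains) {
    if (-not (Get-DnsServerZone -Name $domain -ErrorAction SilentlyContinue)) {
        Add-DnsServerConditionalForwarderZone -Name $domain -MasterServers $UnboundIp
    }
}

# Discard cached answers so the checks below see the new path, not old TTLs.
Clear-DnsServerCache -Force
Clear-DnsClientCache

# Ask this DNS server directly (not the client's resolver chain) for the A records of a name.
function Get-ARecords {
    param([string]$Name)
    Resolve-DnsName -Name $Name -Type A -Server 127.0.0.1 -DnsOnly -ErrorAction Stop |
        Where-Object { $_.Type -eq 'A' } |
        ForEach-Object { $_.IPAddress }
}

$checks = @(
    @{ Name = 'www.facebook.com';   ExpectAppliance = $true  }   # overridden in Unbound
    @{ Name = 'login.facebook.com'; ExpectAppliance = $false }   # must stay the real address
    @{ Name = 'www.twitter.com';    ExpectAppliance = $true  }
)

$failed = $false
foreach ($c in $checks) {
    $ips = @(Get-ARecords -Name $c.Name)
    $hitsAppliance = $ips -contains $ApplianceIp
    if ($hitsAppliance -eq $c.ExpectAppliance) {
        Write-Host "OK   $($c.Name) -> $($ips -join ', ')"
    } else {
        Write-Warning "FAIL $($c.Name) -> $($ips -join ', ') (expected appliance: $($c.ExpectAppliance))"
        $failed = $true
    }
}

# An overridden name must not leak a real AAAA record, or IPv6 clients bypass the appliance.
$aaaa = Resolve-DnsName -Name 'www.facebook.com' -Type AAAA -Server 127.0.0.1 -DnsOnly -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'AAAA' }
if ($aaaa) {
    Write-Warning "FAIL www.facebook.com still has AAAA records: $($aaaa.IPAddress -join ', ')"
    $failed = $true
} else {
    Write-Host "OK   www.facebook.com has no AAAA record"
}

if ($failed) { exit 1 }
```

The login.facebook.com check is the important negative test: if it also returns the appliance address, the zone was defined as a full local zone rather than a transparent one, and every host in the domain is being captured.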
When installed as a DLP appliance, Composable Architecture Platform terminates the TLS connection for any monitored site and presents its own certificate. This means that users accessing a site over HTTPS will get a browser warning that the certificate provided does not match the site they are accessing. This is normal and correct behaviour, and it makes clear to the end user that their interactions with the site are not confidential. Note that for sites that enforce HTTP Strict Transport Security, which includes facebook.com and twitter.com, modern browsers refuse the connection outright rather than offering a click-through warning unless the presented certificate is trusted.
If the certificate warning is not desired, the certificate used by Composable Architecture Platform (or the CA certificate that issued it) must be installed as trusted in the browser or, for a managed fleet, pushed to the operating system's trusted certificate store through group policy. A per-site exception is not sufficient for HSTS sites, and a trusted certificate whose name does not match the monitored site will still produce the warning.