6.7.6. Resolver policies

Resolver policies specify how a given service should resolve the domain names in client requests. This capability is essential when non-transparent services are used, because in these cases the PNS host has to determine the destination address itself and therefore needs the result of a name resolution. Application-level Gateway is also able to store the addresses of frequently used domain names in a hash. Application-level Gateway supports DNS-based (DNSResolver) and Hash table-based (HashResolver) name resolution.


Figure 6.71. Resolver policies

DNSResolver policies query the domain name server used by Application-level Gateway in general to resolve domain names. If a domain name is associated with multiple IP addresses (that is, it has more than one 'A' record), these records can be retrieved by checking the Return multiple DNS records checkbox. (The DNS server used by the PNS host can be specified on the Resolver tab of the Networking component, see Section 5.3, Managing client-side name resolution for details.)

Tip

Retrieving multiple 'A' records is useful when Application-level Gateway is used to perform load balancing.

Example 6.15. Defining a Resolver policy

Python: Below is a simple DNSResolver policy enabled to return multiple 'A' records.

ResolverPolicy(name="Mailservers", resolver=DNSResolver(multi=TRUE))

HashResolver policies are used to locally store the IP addresses belonging to a domain name. A domain name (Hostname) and one or more corresponding IP addresses (Addresses) can be stored in a hash. If the domain name to be resolved is not included in the hash, the name resolution will fail. The HashResolver can be used to direct incoming connections to specific servers based on the target domain name.

Example 6.16. Using HashResolver to direct traffic to specific servers

If a PNS host is protecting a number of servers located in a DMZ, the connections can be easily directed to the proper server without a DNS query if the hostname – IP address pairs are stored in a HashResolver. If multiple IPs are associated with a hostname, simple fail-over functionality can be realized by using FailOverChainer.

The resolver policy below associates the IP addresses 192.168.1.12 and 192.168.1.13 with the mail.example.com domain name.


Figure 6.72. Defining a new HashResolver

Python:
ResolverPolicy(name="DMZ", resolver=HashResolver(mapping={"mail.example.com":\
("192.168.1.12", "192.168.1.13")}))
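
The following is an added example, not part of the original guide or of Application-level Gateway's own code: a standalone Python check that can be run over a HashResolver-style mapping before it is deployed, together with a small model of the fail-on-miss lookup described above. The names audit_mapping and resolve, the exact-match lookup, and the 192.168.1.0/24 DMZ network are assumptions made for illustration.

```python
import ipaddress

def _as_tuple(addrs):
    # A single address written as a bare string is wrapped so it is not
    # iterated character by character.
    return (addrs,) if isinstance(addrs, str) else tuple(addrs)

def audit_mapping(mapping, allowed_net):
    """Return a list of problems found in a hostname -> addresses mapping."""
    net = ipaddress.ip_network(allowed_net)
    problems = []
    for host, addrs in mapping.items():
        addrs = _as_tuple(addrs)
        if not addrs:
            problems.append(f"{host}: no addresses, resolution would always fail")
        seen = set()
        for addr in addrs:
            try:
                ip = ipaddress.ip_address(addr)
            except ValueError:
                problems.append(f"{host}: {addr!r} is not an IP address")
                continue
            if ip in seen:
                problems.append(f"{host}: duplicate address {ip}")
            seen.add(ip)
            if ip not in net:
                # Traffic for this name would be sent outside the DMZ.
                problems.append(f"{host}: {ip} is outside {net}")
    return problems

def resolve(mapping, hostname):
    """Model of the lookup described above: a name missing from the hash fails."""
    if hostname not in mapping:
        raise LookupError(f"{hostname} is not in the hash; resolution fails")
    return _as_tuple(mapping[hostname])

# Mapping from Example 6.16, plus a constructed faulty mapping for comparison.
DMZ_MAPPING = {"mail.example.com": ("192.168.1.12", "192.168.1.13")}
FAULTY_MAPPING = {
    "web.example.com": ("192.168.1.20", "10.0.0.5", "192.168.1.20", "not-an-ip"),
    "ftp.example.com": (),
}

if __name__ == "__main__":
    print(audit_mapping(DMZ_MAPPING, "192.168.1.0/24"))
    for problem in audit_mapping(FAULTY_MAPPING, "192.168.1.0/24"):
        print(problem)
```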