ETP Client for DNS only

ETP Client forwards only DNS traffic to ETP in either of these situations:

  • ETP Proxy is enabled as a selective proxy.

  • ETP Proxy is not enabled. In this case, ETP Client forwards only DNS traffic to ETP.

Regardless of configuration, ETP policy is applied to DNS requests that are made on devices inside and outside the corporate network.

After ETP Client is installed, it changes the system's DNS settings and, if configured to do so, the proxy settings, so that they point to the localhost address (127.0.0.1). This lets ETP Client act as a local DNS proxy: all DNS traffic from the device is sent to ETP Client for resolution.
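A practitioner rolling this out usually wants a quick way to confirm that the takeover of the system resolver actually happened and that no other nameserver is left in place that queries could fall through to. The following is an added example, not Akamai's tooling: it parses resolv.conf-style text (an assumption about what the platform exposes; macOS mirrors its active resolvers into /etc/resolv.conf, while Windows keeps per-interface settings and is not handled here) and flags any nameserver that is not the local listener. The sample files in the block are constructed.

```python
"""Audit a host's stub-resolver configuration: every nameserver should be the
local ETP Client listener (127.0.0.1 or ::1).

Added example, not Akamai's tooling. It parses resolv.conf-style text, which
is an assumption about what the platform exposes (macOS mirrors the active
resolvers into /etc/resolv.conf; Windows keeps per-interface settings and is
not handled here). The sample files below are constructed.
"""
import ipaddress

LOOPBACKS = {ipaddress.ip_address("127.0.0.1"), ipaddress.ip_address("::1")}


def parse_nameservers(text):
    """Return the nameserver addresses in resolv.conf order, skipping comments and junk."""
    servers = []
    for raw in text.splitlines():
        # resolv.conf comments start with '#' or ';'
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                servers.append(ipaddress.ip_address(parts[1]))
            except ValueError:
                continue  # malformed address; ignore rather than abort the audit
    return servers


def audit(text):
    """Return (ok, leaks). ok is True only if at least one nameserver is present
    and all of them are loopback. Any non-loopback entry is a leak path: the stub
    resolver falls through to it if the local listener stops answering, and the
    query then bypasses ETP policy."""
    servers = parse_nameservers(text)
    leaks = [str(s) for s in servers if s not in LOOPBACKS]
    return (bool(servers) and not leaks), leaks


# Constructed samples (not captured from a real host).
SAMPLE_GOOD = """# written by the local DNS proxy
nameserver 127.0.0.1
search corp.example.com
"""
SAMPLE_LEAK = """nameserver 127.0.0.1
nameserver 192.168.1.1   ; DHCP-supplied resolver still present
"""

if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/resolv.conf"
    try:
        ok, leaks = audit(open(path).read())
    except OSError as e:
        sys.exit(f"cannot read {path}: {e}")
    print("OK: all DNS goes through the local listener" if ok
          else f"WARNING: non-loopback resolvers configured: {leaks or 'none found at all'}")
```

Run it with no arguments to audit the local host, or pass a path to a saved resolver file. A second, non-loopback nameserver is worth treating as a finding even when it sits below 127.0.0.1 in the list, because the stub resolver only consults it when the first entry fails, which is exactly the moment the client is not enforcing policy.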

ETP Client allows or blocks traffic based on ETP policy and its associated locations. If a policy is configured to redirect traffic to Enterprise Security Connector or a custom response, ETP Client may also redirect traffic to the IP address of Security Connector or the custom response.

To use ETP Client in your network, make sure these conditions apply:

  • ETP Client locations on the corporate network are configured in ETP. This includes public IP addresses of all exit points or gateways in the corporate network. These addresses allow ETP to identify the location where traffic is coming from and apply the policy that corresponds to this location.

  • When ETP Client is off the corporate network and connects from an IP address that is not configured as a location in ETP, the pre-defined Off Network ETP Clients location is applied.

You can also configure ETP Client to resolve internal domains with the DNS resolver on the corporate network. This is done without querying ETP DNS and requires that super administrators specify corporate domain suffixes in the client configuration.

In some networks, depending on whether a client is connecting from inside or outside the network, a split-horizon DNS topology is used to ensure that domains resolve to different public and private IP addresses. You can specify your internal corporate network IPv4 and IPv6 address ranges and DNS suffixes, which ETP Client prefers in case a split DNS domain resolves to multiple IP addresses with different DNS resolvers.

📘

Security software such as a network firewall or adware and spyware removal programs may attempt to block ETP Client. To avoid this issue, open the settings of these programs and mark ETP Client as a safe or allowed application. Also, if client computers have DNS anonymizing or DNS proxy software installed, remove it: such software sends DNS queries around ETP Client and therefore bypasses ETP policy.

When an end user requests a domain:

  1. Requests are forwarded to the closest ​Akamai​ ETP DNS server. If DoT is enabled, these requests are encrypted with TLS.

  2. If the request is a threat, it's blocked or forwarded to Enterprise Security Connector or a custom response. The policy configuration determines the specific policy action that's applied. These requests are not forwarded to local DNS resolvers.

  3. If the request is not a threat, it is also sent to the local DNS resolvers. ETP can resolve safe requests too, but answers from the local resolver for computers in the corporate network are preferred.
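The three steps above, together with the corporate-suffix bypass and the split-horizon preference described earlier on this page, as an added Python model. This is not Akamai's ETP Client code; it reproduces the ordering the page describes (configured corporate suffixes never reach ETP DNS, ETP's verdict is taken first and a threat is never sent to the local resolver, a safe name is answered by the local resolver with addresses in the internal ranges ranked first, and ETP answers only if the local resolver has nothing). The suffixes, address ranges, verdict names, error-page address and sample zones are constructed assumptions. The local resolver argument stands for whichever resolver the later topology sections describe: the corporate resolver on-network, the visited network's resolver off-network, or the corporate resolver reached through a split VPN tunnel.

```python
"""Illustrative model of ETP Client's DNS-only decision flow.

Added example: this is NOT Akamai's ETP Client code. It reproduces the
ordering the page describes against constructed, in-memory resolvers so it
runs offline. All names, addresses and action labels are assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed configuration (assumptions, not values from the page).
CORPORATE_SUFFIXES = ("corp.example.com", "intranet.example.com")
INTERNAL_RANGES = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("fd00::/8")]
ERROR_PAGE_IP = "203.0.113.10"  # hypothetical address of the block error page


@dataclass
class Verdict:
    """Hypothetical ETP policy result for one query name."""
    threat: bool
    action: str = "allow"          # "block_refused", "block_error_page" or "redirect"
    target: Optional[str] = None   # redirect destination (Security Connector / custom response)


def is_corporate_name(qname, suffixes=CORPORATE_SUFFIXES):
    """Match on label boundaries so 'evilcorp.example.com' does not match 'corp.example.com'."""
    q = qname.rstrip(".").lower()
    return any(q == s or q.endswith("." + s) for s in suffixes)


def is_internal(addr, ranges=INTERNAL_RANGES):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in ranges)


def prefer_internal(answers, ranges=INTERNAL_RANGES):
    """Stable sort: addresses inside the corporate ranges first, others keep their order."""
    return sorted(answers, key=lambda a: 0 if is_internal(a, ranges) else 1)


def resolve(qname, etp_verdict, etp_resolver, local_resolver,
            suffixes=CORPORATE_SUFFIXES, ranges=INTERNAL_RANGES):
    """Return (answers, source) for one query, following the page's three steps."""
    # Configured corporate suffixes never reach ETP DNS; the local resolver answers.
    if is_corporate_name(qname, suffixes):
        return local_resolver(qname), "corporate"
    # Steps 1 and 2: ETP sees the query first; a threat is never sent to the local resolver.
    v = etp_verdict(qname)
    if v.threat:
        if v.action == "block_error_page":
            return [ERROR_PAGE_IP], "error_page"
        if v.action == "redirect" and v.target:
            return [v.target], "redirect"
        return [], "refused"
    # Step 3: safe query; local resolver answers win, internal addresses ranked first.
    local = local_resolver(qname)
    if local:
        return prefer_internal(local, ranges), "local"
    return etp_resolver(qname), "etp"


# ---- constructed sample zones and policy (not real data) ----
LOCAL_ZONE = {
    "wiki.corp.example.com": ["10.20.0.5"],
    "portal.example.com": ["198.51.100.9", "10.30.0.9"],  # split-horizon name
}
ETP_ZONE = {
    "portal.example.com": ["198.51.100.9"],
    "www.example.org": ["203.0.113.80"],
}
THREAT_POLICY = {
    "malware.example.net": Verdict(True, "block_error_page"),
    "c2.example.net": Verdict(True, "redirect", "192.0.2.44"),
    "phish.example.net": Verdict(True, "block_refused"),
}


def demo_local_resolver(qname): return list(LOCAL_ZONE.get(qname, []))
def demo_etp_resolver(qname): return list(ETP_ZONE.get(qname, []))
def demo_etp_verdict(qname): return THREAT_POLICY.get(qname, Verdict(False))


def demo(local_resolver=demo_local_resolver):
    """Run sample names through the flow; pass a resolver returning [] to model a client
    on a network with no usable local resolver."""
    names = ["wiki.corp.example.com", "portal.example.com", "www.example.org",
             "malware.example.net", "c2.example.net", "phish.example.net"]
    return {n: resolve(n, demo_etp_verdict, demo_etp_resolver, local_resolver) for n in names}


if __name__ == "__main__":
    for name, (answers, source) in demo().items():
        print(f"{name:28s} {source:12s} {answers}")
```

Two details are worth noticing when comparing this with a real deployment. Suffix matching is done on label boundaries, since a loose substring match would let an attacker-registered name such as evilcorp.example.com be routed to the corporate resolver without an ETP verdict. And the split-horizon name portal.example.com comes back with its 10.0.0.0/8 address first only because the internal range is configured; without that range the public address the local resolver happened to list first would win.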

📘

Before distributing ETP Client throughout your network, make sure you test ETP Client in an environment that contains the same network configuration, VPN, and security applications as production.

When the client sends queries to ETP, it sends the request to the closest ETP DNS server. ETP returns an IP address that is in the closest geolocation to the client, providing optimal DNS resolution performance.

Network flow

The following sections describe how ETP Client resolves an allowed domain in different network topologies.

In all of these scenarios, ETP Client provides optimal internet routing. For more information, see Optimized Internet routing.

📘

In these scenarios, ETP Proxy is not enabled.

On corporate network

This graphic is an example of how ETP Client functions when it's on a corporate network:

These steps apply:

  1. Requests are directed to ETP DNS. If DNS over TLS is enabled, requests are encrypted with TLS.

  2. If a threat is detected, ETP Client handles the request based on the policy configuration. For example, if a threat category is assigned the block action with an error page response, the request is resolved to the IP address of the Website Access Prohibited error page. This page does not include any of the customization that is configured for error pages in ETP.

  3. If no threat is detected, requests are forwarded to the corporate (local) DNS resolver for resolution. Requests to websites in the internal network are resolved by the corporate resolver. If a domain is not resolved by the corporate DNS resolver, it is resolved by ETP.

Off-corporate network

This graphic is an example of how ETP Client functions when it's running off the corporate network:

When the ETP Client is on a visiting network or off the corporate network, a similar network topology applies:

  1. Off-network requests are directed to ETP DNS. If DNS over TLS is enabled, requests are encrypted with TLS.

  2. If a threat is detected, ETP Client handles the request based on the policy configuration. For example, if a threat category is assigned the block action with a refused response as the response to users, the request is blocked and a browser-specific error page appears.

  3. If no threat is detected, requests are forwarded to the local DNS resolver for resolution. Requests to websites in the internal network are resolved by the local resolver. If a domain is not resolved by the local resolver, it is resolved by ETP.

📘

If a user is visiting a network, ETP Client applies the policy of the user's corporate network. It does not apply the policy of the visiting network. In this case, the policy associated with the Off Network ETP Clients location in the user's corporate network takes effect.

Split VPN tunnel

This graphic shows ETP Client on a network with a split VPN tunnel. This scenario allows end users to securely access resources on a corporate and visited network, while also accessing the Internet through an existing local Internet breakout:

📘

To configure a split VPN tunnel, you need to configure your VPN to allow connections to the localhost (127.0.0.1). See your VPN application's documentation for more information.

These steps apply:

  1. Requests are directed to ETP DNS. If DNS over TLS is enabled, requests are encrypted with TLS.

  2. If a threat is detected, ETP Client handles the request based on the policy configuration. For example, if a threat category is assigned the block action with a refused response as the response to users, the request is blocked and a browser-specific error page appears.

  3. If no threat is detected, requests are directed to the VPN. Through the VPN, requests are forwarded to the corporate DNS resolver. If requests are not resolved by the corporate DNS resolver, they are resolved by ETP.

Optimized Internet routing

This graphic shows how ETP Client sends requests to the ETP DNS server in the closest geographical region, even if the visited network has no local DNS resolver. Regardless of network topology, ETP returns the IP address of the origin server that is in geographical proximity to ETP Client:

For example, in this graphic, requests to the Internet are directed to the ETP DNS server that is in the closest geographical location to the Visited Network (Australia). ETP is then able to return an IP address of the origin that is local to this region, allowing ETP Client to connect to the closest origin server (for example, the Australian website).

Without ETP Client, requests would go to the resolver in the United States and return the US version of the website, resulting in the end user in Australia experiencing a slower and non-localized version of the website.
