HP Network Protector SDN Application Administrator Guide
Figure 6 DNS inspection at edge routers
DNS inspection at HTTP Proxy
In this example, an HTTP request for the hostname example.com reaches the HTTP Proxy server. This
request is an HTTP GET (TCP) rather than a DNS (UDP) request, and therefore the application
does not inspect the request.
The HTTP proxy can be deployed in two ways:
• Explicit proxy deployment. In this deployment the browser is explicitly configured to send HTTP
requests directly to a proxy server.
• Transparent proxy deployment. In this deployment the HTTP requests are directed through a
proxy server without any manual browser configuration.
In a transparent proxy deployment, the HTTP request results in a DNS request, and
therefore the application always inspects the requests. In an explicit proxy deployment
with DNS caching options, however, not every HTTP request necessarily results in a DNS request
being sent to the DNS server, and such requests bypass the application.
You can, however, ensure that the DNS lookups happen, in which case inspection could occur with
VLAN 40 as shown in the figure. For cases where you want to ensure that the DNS request is generated, a
PAC (Proxy Auto Config) file can be configured to work with the proxy server. The PAC file, for
example proxy.pac, can be configured to direct end clients to behave as follows:
1. Set proxy.pac to direct the client to send a DNS request. If the DNS request returns a valid
response, proceed to send the HTTP GET request to the web proxy.
2. If the DNS address comes back with a redirect to a specific IP of a remediation site, set proxy.pac
to query for the direct query site.
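The following proxy.pac sketch implements the two steps above. It is an added example, not taken from the HP guide. The proxy address and the remediation IP are constructed placeholders, step 2 is read here as sending the client directly to the remediation site, and keeping unresolved names on the proxy path is an assumption.

```javascript
// proxy.pac (added example). All addresses are constructed placeholders
// from the documentation range; replace them with your own values.
var WEB_PROXY = "PROXY 192.0.2.10:8080";  // hypothetical explicit web proxy
var REMEDIATION_IPS = ["192.0.2.80"];     // hypothetical remediation site IP(s)

// Map the DNS answer seen by the client to a PAC routing decision.
function routeForAnswer(resolvedIp) {
  if (!resolvedIp) {
    // No answer at all. Assumption: keep the request on the proxy path
    // instead of opening a direct route.
    return WEB_PROXY;
  }
  if (REMEDIATION_IPS.indexOf(resolvedIp) !== -1) {
    // Step 2: the answer was redirected to the remediation site, so the
    // client contacts that site directly.
    return "DIRECT";
  }
  // Step 1: a valid answer, so the HTTP GET goes to the web proxy.
  return WEB_PROXY;
}

// Entry point called by the browser for every request.
function FindProxyForURL(url, host) {
  // dnsResolve() is a standard PAC helper. Calling it makes the client
  // itself issue the DNS lookup, which is the request that can be inspected.
  return routeForAnswer(dnsResolve(host));
}
```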
16 Deployment examples