Cdome DNS Resolver

Hi guys, I’m getting ready to roll out Cdome DNS resolver. Can you guys give me some feedback on the product before I proceed?

Dome Shield is a great product, takes some tweaking but does the job nicely.

Generally it’s been a great product in my usage. It can have issues with performance at times but it has definitely improved. As strobe mentioned, definitely needs tweaking. I highly recommend testing it heavily before production rollout so you can get your rules/policies right. I find the reporting to be very lacking but that’s pretty much a common theme across the board with this platform. (Need custom report builders, executive reports…etc). But overall still a great product.

Thanks for the response everyone, and your experience, just to be clear, is with the local VM being installed?

Apologies @libretech, I was referring to Dome Shield though you clearly said DNS resolver. However I have used the DNS resolver and I would say the feedback still applies, though performance may be more tied to the VM resources.

@eztech thanks for the feedback!

Personally we have only used the agent on devices and direct DNS, we are looking forward to the resolver VM / device.

I’ve been testing this and have found that it breaks certain web sites. This may be caused by mixed content pulled from various servers on the Internet. The obvious fix is to whitelist known sites, but this does not work.

I’ve attempted to bring this to their attention, but without success because the reply emails to support are bouncing as of late last week. But, the short of it is that it would be hard to deploy this to a production environment until they resolve issues with white listing sites.

Best,

Dany
AMS H-Desk Pro

Hi @hdesk

There is another post similar to this that I replied to the other day.
The issue is that some websites use CDNs for some content and some CDNs are listed under certain categories which you might be blocking.

The best thing to do is look at the block logs to spot these CDNs and then white list them, this has worked perfectly for us and our clients.

If you have no joy let me know and I’ll look at our whitelisted CDNs for you and post.
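As an added illustration of the block-log review suggested in the post above (not part of the thread and not cDome code), this sketch lists domains that were blocked for a client within a few seconds of that client resolving an allowed site. The CSV layout, the sample lines, and the name `blocked_dependencies` are assumptions made for the example; the product's real log export format is not shown on this page.

```python
import csv
from collections import Counter
from datetime import datetime, timedelta
from io import StringIO

# Constructed sample, assumed layout: time, client, domain, category, action.
# Lines are assumed to be in time order, as in an appended log.
SAMPLE_LOG = """\
2024-05-01T09:00:00,10.0.0.5,payroll.example.com,Business,allowed
2024-05-01T09:00:01,10.0.0.5,static.cdn-one.example.net,File Sharing,blocked
2024-05-01T09:00:02,10.0.0.5,img.cdn-two.example.net,Content Delivery,blocked
2024-05-01T09:03:00,10.0.0.5,ads.tracker.example.org,Advertising,blocked
2024-05-01T09:05:00,10.0.0.9,payroll.example.com,Business,allowed
2024-05-01T09:05:01,10.0.0.9,static.cdn-one.example.net,File Sharing,blocked
2024-05-01T09:06:00,10.0.0.7,static.cdn-one.example.net,File Sharing,blocked
"""

def blocked_dependencies(log_text, site, window_seconds=5):
    """Return [((domain, category), count), ...] for lookups that were blocked
    for a client within `window_seconds` after it resolved the allowed `site`."""
    window = timedelta(seconds=window_seconds)
    last_visit = {}   # client -> time of its latest allowed lookup of `site`
    hits = Counter()  # (blocked domain, category) -> correlated block count
    for row in csv.reader(StringIO(log_text)):
        if len(row) != 5:
            continue  # skip blank or malformed lines
        ts, client, domain, category, action = row
        when = datetime.fromisoformat(ts)
        if action == "allowed" and domain == site:
            last_visit[client] = when
        elif action == "blocked" and client in last_visit:
            # Only blocks that closely follow the page load are candidates.
            if when - last_visit[client] <= window:
                hits[(domain, category)] += 1
    return hits.most_common()

if __name__ == "__main__":
    for (domain, category), count in blocked_dependencies(
            SAMPLE_LOG, "payroll.example.com"):
        print(f"{count:3d}  {domain}  [{category}]")
```

The output is a list of candidates to review by category, not an automatic allow list: timing correlation also picks up unrelated background lookups, and a shared CDN hostname serves other tenants besides the site being fixed.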

Hello @StrobeTech

You know that is a wonderful idea … the suggestion of compiling a blacklist of CDNs that offer content that might be blocked for one reason or another. However, I also think that whitelisting a known good site should somehow automatically do that.

The situation with my two incidents was related to a site owned by ADP, which is the largest payroll processor in the U.S. I think they may even be there in the U.K. Obviously subject to a number of laws and regulations, I can assure you that security is a top priority for ADP. In that regard it’s a bit puzzling as to why cDome would break the site.

The other site was Cabela’s, which is perhaps the nation’s largest purveyor of sporting goods in the U.S. Here again, they are subject to PCI DSS regulations and bound to observe best security practices because of e-com available on the site.

Had these been any other sites I would give cDome’s analysis more credibility. However, these were not just any sites but subject to laws, regulation and compliance because of the sensitive information they handle.

All in all though I think it’s a great idea about compiling a human-readable list of known CDNs, and we can make a decision on a case by case basis. That should keep everyone busy with support tickets for a good while I suspect.

All the best,

Dany, CEO
AMS H-Desk Pro LLC

Hi Dany,

I totally understand where you are coming from and do actually agree with you.

I do understand why the CDNs might be blocked as they do not just host good sites as we all know.

The best approach would be for cDome to whitelist all CDNs and block the site that calls them only. Or approach it by the requesting website, so if a bad site is requested the requested site is blocked meaning CDNs for affected as you never call a CDN except for maybe parts of sites like java, CSS.

If a site is allowed or whitelisted all calls to components from that site should be allowed in theory, but this is not the case as cDome will tell you any part could be infected and needs checking.

It’s not ever going to be a perfect solution, the more secure you are the more work to get it working you need to do.

I’m rambling so will be quiet now.

Robin

Hi @hdesk , sorry for delay. We don’t always get alerts of forum activity.

Yes, we hardly get any calls, works very well now and looking at rolling it to all clients soon.

Hi @hdesk

Our support team will immediately contact you and create a ticket for the issue you are having. Please provide as many details as you can and list us the websites that you are having this issue with and we will investigate it immediately.