ONLINE DOCUMENTATION
www.defensx.com
Secure Industries, Inc 101 Avenue of The Americas, Floor 9 New York, NY 10013

Agentless Network Deployment

Overview

While deploying the DefensX product, the preferred method involves installing the DefensX Agent on client devices. Agent-based installation not only supports mobility and roaming of the installed computers but also integrates the DefensX Extension into web browsers. This effectively converts them into Secure Browsers, providing continuous protection against sophisticated attacks across all open tabs, a level of security not achievable through DNS filtering alone.

However, certain scenarios may necessitate agentless deployment, particularly for non-compatible devices such as printers and POS systems. In such cases, a hybrid deployment approach can be employed. This involves installing agents on compatible devices while utilizing agentless deployment through network segmentation or DNS server configurations.

In certain situations, deploying the agent may not be feasible even if the client types are supported. This is particularly common in environments such as schools or guest Wi-Fi networks, where implementing DNS-only filtering is preferred. In such cases, our agentless network deployments come into play. This allows for the provision of DNS-only filtering solutions to clients, offering an entry-level of security protection for internet access.

Configuring Public IP Addresses

The crucial step in agentless deployment is to add your Public IP addresses into the DefensX Backend. To access the configuration screen, first navigate to the Policies page. Then, click on the three-dot icon of the related deployment and select the Manage IPs menu, as shown below:

manage ips

In this screen, you can add up to 5 IP addresses or CIDR block.

Tip
 Available ranges are limited to /24 CIDR network range. You can also use hostnames if you are using a dynamic DNS solution.
deployment ips

After configuring the Public IP addresses, you’ll find the DefensX Anycast DNS IP Addresses. DNS queries sent from those IP addresses will be answered by our Anycast DNS servers based on the configured policy in the deployment. Our default Anycast DNS Server IP addresses are:

  • 3.33.220.70

  • 3.33.218.70

Using Multiple DNS Policy For Same Public IP Address

If you need to apply different policies to certain devices while using the same Public IP Address, you can achieve this by utilizing different DNS Server Address Pairs. Follow the steps below:

  • Navigate to the Policies page and click on the New Deployment button. Select the "Custom Deployment" option and provide a name for the deployment.

  • After creating the deployment, return to the Policies page. Click on the three-dot icon of the newly created deployment and select the Manage IPs menu item.

  • Add your Public IP Addresses

  • In the "Select DNS Server Address Pair" section, choose another pair of DNS addresses from the options and click the Change button.

  • You’ll now see a new pair of IP Addresses alongside the default ones. If you have network segmentation, you can assign this new pair of IP addresses to the clients requiring different policies.

dns servers

By configuring the new deployment in this manner, you can customize the Webfilter policy on the Policies page as needed. Despite the DNS request source addresses being the same, DefensX Anycast DNS servers can differentiate between policies based on the selected DNS Servers.

Installing the SSL Root Certificate

To view the URL Block pages for HTTPS websites, it’s essential to install the DefensX SSL Root certificate on the client device. This requirement arises from the operational mechanics of SSL/TLS and, in the absence of an agent, it is required to be installed by an external process.

Below, you’ll find instructions for installing the DefensX SSL Root certificate on various client types and operating systems. DefensX SSL Root certificate is public and can be downloaded from https://cloud.defensx.com/certs/DefensXCA.cer

Installing on the Windows

You can use certutil with admin rights to install the certificate like below (assuming that it is downloaded to the current user’s Downloads folder):

certutil -addstore -enterprise -f Root "C:\Users\%username%\Downloads\DefensXCA.cer"

You can also use the following Powershell script to automatically download and install the certificate with admin rights:

$downloadUrl = 'https://cloud.defensx.com/certs/DefensXCA.cer'
$localFile = "C:\Users\$Env:UserName\Downloads\DefensXCA.cer"

Invoke-WebRequest -Uri $downloadUrl -OutFile $localFile -UseBasicParsing

if (Test-Path $localFile) {
	certutil -addstore -enterprise -f Root $localFile
} else {
	Write-Host "Couldn't download the certificate"
}

Installing by Active Directory GPO

You can distribute the certificate by creating an Active Directory GPO object with the following steps:

  • Open the GPO Management in Domain Controller

  • Create a new GPO or append it to an existing one

  • Open Computer Configuration → Windows Settings → Security Settings → Public Key Policies section

  • Right-click to the Trusted Root Certification Authorities and then click Import

  • Locate the downloaded DefensXCA.cer file

Installing on the MacOS

After downloading the DefensXCA.cer file, you can install it with the following command:

sudo /usr/bin/security add-trusted-cert -d -r trustRoot -p ssl -p basic -k /Library/Keychains/System.keychain ~/Downloads/DefensXCA.cer

Troubleshooting

Verifying DNS Packet Flow

Some ISPs apply DNS filtering or similar techniques that alter DNS responses. In some cases, ISPs may even block or manipulate DNS queries unless they are directed to well-known DNS resolvers such as 8.8.8.8 or 1.1.1.1.

To confirm whether your DNS requests are correctly reaching the DefensX Cloud DNS, you can use our special hostname whatismyip.defensx.com:

  • If the query reaches our Cloud DNS, the response will return your public IP address.

  • If the response is 0.0.0.0, it means the query is being intercepted or altered by an intermediate system and never reached our Cloud DNS servers.

Steps to Verify

  • Query Cloud DNS directly: Run the following command and check the “Address” field in the response:

nslookup -type=A whatismyip.defensx.com 3.33.220.70

If you see your public IP address, the request successfully reached our Cloud DNS. If you see 0.0.0.0, the request was intercepted or blocked before reaching us.

  • Query using your system’s default DNS settings: Run the same command without specifying a DNS server:

nslookup -type=A whatismyip.defensx.com

If the first command returned your public IP, but this one returns 0.0.0.0, it means you can reach DefensX Cloud DNS directly but the DNS servers currently configured on your computer are not forwarding queries to our Cloud DNS.

Verifying IP Configuration

For DefensX Cloud DNS to work properly, DNS requests must come from your configured public IP address (or range) to one of our Cloud DNS servers.

We operate 7 Anycast DNS server pairs (14 IP addresses in total). In most deployments, the first pair (3.33.220.70 and 3.33.218.70) is sufficient. However, if you are using a different DNS server pair, you should run the following test against those specific IP addresses.

Test Your Configuration

Run the following command against one of our DNS servers:

nslookup -type=A google.com 3.33.220.70

  • If you see a valid Google IP address, your public IP configuration is correct.

  • If you see 20.230.157.46, it means your request reached our Cloud DNS, but from an unregistered or unknown public IP address. You should review the configuration in the DefensX Backend.

Tip
 If you recently updated your configuration, please allow up to 30 seconds for propagation.