Can I bypass shift by just using an IP address?


(Andy Logan) #1

What if my users are smart enough to use IP addresses directly? Can they bypass shift?


(Haggai Polak) #2

Well… Yes. But not really.

Shift is DNS based. When a user or an application tries to reach a destination by its URL, the domain name part of the URL will be resolved by the DNS resolver configured on the endpoint. If that resolver is Shift, a decision is made whether the returned address will be the actual one for the host name (allow), one for a block page (blocked) or one for a proxy (redirection to content inspection). However, if the app or browser goes to an IP address directly without requiring DNS resolution, Shift is never “in the path”.

However, most websites and CDNs will either not work using a direct IP (name-based virtual hosting) or will redirect back to the hostname. Try to resolve any site on Cloudflare, for example, and then go to the site using its IP. You will get a “Direct IP access not allowed” error. Try to use the internet with no DNS configured. Even if the main HTML page of sites loads, much of the content will not. The internet cannot function without DNS. Even malware and C2 infrastructure relies on DNS, since it is too easy for security companies to blacklist IP addresses, while keeping up with fast-changing domain names is harder.

So while theoretically direct IP will bypass Shift, practically Shift is still effective. And there is always the full proxy, ZIA, if you need more control.
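As an added illustration (not code from either post, and not Zscaler's implementation), the following Python model shows the two mechanisms the answer describes side by side: a DNS resolver that enforces policy by choosing which address to hand back, and an origin that uses name-based virtual hosting and rejects a bare IP literal in the Host header. It also includes the check a defender would run over their own web or proxy logs to find clients that do connect by IP. All hostnames, addresses, the policy table and the log lines are constructed sample data, and the allow/block/proxy addresses are assumptions for the model.

```python
"""Model of a DNS-policy resolver versus direct-IP access (added example).

Everything here is constructed for illustration; it does not reproduce
Shift's real behaviour, only the mechanism described in the thread.
"""
import ipaddress
from urllib.parse import urlparse

# ---- 1. Policy-enforcing DNS resolver (constructed data) ----
POLICY = {                                   # hostname -> verdict
    "intranet.example.test": "allow",
    "malware.example.test": "block",
    "filesharing.example.test": "inspect",
}
REAL_RECORDS = {                             # the "true" A records
    "intranet.example.test": "192.0.2.10",
    "malware.example.test": "198.51.100.20",
    "filesharing.example.test": "203.0.113.30",
}
BLOCK_PAGE_ADDR = "192.0.2.250"   # assumed address of the block page
PROXY_ADDR = "192.0.2.251"        # assumed address of the inspecting proxy


def policy_resolve(hostname: str) -> str:
    """Return the address the resolver hands back: real, block page or proxy."""
    name = hostname.lower().rstrip(".")
    if name not in REAL_RECORDS:
        raise LookupError(f"NXDOMAIN: {name}")
    verdict = POLICY.get(name, "allow")
    if verdict == "block":
        return BLOCK_PAGE_ADDR
    if verdict == "inspect":
        return PROXY_ADDR
    return REAL_RECORDS[name]


# ---- 2. Origin / CDN edge with name-based virtual hosting ----
VHOSTS = set(REAL_RECORDS)       # names this edge is willing to serve


def host_only(host_header: str) -> str:
    """Strip an optional :port (and IPv6 brackets) from a Host header value."""
    return urlparse("//" + host_header).hostname or ""


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def origin_respond(host_header):
    """What the edge answers for a given Host header: (status, body)."""
    if not host_header:
        return 400, "Bad Request: missing Host header"
    name = host_only(host_header)
    if is_ip_literal(name):
        # No virtual host matches an address, so the edge refuses outright.
        return 403, "Direct IP access not allowed"
    if name in VHOSTS:
        return 200, f"content for {name}"
    return 421, "Misdirected Request"


def simulate_request(url: str) -> dict:
    """Trace one client request: is the resolver consulted, and what comes back?"""
    host = urlparse(url).hostname
    if host is None:
        raise ValueError(f"no host in {url!r}")
    if is_ip_literal(host):
        # Client connects straight to the address: the resolver never sees it,
        # but the Host header it sends is the IP literal, which the edge rejects.
        status, body = origin_respond(host)
        return {"resolver_consulted": False, "dest": host, "status": status, "body": body}
    dest = policy_resolve(host)
    if dest == BLOCK_PAGE_ADDR:
        status, body = 200, "block page"
    elif dest == PROXY_ADDR:
        status, body = 200, f"content for {host} (via inspecting proxy)"
    else:
        status, body = origin_respond(host)
    return {"resolver_consulted": True, "dest": dest, "status": status, "body": body}


# ---- 3. Defender check: which clients send an IP literal as Host? ----
SAMPLE_LOG = [   # constructed access-log lines, key=value per field
    "client=10.0.0.5 host=intranet.example.test path=/",
    "client=10.0.0.7 host=203.0.113.30 path=/files",
    "client=10.0.0.9 host=[2001:db8::1]:8443 path=/",
]


def direct_ip_requests(lines):
    """Return (client, host) pairs whose Host header was a bare IP literal."""
    hits = []
    for line in lines:
        fields = dict(f.split("=", 1) for f in line.split())
        host = host_only(fields.get("host", ""))
        if is_ip_literal(host):
            hits.append((fields.get("client", "?"), host))
    return hits


if __name__ == "__main__":
    for u in ("http://intranet.example.test/", "http://malware.example.test/",
              "http://filesharing.example.test/", "http://198.51.100.20/"):
        print(u, simulate_request(u))
    print("direct-IP clients:", direct_ip_requests(SAMPLE_LOG))
```

The `direct_ip_requests` scan is the practical answer to the original question: rather than trying to make the resolver see connections it never gets, look for IP-literal Host headers (or TLS connections with no SNI) in the logs you already keep, and treat them as the exception worth investigating.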