Troubleshooting Guide
HYAS Protect Agent Troubleshooting
For issues related to specific agents, please refer to the corresponding Agent Troubleshooting Guide below.
Block Page
HYAS Protect uses an SSL-intercepting proxy to display custom block pages for HTTPS sites. To do this, it generates SSL certificates on the fly. If the HYAS Root Certificate Authority (CA) is not installed on your device, this can result in browser SSL warnings or errors.
You're seeing this warning because HYAS Protect is blocking access to a site—either because it’s malicious or it violates your organization's policies—and is attempting to show a block page in its place. To properly view these block pages without SSL errors, the HYAS Root CA must be installed on your device.
You can download the HYAS Root CA and follow installation instructions at: http://ca.hyas.com
HYAS Protect Relay
Port 53 on each IP address supports only one listening process, in accordance with standard IP network design.
On the external interface, the HYAS Protect Relay process must occupy this port to handle incoming DNS traffic. Depending on the configuration of local domains, it can subsequently forward requests to the Windows DNS service, if necessary. However, prior to this, the Windows DNS service must cease listening on port 53.
Instructions on how to configure the Relay to listen on port 53:
Checking which processes are listening on port 53
In PowerShell, run the following command to check for processes listening on port 53 and their associated IP addresses.
netstat -an | Select-String 53 | Select-String listen
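This command lists TCP sockets in the LISTENING state whose netstat line contains the string 53, and displays the local IP address and port. Because Select-String matches substrings, other ports such as 5357 also appear in the output.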
When configured properly, the output will look similar to this:
PS C:\Users\Administrator> netstat -an | Select-String 53 | Select-String listen
TCP 0.0.0.0:5357 0.0.0.0:0 LISTENING
TCP 127.0.0.1:53 0.0.0.0:0 LISTENING
TCP [::]:5357 [::]:0 LISTENING
TCP [::1]:53 [::]:0 LISTENING
TCP [fe80::608c:dc7e:e701:f49f%14]:53 [::]:0 LISTENING
In this scenario, port 53 is in use on the IPv4 localhost (127.0.0.1), the IPv6 localhost (::1), and the fe80:xxx IPv6 address. However, the Windows DNS server is not configured to listen on the IP address of the domain controller (10.0.10.98), which is why that address does not appear in the output.
If port 53 is not currently in use by the localhost, you can configure it to do so by following these steps:
Navigate to your Windows DNS Server, right-click it, and select “DNS Manager”.
From here, you should see all of your DNS Servers. Next, right-click each one and select “Properties”.
Now, select the “Interfaces” tab.
In this example, we’ll need the Windows DNS Server to stop listening on 10.0.10.98.
To do this, unselect the check box next to 10.0.10.98 and click “OK”.
You may need to restart the DNS service for the changes to take effect.
Although not explicitly displayed in the user interface, it's important to note that the Windows DNS server also listens on port 53 of the IPv4 localhost (127.0.0.1) and IPv6 localhost (::1).
For this example, the dnsproxy.yaml file looks like:
dns:
  bind_hosts:
    - 10.0.10.98
  port: 53
  upstream_dns:
    - https://a.b.c.d/dns-query  # the default Protect resolvers
    - '[/your-local-domain-here/]127.0.0.1'
The HYAS Protect Relay will be configured to bind to port 53 on the IP address 10.0.10.98 to accept DNS requests. Requests for local domains will be forwarded to 127.0.0.1, port 53, where the Windows DNS server is operational. DNS queries for non-local domains will be routed to the HYAS Protect Resolvers and thus shown in the HYAS Protect UI.
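To confirm the layout described above, the following PowerShell lists every listener on exactly port 53, TCP and UDP, with its owning process, and warns if Windows DNS still holds the Relay bind address. This is an added example, not HYAS tooling; the address 10.0.10.98 comes from the example on this page, and the variable names are illustrative.

```powershell
# Assumption: the Relay bind address from the dnsproxy.yaml example on this page.
$RelayBindAddress = '10.0.10.98'
$Port = 53

# Collect listeners on exactly port 53, so ports such as 5357 are not matched.
$listeners = & {
    Get-NetTCPConnection -State Listen -LocalPort $Port -ErrorAction SilentlyContinue |
        Select-Object @{ n = 'Proto'; e = { 'TCP' } }, LocalAddress, OwningProcess
    # DNS also uses UDP; UDP endpoints have no LISTENING state, so query them separately.
    Get-NetUDPEndpoint -LocalPort $Port -ErrorAction SilentlyContinue |
        Select-Object @{ n = 'Proto'; e = { 'UDP' } }, LocalAddress, OwningProcess
} | ForEach-Object {
    # Resolve the owning PID to a process name; it may have exited in the meantime.
    $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Proto     = $_.Proto
        Address   = $_.LocalAddress
        ProcessId = $_.OwningProcess
        Process   = if ($proc) { $proc.ProcessName } else { '<unknown>' }
    }
}

$listeners | Sort-Object Address, Proto | Format-Table -AutoSize | Out-Host

# The Windows DNS Server service runs as dns.exe (process name 'dns').
$dnsOnBind = $listeners | Where-Object { $_.Address -eq $RelayBindAddress -and $_.Process -eq 'dns' }
$wildcard  = $listeners | Where-Object { $_.Address -in '0.0.0.0', '::' }
$onBind    = $listeners | Where-Object { $_.Address -eq $RelayBindAddress }

if ($dnsOnBind) {
    Write-Warning "Windows DNS still listens on ${RelayBindAddress}:$Port. Clear it on the Interfaces tab, then restart the DNS service."
} elseif ($wildcard) {
    Write-Warning "A wildcard listener on port $Port ($(($wildcard.Process | Sort-Object -Unique) -join ', ')) also covers $RelayBindAddress."
} elseif (-not $onBind) {
    Write-Warning "Nothing listens on ${RelayBindAddress}:$Port. Check that the Relay is running and bind_hosts is correct."
} else {
    Write-Host "${RelayBindAddress}:$Port is held by: $(($onBind.Process | Sort-Object -Unique) -join ', ')"
}
```

Run it before and after changing the Interfaces tab: in the target state, 127.0.0.1 and ::1 show the dns process, and 10.0.10.98 shows the Relay process.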