topic Re: Can Security Gateway act as DNS Server? in Firewall and Security Management

Can Security Gateway act as DNS Server?

khado — Tue, 21 Feb 2023 08:56:25 GMT

Hello,

We are running Security Gateway 81.10, which the main focus is to provide users access directly to internet.

But for a particular reason we need this users to be able to access a server that sits on internal side, using private IPv4 address.

I have activated DNS Server on security gateway object, added the object (e.g. foo.examble.com) at authorization domain list, and protection check on Protected by this machine.

Added the configuration on Hosts via GAIA Web. Allowed the connection for DNS queries from users to securitygateway object for dns quieries, and from logs it seems to be ok.

Changed the DNS servers from DHCP Servers Settings to use the primary DNS the security gateway, and second to use as DNS 1.1.1.1.

and when I try to ping foo.example.com I get a response as below:

*** UnKnown can't find foo.example.com: No response from server.

DNS suffix on Security gateway is example.com, and DNS suffinc for users is guest.example.com.

Thanks in advance

Re: Can Security Gateway act as DNS Server?

PhoneBoy — Tue, 21 Feb 2023 15:07:18 GMT

The Security Gateway is not a DNS server.
We can NAT requests from a DNS server if properly configured.
See: https://support.checkpoint.com/results/sk/sk34295

Re: Can Security Gateway act as DNS Server?

the_rock — Tue, 21 Feb 2023 15:26:22 GMT

Short answer is yes, your fw can be used as dns server, should you do it that way...probably not. I will see if I can find email R&D sent me about it ages ago why you should NOT do this. It had all the super valid/logical points.

Re: Can Security Gateway act as DNS Server?

PhoneBoy — Tue, 21 Feb 2023 15:38:49 GMT

There is an unsupported way to make the gateway a DNS server using dnsmasq, which is installed in Gaia OS but isn’t used by default.
Regardless, this isn’t best practice in enterprise networks.

Re: Can Security Gateway act as DNS Server?

the_rock — Tue, 21 Feb 2023 15:46:43 GMT

Correct!

Re: Can Security Gateway act as DNS Server?

PhoneBoy — Tue, 21 Feb 2023 17:05:14 GMT

This is what I wrote about the topic back in 2014: https://phoneboy.org/2014/09/02/fun-with-check-point-dynamic-ip-gateways-in-r77-dot-20-with-gaia/
I checked R81.20 and it too has dnsmasq installed on it.
Haven't tried it to see if it still works...

Re: Can Security Gateway act as DNS Server?

the_rock — Tue, 21 Feb 2023 17:09:18 GMT

Not overly shocked its still there : - )

[Expert@quantum-firewall:0]# service dnsmasq start
Starting dnsmasq:
[Expert@quantum-firewall:0]# service dnsmasq stop
Shutting down dnsmasq: [ OK ]
[Expert@quantum-firewall:0]# fw ver
This is Check Point's software version R81.20 - Build 703
[Expert@quantum-firewall:0]#

Re: Can Security Gateway act as DNS Server?

khado — Wed, 22 Feb 2023 12:08:06 GMT

Thank yoy @the_rock and @PhoneBoy . I used dnsmasq and it worked flawlessly.

I read about DNS NAT, but it seemed to complicated for my situation.

best regards to both of you.

Re: Can Security Gateway act as DNS Server?

PhoneBoy — Mon, 08 Jul 2024 18:22:37 GMT

Interestingly enough, R82 EA not only has dnsmasq installed...it's in use now.