topic DNS used on Checkpoint in Firewall and Security Management

DNS used on Checkpoint

handiansudianto — Wed, 25 Oct 2023 06:54:39 GMT

Hello,

On the gaia on my 5800 series set to public dns server, but why our internal dns receive many bad tcp query from the checkpoint?

Re: DNS used on Checkpoint

emmap — Wed, 25 Oct 2023 08:18:01 GMT

Are you trying to use the 5800 as a DNS server/relay? If so, this is not a supported configuration, a Quantum Check Point gateway will not act as a DNS resolver. Only the Spark series has this capability.

Re: DNS used on Checkpoint

Lesley — Wed, 25 Oct 2023 12:52:22 GMT

I suspect internal DNS is used on the config, could be GAIA config or Smartconsole.

For example DNS traps for the threat prevention blade etc.

Or did you change the DNS servers in GAIA and never rebooted gateway?

Or maybe internal DNS is configured as secondary DNS or third. That what most people do.

First DNS public second third internal or other way around.

Re: DNS used on Checkpoint

handiansudianto — Fri, 27 Oct 2023 00:40:10 GMT

No, the 5800 not used as dns server or dns relay. I just curious wht the 5800 lookup host using internal dns server even on the gaia the dns server set to the public dns server

Re: DNS used on Checkpoint

handiansudianto — Fri, 27 Oct 2023 00:43:19 GMT

On the gaia the DNS set to public dns server, on the smart console i can see only on Mobile Access - Name Resolution set to internal dns server and i belive this used when any client connected to the 5800 vpn.

If i debug on the internal dns server i got like this

27/10/2023 07.26.26 19EC PACKET 0000021258539920 UDP Rcv 10.103.254.6 20cb Q [0001 D NOERROR] A (3)www(18)northeurope1-pushp(3)svc(2)ms(0)

27/10/2023 07.26.26 19EC PACKET 0000021258539920 UDP Snd 10.103.254.6 20cb R Q [8081 DR NOERROR] A (3)www(18)northeurope1-pushp(3)svc(2)ms(0)

27/10/2023 07.26.26 19FC PACKET 0000021258CDCD90 UDP Rcv 10.103.254.6 2390 Q [0001 D NOERROR] A (3)www(21)southcentralus1-pushp(3)svc(2)ms(0)

27/10/2023 07.26.26 19EC PACKET 00000212554C9D50 UDP Rcv 10.103.254.6 2390 Q [0001 D NOERROR] A (3)www(21)southcentralus1-pushp(3)svc(2)ms(0)

27/10/2023 07.26.26 19FC PACKET 0000021258CDCD90 UDP Snd 10.103.254.6 2390 R Q [8081 DR NOERROR] A (3)www(21)southcentralus1-pushp(3)svc(2)ms(0)

I believe the 5800 try query to the domain host or updateable object to the internal dns server, if this true where i can set updatable object to query using public dns server.

Re: DNS used on Checkpoint

PhoneBoy — Fri, 27 Oct 2023 16:25:19 GMT

Version/JHF?
What does enabled_blades say?