topic Re: DNS NAT - sk34295 in Firewall and Security Management

DNS NAT - sk34295

CarlosDias — Mon, 12 Feb 2024 14:21:57 GMT

Hi,

I need the feature DNS NAT described on sk34295.

Configured it, but seems not to work.

I am running R81.10

How can I debug the cause?

Regards

Re: DNS NAT - sk34295

the_rock — Mon, 12 Feb 2024 14:46:58 GMT

Latest version listed there is R81. You may want to confirm with TAC if same is applicable in R81.10

Best,

Andy

Re: DNS NAT - sk34295

PhoneBoy — Tue, 13 Feb 2024 18:27:20 GMT

No reason it shouldn't work in R81.10.
We need to find out more about the configuration you've attempted with a simple network diagram.

Re: DNS NAT - sk34295

CarlosDias — Wed, 14 Feb 2024 09:08:28 GMT

Hi,

Network diagram is very easy.

There is an internal network that goes to internet vi a checkpoint firewall

This network has an internal DNS server and serveral other servers that go to internet by a NAT address configured on the checkpoint.

Customer also has some users on the internet that resolve on this internal DNS, for the internal hosts.

We used this sk but the dns lookup still returns the internal addresses.

Regards

Re: DNS NAT - sk34295

_Val_ — Wed, 14 Feb 2024 09:15:56 GMT

In your described scenario, you do not need sk34295. You need your internal DNS server to be available on internet, which means simple host or port address translation rule, depending on whether or not you have a spare IP address. Then, your your users should define that external IP address as their primary DNS server.

Re: DNS NAT - sk34295

CarlosDias — Wed, 14 Feb 2024 09:43:57 GMT

Hi,

The internal DNS is available from internet. It has a NAT address on the FW and the external users use this address.

But that is not the question.

This DNS also resolves internal servers for internal addresses. This servers also have a NAT address on the FW.

The problem is that external users when resolving the names of this servers, receive the internal address which is useless.

What we need it that checkpoint understands that it must translate the response to the NAT addresses, so that external users could access this internal servers.

Re: DNS NAT - sk34295

the_rock — Wed, 14 Feb 2024 12:19:28 GMT

You may want to open TAC case for this.

Re: DNS NAT - sk34295

Lloyd_Braun — Wed, 14 Feb 2024 18:50:39 GMT

The way I am reading this, and the way NAT rules are typically configured, the fw is looking for a public IP DNS response to translate to the internal IP address (original IP). You may be able to make this work with a "dummy" NAT rule configured in the other direction, but I am not saying that is a great idea.

the NAT DNS payload requires static NAT rules in which the DNS response that needs to be translated is set as the original destination, and the requested translation for it is the translated destination.

Re: DNS NAT - sk34295

CarlosDias — Wed, 14 Feb 2024 20:24:15 GMT

Hi,

I already configured the static NAT rules as requested by the sk.

Does not work

Re: DNS NAT - sk34295

Lloyd_Braun — Thu, 15 Feb 2024 15:54:50 GMT

The way I am reading that SK, it is describing a scenario where DNS resolves records to the public IP and the firewall changes DNS payload to the internal IP. So you have a different use case, wanting to NAT DNS payload from private to public IP. You could put a test DNS record in with the public IP to see if that DNS rewrite mechanism is working in the other direction. (rewriting original destination IP to xlate destination IP as opposed to xlated destination IP to original destination IP)

Re: DNS NAT - sk34295

CarlosDias — Thu, 15 Feb 2024 16:05:27 GMT

Hi,

Well on the sk there is writen:

The regular NAT rules used to translate the internal servers will suffice. There is no need to define special NAT rules in addition to the regular ones defined.

So I imagined this sk assumes the DNS is internal, and ouside users authorized to resolved on this DNS internal server, should have the dns payload changed to the ips of the NAT rules,

But I may be wrong.

This is how other manufactures do !!!

Re: DNS NAT - sk34295

the_rock — Thu, 15 Feb 2024 23:21:46 GMT

All valid points...