topic Re: Log DNS query in Firewall and Security Management

Log DNS query

jgarcias — Wed, 16 Mar 2022 09:17:20 GMT

Hello everybody,

Actually we have several gateway clusters in our environment. By default we are logging DNS traffic (UDP 53) but we can see that actually only the connection itself is being logged

Does somebody know how to log the query in the DNS packet? I would like to see the queried domain in the log. I can see that there is a field named "DNS query" and "DNS Query Type" but both are empty so I think it should be an option to enable the gateway to fill that fields.

Thanks

Re: Log DNS query

PhoneBoy — Wed, 16 Mar 2022 19:15:54 GMT

What is the precise rule that is accepting the traffic?
I suspect it needs to done with an App Control rule (something that logs Detailed or Extended).

Re: Log DNS query

jgarcias — Thu, 17 Mar 2022 09:24:53 GMT

Our goal is having the queried domain name in the DNS logs, so as we can export it to a SIEM (via logexporter) and have the DNS request information, not only the connection.

We have some internal applications that tries to access different services (rare or custom protocols) and URLF/APP CONTROL does not show that information, but if we could log that in the DNS, at least we could see the domain name requested.

Thanks

Re: Log DNS query

jgarcias — Fri, 18 Mar 2022 12:44:27 GMT

any tip on how to achieve that, @PhoneBoy?

Re: Log DNS query

PhoneBoy — Fri, 18 Mar 2022 16:19:15 GMT

I thought there was an App Control signature that did this, but it doesn't appear there is one.
This is probably an RFE, but it might be worth a TAC case to confirm.

Re: Log DNS query

liwo — Thu, 28 Jul 2022 15:52:04 GMT

I'm looking to implement something similar - did you get anywhere with this?

Re: Log DNS query

CheckMate-R77 — Tue, 20 Feb 2024 08:23:19 GMT

@CheckPoint

Come on,

years go by and such a simple issue is not resolved yet? Top next gen firewall can't cope with so trivial task as DNS queries logging? Are You serious?

Re: Log DNS query

CheckMate-R77 — Tue, 20 Feb 2024 08:30:32 GMT

Let me ask what kind of SIEM do You have? Don't You have network sensor listening on the wire (TAP, port mirroring or promiscous)? Is Your issue resolved by now?

Re: Log DNS query

Lesley — Tue, 20 Feb 2024 08:38:04 GMT

Have you requested a RFE for this?

Re: Log DNS query

_Val_ — Tue, 20 Feb 2024 12:19:56 GMT

what issue? can you please be more specific?

Re: Log DNS query

CheckMate-R77 — Thu, 22 Feb 2024 07:27:03 GMT

Yes, I have - right after Your question.

Thanks for hint.

Re: Log DNS query

CheckMate-R77 — Thu, 22 Feb 2024 07:38:52 GMT

It's all about DNS transactions logging - mainly queries. It's simple UDP 53 plain text. Is there any way to show them in logs? Any sk number or something else?

Re: Log DNS query

Lesley — Thu, 22 Feb 2024 08:16:18 GMT

Maybe this: https://support.checkpoint.com/results/sk/sk116694

Version is EOL but worth a shot.

Although DNS is getting more and more encrypted (the request). Then firewall cannot see it anymore.

Re: Log DNS query

_Val_ — Thu, 22 Feb 2024 08:32:17 GMT

Got it. Please open a TAC request for this.

Re: Log DNS query

PA — Thu, 26 Mar 2026 10:45:44 GMT

Hi,
I have version R82. How can I make the "dns_query" field appear in the domain-udp query logs?
I tried the solutions from sk116694 and sk183647 without success, but it works in R81.20.

Re: Log DNS query

Lesley — Thu, 26 Mar 2026 21:54:15 GMT

i checked around, i dont see any related open bugs. It is not on the known limitations for r82. sk183647 states also R82, so I expect it to be supported. I would open TAC case. Or you can open a topic for your issue and hope someone on the community has more info.