topic Re: DNS question in Firewall and Security Management

DNS question

the_rock — Fri, 12 Jul 2024 21:27:44 GMT

Hey everyone,

Sorry if this may sound like a dumb/stupid/silly question (or all 3 together lol), but I had customer ask me something that no one ever asked me in all my years with CP. So, they wanted to know if Check Point has their own DNS servers like Fortinet does that customers could use? Im pretty sure the answer is no, as I had never seen or heard of any, but wanted to be 100% sure.

Below is what Im referring to on Fortigates.

Best and thanks as always for the help.

Andy

Re: DNS question

the_rock — Sat, 13 Jul 2024 13:32:23 GMT

As I suspected, the answer is no, SE also confirmed the same.

Andy

Re: DNS question

PhoneBoy — Sun, 14 Jul 2024 16:14:26 GMT

Officially, no.
However, dnsmasq has been unofficially on Gaia OS for quite some time.
I even wrote something about it a decade ago (including how to use it): https://phoneboy.org/2014/09/02/fun-with-check-point-dynamic-ip-gateways-in-r77-dot-20-with-gaia/
In the R82 EA, I noticed it’s actually running.
Not sure what it is officially used for as I haven’t dug into it.

Re: DNS question

the_rock — Sun, 14 Jul 2024 16:20:53 GMT

Funny you gave that link, as I was reading it before making the post and even customer told me about it 🙂

Will test in in R82 lab.

Andy

Re: DNS question

the_rock — Mon, 15 Jul 2024 14:19:56 GMT

@PhoneBoy

Ran the commands, but not working, definitely missing something brother...any idea? 🙂

Andy

[Expert@R82-TEST-FW:0]# dbset process:dnsmasq t
[Expert@R82-TEST-FW:0]# dbset process:dnsmasq:path /usr/sbin
[Expert@R82-TEST-FW:0]# dbset process:dnsmasq:runlevel 3
[Expert@R82-TEST-FW:0]# dbset :save
[Expert@R82-TEST-FW:0]# dnsmasq

dnsmasq: failed to create listening socket for 127.0.0.1: Address already in use
[Expert@R82-TEST-FW:0]# fw ver -k
This is Check Point's software version R82 - Build 760
kernel: R82 - Build 735
[Expert@R82-TEST-FW:0]#

Re: DNS question

John-Haynes — Mon, 15 Jul 2024 14:49:42 GMT

Would love to see CP come out with a product like "Meta IP" again.

As far as free DNS services that provide security, Quad9 is still the best. Recently saw some C2 Beacons trying to be accessed. Quad9 was the only provider already blocking the domains.

Re: DNS question

the_rock — Mon, 15 Jul 2024 14:52:06 GMT

Quad 9? Never heard of it, but reading about it, seems like its fantastic, awesome reviews...will let the customer know.

THANK YOU!!

Andy

Re: DNS question

PhoneBoy — Mon, 15 Jul 2024 19:01:34 GMT

Like I said, dnsmasq is already running on R82 (no need to enable it).
Version string says is 2.76.
The configuration file looks like this:

# This file was AUTOMATICALLY GENERATED # Generated by /bin/dnsmasq_xlate on Tue Jun 18 13:44:47 2024 # # DO NOT EDIT # bind-interfaces cache-size=1000 no-poll listen-address=127.0.0.1 server=/#/x.y.z.w conf-dir=/etc/dnsmasq.d

This tells me the following:

It's basically a caching DNS server (x.y.z.w appears to be the DNS server configured in the Gaia OS)
Additional configuration can be bootstrapped from files added in /etc/dnsmasq.d

Whether this works/is supported is a separate question.

Re: DNS question

the_rock — Mon, 15 Jul 2024 19:14:31 GMT

1( What file is that?

2) should not dnsmasq command give something?

Andy

Re: DNS question

PhoneBoy — Mon, 15 Jul 2024 20:15:40 GMT

The configuration file is /etc/dnsmasq.conf
The error message you receive is because dnsmasq is already running (as stated previously).

Re: DNS question

Lesley — Mon, 15 Jul 2024 20:40:57 GMT

Never seen or read anything regarding DNS provided by Check Point.

There is ns1.checkpoint.com but they deny my DNS request 😉

C:\Users\lesle>nslookup therock.com ns1.checkpoint.com
Server: dns1.zonelabs.com
Address: 209.87.222.140

*** dns1.zonelabs.com can't find therock.com: Query refused

C:\Users\lesle>nslookup ns1.checkpoint.com
Server: gpon.net
Address: fe80::1

Non-authoritative answer:
Name: ns1.checkpoint.com
Address: 209.87.222.140

Re: DNS question

the_rock — Mon, 15 Jul 2024 21:02:28 GMT

K, gotcha...this is what it looks like in my lab, appears how I set it up.

Andy

[Expert@CP-EXL-1-s01-01:0]# more dnsmasq.conf
# This file was AUTOMATICALLY GENERATED
# Generated by /bin/dnsmasq_xlate on Fri Jul 12 15:27:11 2024
#
# DO NOT EDIT
#
bind-interfaces
cache-size=1000
no-poll
listen-address=127.0.0.1
server=/#/8.8.8.8
server=/#/8.8.4.4
server=/#/2.2.2.2
conf-dir=/etc/dnsmasq.d
[Expert@CP-EXL-1-s01-01:0]#

Re: DNS question

the_rock — Tue, 16 Jul 2024 12:39:38 GMT

John,

Just wanted to thank you again for providing this. I cant believe how great these dns servers are, its truly amazing. Compared to google DNS, there is literally no comparison...simply outstanding.

I mean, I even tested it at home and though I have 1.5 GB download abd 1 GB upload fiber through my ISP, when I use quad 9 dns servers, it seems way faster then when uding google DNS.

Thanks again mate!!! ✌️

Andy