https://community.checkpoint.com/t5/Firewall-and-Security-Management/AAAA-IPv6-DNS-requests-control/m-p/252969#M49562 <P>That would imply there's an explicit rule allowing traffic to the relevant DNS server in the first place.<BR />Or you allow DNS traffic via Global Properties:</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="image.png" style="width: 400px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/30928iA1B30DB3FE4700BF/image-size/medium?v=v2&amp;px=400" role="button" title="image.png" alt="image.png" /></span></P> <P>In R82, we provide <A href="https://sc1.checkpoint.com/documents/R82/WebAdminGuides/EN/CP_R82_Gaia_AdminGuide/Content/Topics-GAG/Hosts-and-DNS-DNS-Proxy-Forwarding-Domains.htm" target="_blank">dnsmasq</A>, which might help with this situation.<BR />Note that dnsmasq is also available in earlier releases, but it's not formally supported and <A href="https://phoneboy.org/2014/09/02/fun-with-check-point-dynamic-ip-gateways-in-r77-dot-20-with-gaia/" target="_self">must be activated manually</A>.<BR />As far as filtering specific types of DNS requests (i.e. specific lookups) outside of Threat Prevention capabilities, don't believe this is possible.</P> Thu, 10 Jul 2025 15:27:26 GMT PhoneBoy 2025-07-10T15:27:26Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/AAAA-IPv6-DNS-requests-control/m-p/252827#M49504 <P>Hi,</P><P>Some devices on our network generate a lot of AAAA DNS requests, despite having their IPv6 stack disabled. This causes an unwanted extra load on our DNS servers, which we'd like to avoid.</P><P>Is there a way to specifically drop AAAA DNS queries with a CheckPoint R81.20 gateway ?</P><P>Thanks.</P><P>&nbsp;</P> Wed, 09 Jul 2025 12:09:53 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/AAAA-IPv6-DNS-requests-control/m-p/252827#M49504 itinfranetwork 2025-07-09T12:09:53Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/AAAA-IPv6-DNS-requests-control/m-p/252969#M49562 <P>That would imply there's an explicit rule allowing traffic to the relevant DNS server in the first place.<BR />Or you allow DNS traffic via Global Properties:</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="image.png" style="width: 400px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/30928iA1B30DB3FE4700BF/image-size/medium?v=v2&amp;px=400" role="button" title="image.png" alt="image.png" /></span></P> <P>In R82, we provide <A href="https://sc1.checkpoint.com/documents/R82/WebAdminGuides/EN/CP_R82_Gaia_AdminGuide/Content/Topics-GAG/Hosts-and-DNS-DNS-Proxy-Forwarding-Domains.htm" target="_blank">dnsmasq</A>, which might help with this situation.<BR />Note that dnsmasq is also available in earlier releases, but it's not formally supported and <A href="https://phoneboy.org/2014/09/02/fun-with-check-point-dynamic-ip-gateways-in-r77-dot-20-with-gaia/" target="_self">must be activated manually</A>.<BR />As far as filtering specific types of DNS requests (i.e. specific lookups) outside of Threat Prevention capabilities, don't believe this is possible.</P> Thu, 10 Jul 2025 15:27:26 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/AAAA-IPv6-DNS-requests-control/m-p/252969#M49562 PhoneBoy 2025-07-10T15:27:26Z