topic Re: DNS flag day and DNS inspection in Firewall and Security Management

DNS flag day and DNS inspection

Kosin_Usuwanthi — Thu, 03 Jan 2019 03:40:48 GMT

If there is a problem, the ednscomp tool displays an explanation for each failed test. Failures in these tests are typically caused by:

broken DNS software
broken firewall configuration

Firewalls must not drop DNS packets with EDNS extensions, including unknown extensions.

How to prevent this impact on CheckPoint firewall ?

Re: DNS flag day and DNS inspection

PhoneBoy — Thu, 03 Jan 2019 04:20:15 GMT

I ran this test from behind a Check Point gateway running IPS Optimized profile.

I also checked some other domains and got different results.

What specific results are you seeing?

Re: DNS flag day and DNS inspection

Kosin_Usuwanthi — Thu, 03 Jan 2019 04:29:36 GMT

I have concern about firewall will drop reply packet more than 512 bytes.

Re: DNS flag day and DNS inspection

PhoneBoy — Thu, 03 Jan 2019 05:42:56 GMT

As I said, I used the aforementioned site thru a Check Point gateway configured with an IPS Optimized profile and did not see any errors/drops in the logs.

I also saw results that varied depending on the domain I was checking, so I assume these checks are not being blocked.

If you have evidence otherwise, please provide it (exact domains, screenshots of logs, etc).

To the question you asked about the size of DNS packets, there is an Inspection Setting (IPS in R77.30 and earlier) called DNS Maximum Request Length.

This is set to Inactive by default (at least in R80.20).

Re: DNS flag day and DNS inspection

Kosin_Usuwanthi — Thu, 03 Jan 2019 06:45:58 GMT

Thank you Dameon.

Re: DNS flag day and DNS inspection

Victor_MR — Fri, 25 Jan 2019 18:13:04 GMT

As you correctly pointed, one of the reasons for this to fail is a DNS server not updated accordingly. This is surely the most probably reason.

But if I'm not wrong...

The second option you say is also possible. If you're using R77.30 prior JHFA 345 (or an earlier major version), a Security Gateway with IPS enabled and the protection "Non Compliant DNS" set to Prevent may drop the EDNS queries to/from a corporate DNS server. If the protection status is set to Detect or Inactive, then it would not drop it.

Note that, in R77.30, there are two predefined profiles and this protection is set to Prevent by default in the "Recommended Profile".

This does not happen with R80.10 gateways, whatever the status of the "Non Compliant DNS" protection is. So, in case you're using R77.30 and have this protection in Prevent, you should change it to Detect, or to upgrade the Security Gateway. More info about this last option in the sk112578.

So, please check before 1st February if your DNS servers and also your infraestructure is prepared for this change (there is a test option in the link you've sent, 2019 | DNS flag day )