https://community.checkpoint.com/t5/Firewall-and-Security-Management/DNS-NAT-issue-DNS-Doctoring/m-p/93892#M7301 <P>Attached diagram.</P><P>&nbsp;</P><P>Mahesh</P> Wed, 12 Aug 2020 05:47:18 GMT Mahesh_Patil 2020-08-12T05:47:18Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/DNS-NAT-issue-DNS-Doctoring/m-p/93800#M7290 <P>We have enabled DNS NAT with help of&nbsp;<SPAN>sk34295.&nbsp;</SPAN></P><P><SPAN>After enabling DNS NAT, firewall doing DNS NAT for all communications.</SPAN></P><P><SPAN>We do't want DNS NAT for all communications. example&nbsp;</SPAN></P><P><SPAN>source interface having 5 subnets&nbsp; and out of which required DNS NAT for four subnets and for one subnet we do not want DNS NAT.</SPAN></P><P><SPAN>Also in four subnets two subnets should having one IP address and another two subets should have another IP address of destination server.</SPAN></P><P><SPAN>Above scenario is not working. DNS NAT check 1st NAT rule and do the DNS NAT.&nbsp;</SPAN></P><P><SPAN>As per my observation, as per SK DNS NAT do not check source IP address while doing DNS NAT.</SPAN></P><P>&nbsp;</P><P><SPAN>Can some one help me on this.</SPAN></P><P>&nbsp;</P> Tue, 11 Aug 2020 05:17:45 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/DNS-NAT-issue-DNS-Doctoring/m-p/93800#M7290 Mahesh_Patil 2020-08-11T05:17:45Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/DNS-NAT-issue-DNS-Doctoring/m-p/93824#M7294 <P>Hi <a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/18353">@Mahesh_Patil</a>&nbsp;</P> <P>If you set fw_dns_xlation to true, it is globally valid for the DNS service.</P> <P>The feature has a global on/off switch, in the $FWDIR/conf/objects_5_0.C file on Security Management Server / Domain Management Server, called fw_dns_xlation (by default set to <EM>false</EM>). When its value is set to <EM>true</EM>, the regular NAT rulebase is used to determine how to change the DNS packets.</P> <P>The regular NAT rules used to translate the internal servers will suffice. There is no need to define special NAT rules in addition to the regular ones defined.</P> <P>I would use a manual Hide NAT rule for the outgoing DNS traffic.</P> <P>&nbsp;</P> Tue, 11 Aug 2020 08:29:51 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/DNS-NAT-issue-DNS-Doctoring/m-p/93824#M7294 HeikoAnkenbrand 2020-08-11T08:29:51Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/DNS-NAT-issue-DNS-Doctoring/m-p/93835#M7295 <P>Yes. But requirement is more. Let me give you example : -</P><P>Source subnet 172.16.1.0/24, 172.16.2.0/24, 172.16.3.0/24, 172.16.4.0/24 and 172.16.5.0/24 and destination real IP is 10.0.0.1</P><P>1. Now 172.16.1.0/24 and 172.16.2.0/24 should access 192.168.1.1 (NAT with 10.0.0.1)</P><P>2. Now 172.16.3.0/24 and 172.16.4.0/24 should access 192.168.2.2 (NAT with 10.0.0.1)</P><P>3. Now 172.16.5.0/24 should access to 10.0.0.1 (without NAT)</P><P>We required NAT DNS for point number 1 and 2.&nbsp; We do not required DNS NAT for point number 3.</P><P>Now 1st problem DNS NAT do NAT of all DNS request which is impacting to point number 3 connectivity.</P><P>2nd problem is in NAT order 1st NAT is 192.168.1.1 with 10.0.0.1. DNS NAT do not check source IP while doing&nbsp; DNS NAT due to which point number two connectivity get impacted as DNS NAT resolved/give IP address 192.168.1.1 in place of 192.168.2.2 in DNS query.</P><P>&nbsp;</P><P>How we can achieve this scenario.</P><P>&nbsp;</P><P>&nbsp;</P> Tue, 11 Aug 2020 09:15:02 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/DNS-NAT-issue-DNS-Doctoring/m-p/93835#M7295 Mahesh_Patil 2020-08-11T09:15:02Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/DNS-NAT-issue-DNS-Doctoring/m-p/93854#M7296 <P><a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/18353">@Mahesh_Patil</a>&nbsp;</P> <P>maybee a little network diagram with a sample should help.</P> <P>"DNS NAT" does no NAT on the packets itselfs. "DNS NAT" replaces IP-addresses in a DNS-response, which are initiated from a client to a DNS server.</P> <P>This traffic has to traverse the gateway, meaning the gateway has to see the request and the response of the DNS-query.&nbsp;</P> <P>The "DNS NAT" changes traffic only regarding UDP/53, nothing else. As you describe and I understand you can now see NAT on all connections ?</P> <P>Have a look at the limitations 2. and 3. from sk34295, it's important. The source object of your NAT rules for "DNS NAT" is regardless and you have to define different NAT-types (static or manual) for your specific object types (network or host).</P> <P>Wolfgang</P> <P>&nbsp;</P> Tue, 11 Aug 2020 13:49:34 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/DNS-NAT-issue-DNS-Doctoring/m-p/93854#M7296 Wolfgang 2020-08-11T13:49:34Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/DNS-NAT-issue-DNS-Doctoring/m-p/93892#M7301 <P>Attached diagram.</P><P>&nbsp;</P><P>Mahesh</P> Wed, 12 Aug 2020 05:47:18 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/DNS-NAT-issue-DNS-Doctoring/m-p/93892#M7301 Mahesh_Patil 2020-08-12T05:47:18Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/DNS-NAT-issue-DNS-Doctoring/m-p/93992#M7303 <P><a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/18353">@Mahesh_Patil</a>&nbsp;</P> <P>snip from the limitations:</P> <P>"<SPAN>DNS traffic (DNS Requests) will be translated based on the Destination address in the NAT rules <STRONG>without considering the Source of the traffic</STRONG></SPAN>"</P> <P>Wolfgang</P> Thu, 13 Aug 2020 08:34:20 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/DNS-NAT-issue-DNS-Doctoring/m-p/93992#M7303 Wolfgang 2020-08-13T08:34:20Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/DNS-NAT-issue-DNS-Doctoring/m-p/93997#M7304 <P>Yes. As per my understanding due to check only destination address for DNS NAT point number two and three scenario not working.</P><P>For point number two and three when DNS request coming from source,&nbsp; firewall do DNS NAT on 1st NAT statement. and due to receive wrong IP in DNS query by source, source unable to connect to destination.</P><P>Can we have solution on this? Or need to do development on this.&nbsp;</P> Thu, 13 Aug 2020 09:20:56 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/DNS-NAT-issue-DNS-Doctoring/m-p/93997#M7304 Mahesh_Patil 2020-08-13T09:20:56Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/DNS-NAT-issue-DNS-Doctoring/m-p/94142#M7316 <P>Basically, if the traffic is subject to NAT at all (by destination only), it is subject to DNS NAT if you have it enabled.<BR />In which case, it sounds like this is operating as designed and what you’re wanting to do would be an RFE.</P> Fri, 14 Aug 2020 18:56:14 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/DNS-NAT-issue-DNS-Doctoring/m-p/94142#M7316 PhoneBoy 2020-08-14T18:56:14Z