https://community.checkpoint.com/t5/General-Topics/DNS-rewriting-Hack/m-p/232272#M38814 <P>Good point&nbsp;<a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/21670">@HeikoAnkenbrand</a>&nbsp;</P> Sun, 10 Nov 2024 23:36:46 GMT the_rock 2024-11-10T23:36:46Z https://community.checkpoint.com/t5/General-Topics/DNS-rewriting-Hack/m-p/232072#M38788 <P>I have found an interesting way to rewrite DNS requests to other IP addresses.<BR />This makes it possible to use the internal private addresses on the internal DNS server for the DNS requests. <BR />External DNS queries that are requested via the Internet can be rewritten to official addresses on the firewall.<BR />The ISP function can be used as a hack for this purpose.</P> <P>If you activate and configure ISP Redundancy on the gateway, you have the option of rewriting DNS queries. This can be used to rewrite regular DNS queries to other IP addresses.<BR /><BR />Example configuration:</P> <P>1) Enable ISP on the gateway<BR /><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="DNS1_57h543.jpg" style="width: 564px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/28408iFFFC1FAF07E15CA0/image-size/large?v=v2&amp;px=999" role="button" title="DNS1_57h543.jpg" alt="DNS1_57h543.jpg" /></span><BR /><BR />2) Now select the “Primary/Backup” redundancy mode (see picture 1)<BR /><BR />3) Now create an ISP link (that corresponds to your external interface in the direction to the Internet in my example “external_interface”.<BR /><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="DNS2_345njk3k4.jpg" style="width: 495px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/28409i76EC3BDBACE0F773/image-size/large?v=v2&amp;px=999" role="button" title="DNS2_345njk3k4.jpg" alt="DNS2_345njk3k4.jpg" /></span></P> <P>4) Unfortunately, two interfaces must be defined, so you have to work with a placeholder interface for ISP2 link. Then create a link that only functions as a placeholder in my example “not_used”. Fictitious IP addresses can be used for the interface.</P> <P>5) Now enabling “DNS Proxy”<BR /><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="DNS2B_64hjh423.png" style="width: 417px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/28410i74BE6882F0DBD9B4/image-dimensions/417x47?v=v2" width="417" height="47" role="button" title="DNS2B_64hjh423.png" alt="DNS2B_64hjh423.png" /></span></P> <P>6) In the next step, you can enter the DNS settings that you want to rewrite (red).<BR /><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="DNS3_345hj345.png" style="width: 907px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/28411i9913B47A13E3119E/image-size/large?v=v2&amp;px=999" role="button" title="DNS3_345hj345.png" alt="DNS3_345hj345.png" /></span></P> <P>You can enter any address for the second ISP backup link (blue), as this is not used in my example.</P> <P>&nbsp;</P> Fri, 08 Nov 2024 09:25:59 GMT https://community.checkpoint.com/t5/General-Topics/DNS-rewriting-Hack/m-p/232072#M38788 HeikoAnkenbrand 2024-11-08T09:25:59Z https://community.checkpoint.com/t5/General-Topics/DNS-rewriting-Hack/m-p/232083#M38790 <P>Hello,&nbsp;<BR /><BR />not sure if you could call it a "hack" ... it just the way it works i would say ...<BR />overwrite everything with your manual configuration<BR />maybe a dirty way to make split DNS when connecting via Client VPN. <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span><BR /><BR /><BR /></P> Fri, 08 Nov 2024 10:57:54 GMT https://community.checkpoint.com/t5/General-Topics/DNS-rewriting-Hack/m-p/232083#M38790 Thomas_Eichelbu 2024-11-08T10:57:54Z https://community.checkpoint.com/t5/General-Topics/DNS-rewriting-Hack/m-p/232227#M38813 <P>Hi <a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/24246">@Thomas_Eichelbu</a>,<BR /><BR />Hack or no hack. <BR /><BR />Had used ISP in a customer project to do this. <BR />It is the only way I know of to rewrite DNS requests on a gateway<span class="lia-unicode-emoji" title=":smiling_face_with_smiling_eyes:">😊</span>. <BR /><BR />It is a pity that there is no DNS proxy that can be used to rewrite DNS queries. It was a feature request of me years ago.<BR />ISP primary is not designed to rewrite DNS requests, but it can be used to do so, even if only one internet service provider is used.</P> Sat, 09 Nov 2024 16:22:33 GMT https://community.checkpoint.com/t5/General-Topics/DNS-rewriting-Hack/m-p/232227#M38813 HeikoAnkenbrand 2024-11-09T16:22:33Z https://community.checkpoint.com/t5/General-Topics/DNS-rewriting-Hack/m-p/232272#M38814 <P>Good point&nbsp;<a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/21670">@HeikoAnkenbrand</a>&nbsp;</P> Sun, 10 Nov 2024 23:36:46 GMT https://community.checkpoint.com/t5/General-Topics/DNS-rewriting-Hack/m-p/232272#M38814 the_rock 2024-11-10T23:36:46Z https://community.checkpoint.com/t5/General-Topics/DNS-rewriting-Hack/m-p/232376#M38829 <P>Someone must have heard you (and others) as it's integrated into R82:&nbsp;<A href="https://sc1.checkpoint.com/documents/R82/WebAdminGuides/EN/CP_R82_Gaia_AdminGuide/Content/Topics-GAG/Hosts-and-DNS-DNS-Proxy-Forwarding-Domains.htm" target="_blank">https://sc1.checkpoint.com/documents/R82/WebAdminGuides/EN/CP_R82_Gaia_AdminGuide/Content/Topics-GAG/Hosts-and-DNS-DNS-Proxy-Forwarding-Domains.htm</A>&nbsp;</P> <P>The funny thing is that&nbsp;<A href="https://phoneboy.org/2014/09/02/fun-with-check-point-dynamic-ip-gateways-in-r77-dot-20-with-gaia/" target="_self">dnsmasq has been installed on Gaia since at least R77.20</A>&nbsp;though it was disabled.<BR /><BR /></P> Mon, 11 Nov 2024 23:02:05 GMT https://community.checkpoint.com/t5/General-Topics/DNS-rewriting-Hack/m-p/232376#M38829 PhoneBoy 2024-11-11T23:02:05Z