topic Re: DNS Resolution in Checkpoint SSL Network Externder in SASE and Remote Access

DNS Resolution in Checkpoint SSL Network Externder

rolandk — Wed, 31 Jan 2024 12:22:23 GMT

Hello,

we have several macos clients who need to connect to customer site via ssl vpn.

when they use our viscosity/openvpn vpn and then connect to customer vpn with snx (i.e. use connect button for native applicatins in web portal), they can access internal ressources in our company network, as viscosity/openvpn is setting up split dns, so dns query to @ourdomain.com is handled by our internal dns server.

when their macbook is located in the company internal network, they cannot resolve anything from internal @ourdomain.com dns names anymore after connecting to customer ssl vpn , as ssl vpn is overwriting internal dns servers and that seems to be active globally then.

how can this be resolved ?

how can dns be resolved selectively, i.e. by target domain ?

regards
roland

Re: DNS Resolution in Checkpoint SSL Network Externder

PhoneBoy — Fri, 02 Feb 2024 02:10:09 GMT

You may need a hotfix for this.
See: https://support.checkpoint.com/results/sk/sk115279

Re: DNS Resolution in Checkpoint SSL Network Externder

the_rock — Fri, 02 Feb 2024 02:22:45 GMT

What do you have configured as dns suffix in remote access gateway settings (if any)?

Andy

Re: DNS Resolution in Checkpoint SSL Network Externder

rolandk — Fri, 02 Feb 2024 14:02:12 GMT

> When connect to SNX from Mac OS X, name resolution fails because it does not use the Office Mode IP address for DNS Server. Instead, it uses the DNS setting from Mac OS X.

> Traffic capture on Mac OS X shows that DNS traffic leaves the physical interface instead of SNX (utun0).

> The issue only happens in DHCP environment, in which the Mac OS X machine obtains the IP address and DNS configuration from the DHCP Server.

that does not apply for us, as snx changes the dns server to the customers dns server and so local name resulution in the office won't work anymore.

we need per-domain resolution with split dns like in viscosity.

Re: DNS Resolution in Checkpoint SSL Network Externder

rolandk — Fri, 02 Feb 2024 14:03:21 GMT

we do not have access to access gateway settings, as it is owned by customer

Re: DNS Resolution in Checkpoint SSL Network Externder

the_rock — Fri, 02 Feb 2024 14:06:22 GMT

This is what Im referring to

Andy

Re: DNS Resolution in Checkpoint SSL Network Externder

PhoneBoy — Thu, 08 Feb 2024 23:22:36 GMT

Like I said, you may need a hotfix for this, which is mentioned in the SK I linked to.
If your customer supports it, you can also use Endpoint Security VPN client to connect on macOS, which works correctly in this scenario.

Re: DNS Resolution in Checkpoint SSL Network Externder

JH_Ranger — Mon, 04 Mar 2024 02:07:50 GMT

I am not sure about MacOS, but in Windows, you can assign each interface a priority. The DNS server for the interface with the highest priority is used for all lookups. When you connect to SNX, it promotes the metric of that adapter (routing your DNS requests through the new CheckPoint Virtual Network adapter) to 1, but keeps the other connections at a higher value (e.g. 25, but you can check that by listing the routing table on the host).

If you want to use the DNS server on the LAN whilst connected to SNX, you could either promote that interface by giving it a lower metric, or you could manually configure the SNX Virtual Network Adapter to use your DNS server.

If you want to resolve your DNS selectively (based on target domain), you could use a DNS intercept tool, which intercepts DNS queries at the system level, and directs them to the appropriate DNS servers based on a set of predefined rules. I think on MAC, you may even be able to use DNSMASQ.