https://community.checkpoint.com/t5/SASE-and-Remote-Access/Is-it-possible-to-override-DNS-Proxy-or-create-exlusions/m-p/129966#M8036 <P>DNS Proxy follows the NAT rulebase.<BR />So...if you want to create exclusions, you would configure them as NAT rules.<BR /><A href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk34295" target="_blank">https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk34295</A>&nbsp;</P> Wed, 22 Sep 2021 15:41:57 GMT PhoneBoy 2021-09-22T15:41:57Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Is-it-possible-to-override-DNS-Proxy-or-create-exlusions/m-p/129756#M8035 <P>Hello together ...</P><P>&nbsp;</P><P>as a seperate post to this thread:<BR /><A href="https://community.checkpoint.com/t5/Security-Gateways/ISP-redundancy-and-DNS-records-for-Web-Servers-in-DMZ/m-p/110929&quot;" target="_blank" rel="noopener">https://community.checkpoint.com/t5/Security-Gateways/ISP-redundancy-and-DNS-records-for-Web-Servers-in-DMZ/m-p/110929</A></P><P>Is it possible to exclude IP ranges or VPN or perhapes special suffixes from DNS proxy ???<BR />Since all DNS requests passing an external interface are always catched by the gateway ... its often bad to get only the external DNS responses when the internal DNS addresses are required ...&nbsp; (Split DNS behavior)&nbsp;</P><P data-unlink="true">since <STRONG>sk23630</STRONG> describes a script,&nbsp; perhaps there are commands for exclusions?<BR /><BR /><SPAN># Start of dbedit script</SPAN><BR /><SPAN>#####################</SPAN><BR /><SPAN># Activate the DNS feature</SPAN><BR /><SPAN>modify network_objects corporate-gw firewall_setting::misp_dns_active true</SPAN><BR /><SPAN>#####################</SPAN><BR /><SPAN># Add the first entry (www.example.com, 192.168.1.80, 172.16.2.80)</SPAN><BR /><SPAN>create misp_dns_entry tmp_name</SPAN><BR /><SPAN>modify owned tmp_name misp_host_name www.example.com</SPAN><BR /><SPAN>addelement owned tmp_name misp_dns_addresses 192.168.1.80</SPAN><BR /><SPAN>addelement owned tmp_name misp_dns_addresses 172.16.2.80</SPAN><BR /><SPAN>add_owned_remove_name network_objects corporate-gw firewall_setting:misp_dns_entries owned:tmp_name</SPAN><BR /><SPAN>delete owned tmp_name</SPAN><BR /><SPAN>#####################</SPAN><BR /><SPAN># Add the second entry (ftp.example.com, 192.168.1.21, 172.16.2.21)</SPAN><BR /><SPAN>create misp_dns_entry tmp_name</SPAN><BR /><SPAN>modify owned tmp_name misp_host_name ftp.example.com</SPAN><BR /><SPAN>addelement owned tmp_name misp_dns_addresses 192.168.1.21</SPAN><BR /><SPAN>addelement owned tmp_name misp_dns_addresses 172.16.2.21</SPAN><BR /><SPAN>add_owned_remove_name network_objects corporate-gw firewall_setting:misp_dns_entries owned:tmp_name</SPAN><BR /><SPAN>delete owned tmp_name</SPAN><BR /><SPAN>#####################</SPAN><BR /><SPAN># Update the object</SPAN><BR /><SPAN>update network_objects corporate-gw</SPAN><BR /><SPAN>quit</SPAN><BR /><SPAN>#####################</SPAN><BR /><SPAN># end of dbedit script</SPAN><BR /><SPAN>#####################</SPAN></P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>maybe someone has an idea?</P><P>&nbsp;</P><P>best regards<BR />Thomas</P> Mon, 20 Sep 2021 13:15:26 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Is-it-possible-to-override-DNS-Proxy-or-create-exlusions/m-p/129756#M8035 Thomas_Eichelbu 2021-09-20T13:15:26Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Is-it-possible-to-override-DNS-Proxy-or-create-exlusions/m-p/129966#M8036 <P>DNS Proxy follows the NAT rulebase.<BR />So...if you want to create exclusions, you would configure them as NAT rules.<BR /><A href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk34295" target="_blank">https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk34295</A>&nbsp;</P> Wed, 22 Sep 2021 15:41:57 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Is-it-possible-to-override-DNS-Proxy-or-create-exlusions/m-p/129966#M8036 PhoneBoy 2021-09-22T15:41:57Z