topic Re: 2M DNS queries per day via vpn for about 1k fqdn - 1900+ each in Spark Firewall (SMB)

2M DNS queries per day via vpn for about 1k fqdn - 1900+ each

chrominek — Wed, 11 Dec 2024 10:06:11 GMT

Hi!

No user activity, no security blades, only "baby vpn". All over the clock, regardless of the user activity, over the vpn are sent dns queries. Quantum Spark 1570 Appliance R81.10.10 (996002993)

For the last 24 hours it looks like this:

... | stats dc(query) as distinct_query_count -> 923

...

Counts for each FQDN are similar, around 1900. FQDNs are mixed.

Looks like not related to any user traffic (tcpdump not showing any activity nor any dns queries on the internal interfaces).

Looks like autogenerated by gateway itself - almost 2M queries/day.

Some fgdns are "grepable" in prfm2.0, some not.

Why at all, why this FQDN-s (923 for the last 24 h), why every 45s (24*3600/1900 =~45) ?

Andrzej

Re: 2M DNS queries per day via vpn for about 1k fqdn - 1900+ each

PhoneBoy — Wed, 11 Dec 2024 15:28:38 GMT

What does your access policy look like?
If you're using any FQDN objects or Updatable Objects, we need to resolve those DNS domains to IP addresses, thus the gateway will need to issue DNS requests.

Re: 2M DNS queries per day via vpn for about 1k fqdn - 1900+ each

chrominek — Thu, 12 Dec 2024 10:33:29 GMT

Hello,

Thx for response. The policy is simple - everything into the tunnel ( 2 rules - one for private networks and the second for all others ) and reverse - only selected, private subnets (mostly mgmt). IoT is disabled, dynamic objects are not used - an old days classic policy ;-). Anyway, if using over fibers - no big problem. But over wireless networks 2M dns queries a day ( dns + ESP is about about 50 bytes ) uses 100 MB/day for nothing and 3GB per month. There is nothing dynamic in this vpn gateway. How to disable this DNS queries? Maybe somebody knows?

Andrzej

Re: 2M DNS queries per day via vpn for about 1k fqdn - 1900+ each

Lesley — Thu, 12 Dec 2024 11:01:06 GMT

Is the gateway maybe set as dns server for the clients? Maybe on accident? What if you run ipconfig on a few to verify this

Re: 2M DNS queries per day via vpn for about 1k fqdn - 1900+ each

Dafna — Thu, 12 Dec 2024 11:21:41 GMT

Can you please try to turn off smart accel ?

Re: 2M DNS queries per day via vpn for about 1k fqdn - 1900+ each

chrominek — Thu, 12 Dec 2024 11:23:16 GMT

No. No dns queries from any client, Every 45 seconds each of the 935 FQDNs is beeing resolved (gateway sends requests to the DNS server, asking for it)

Re: 2M DNS queries per day via vpn for about 1k fqdn - 1900+ each

chrominek — Thu, 12 Dec 2024 11:53:00 GMT

I will try fwaccel off ...

Re: 2M DNS queries per day via vpn for about 1k fqdn - 1900+ each

PhoneBoy — Thu, 12 Dec 2024 15:21:42 GMT

The only other things I can think of that MIGHT trigger DNS queries are Fast Accel (disabled by default) and SD-WAN (enabled by default).
Both of these are under Access Control > Firewall.
In any case, your best bet is to engage TAC so we can investigate.

Re: 2M DNS queries per day via vpn for about 1k fqdn - 1900+ each

Dafna — Sun, 15 Dec 2024 06:46:10 GMT

Hi please try to turn off smart accel via webUI (under Access Policy-->Fast Accel)

Re: 2M DNS queries per day via vpn for about 1k fqdn - 1900+ each

G_W_Albrecht — Tue, 17 Dec 2024 14:03:24 GMT

I have a workaround for you that had been tested at a customers.

To achieve this, you can add the following commands into userScript file:

# cpwd_admin stop -name WSDNSD
# cpwd_admin detach -name WSDNSD

No DNS queries will be sent when this is set - just test it on-the-fly using the commands on CLI!

This WSDNSD behaviour was internally considered a bug by R&D (WSDNS is used as DNS resolver when the appliance is used as a HTTP/HTTPS proxy and WSDNSD makes requests for smartAccel, but it does the same requests even if both HTTP/HTTPS proxy and smartAccel is not used/disabled), but i am not sure if this has already been fixed in current firmware...

The case in which this information has been collected was resolved by using internal objects in WebGUI - if you define FQDN objects as object something.com 8.8.8.8, no DNS request for this FQDN will be sent, but it will make more sense to disable WSDNSD than to define 935 internal objects here...

Re: 2M DNS queries per day via vpn for about 1k fqdn - 1900+ each

chrominek — Wed, 18 Dec 2024 08:10:31 GMT

Thank you very much!

WSDNSD works immediately! Talking about a userscript you think to schedule it into the SystemManagement/Scheduler? I guess it should be executed by example 5 minutes after boot, until the fixed firmware release/upgrade?

Re: 2M DNS queries per day via vpn for about 1k fqdn - 1900+ each

G_W_Albrecht — Wed, 18 Dec 2024 08:49:14 GMT

No, this is a 15x0x applance = SMB: https://support.checkpoint.com/results/sk/sk52520

SMBs use the userScript file to call custome commands during startup, so this is the place for the two lines !

Give a Kudo if you like my post...

Re: 2M DNS queries per day via vpn for about 1k fqdn - 1900+ each

G_W_Albrecht — Thu, 19 Dec 2024 08:08:30 GMT

I would rather not call this a solution but a workaround only ! I had been rather upset that R&D did not want to fix it.

Re: 2M DNS queries per day via vpn for about 1k fqdn - 1900+ each

G_W_Albrecht — Tue, 07 Jan 2025 10:28:33 GMT

As i wrote above, R&D called this a bug but was not willing to fix that for the firmware showing the issue...

Re: 2M DNS queries per day via vpn for about 1k fqdn - 1900+ each

chrominek — Tue, 07 Jan 2025 10:49:49 GMT

Works perfect, but after any GUI changes the WSDNSD service is restarted . Cron - each 15 minutes stop this service? Is it possible to disable it permanently? Or the scheduler is the last hope? From GUI or to try cli?

https://blog.spikefishsolutions.com/2016/04/enabling-cron-scheduling-services-on.html

https://community.checkpoint.com/t5/SMB-Gateways-Spark/Perform-scheduled-scripted-tasks-on-SMB-devices-without-using/td-p/40054

https://community.checkpoint.com/t5/Management/Job-Scheduler-to-stop-and-start-the-wsdnsd-process-on-Gaia-R80/td-p/94124

Re: 2M DNS queries per day via vpn for about 1k fqdn - 1900+ each

G_W_Albrecht — Tue, 07 Jan 2025 10:58:09 GMT

Strange - if WSDNSD service is detached from Watchdog at boot time, i would not expect this to happen!

Other alternative suggested by R&D was

watch -n 30 "$FWDIR/bin/cpwd_admin stop -name WSDNSD > /dev/null" &

This also should go into userScript and kills WSDNSD every 30s...