Check Point Next Generation Firewall in Front of Public DNS
Dear Mates
We recently bought a new DNS solution which will be used as our public server. The solution comes with security features to protect the server from different types of attacks (see attached picture).
We are in the process of deciding whether you should put it behind our Next Generation Firewall or not. So, I would like to ask, based on your experience, which solution is appropriate and why. The solutions are mentioned below:
1. DNS server exposed directly on the internet, relying on its security features (see attached picture)
2. Next Generation Firewall (Check Point) in front of the public DNS server
What are the benefits of one solution in detriment of the other? Which set-up would you advise us to follow?
Thanks in Advance
Not to mention you can use policy to limit poking and prodding on other ports.
Apologies, but I would like to ask you a conceptual question:
Why would you expect incoming DNS queries to your on-premises public DNS server?
Typically, you'd host your public DNS locally when using it as a stealth master and replicate zones to the cloud hosted DNS providers. Those are then used to actually take hits from the outside.
Take a look here for instance: https://www.infoworld.com/article/2629086/why-you-should-use-stealth-master-dns.html
If this is the design you are working towards, then yes, place the DNS behind the firewall and permit only zone replication to the cloud-based secondaries.
Regards,
Vladimir
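A minimal hidden-master configuration that implements the design described above, added here as an example and not taken from the thread or from any product in it; it assumes BIND 9, and the addresses, key name and zone name are constructed placeholders:

```conf
// Hidden (stealth) master for example.com: the zone is authored here, but only
// the cloud-hosted secondaries may replicate it, and the server never answers
// the public directly. Addresses and names are constructed placeholders.

// TSIG key shared with the cloud secondaries (generate with tsig-keygen and
// replace the placeholder secret).
key "cloud-xfer-key" {
    algorithm hmac-sha256;
    secret "REPLACE_WITH_BASE64_SECRET";
};

acl "cloud-secondaries" {
    203.0.113.10;   // constructed: provider secondary #1
    203.0.113.11;   // constructed: provider secondary #2
};

options {
    directory "/var/named";
    listen-on { 192.0.2.53; };   // constructed: address behind the firewall
    recursion no;                // authoritative only, never an open resolver
    allow-query { none; };       // default: nobody queries this box directly
    allow-transfer { none; };    // default: no zone transfers at all
    notify explicit;             // notify only the secondaries listed per zone
    minimal-responses yes;
};

zone "example.com" IN {
    type primary;                // "type master" on BIND releases before 9.16
    file "example.com.zone";
    // Secondaries may poll the SOA serial; nobody else gets an answer.
    allow-query { cloud-secondaries; };
    // Transfers only to requests signed with the shared TSIG key.
    allow-transfer { key "cloud-xfer-key"; };
    also-notify {
        203.0.113.10 key "cloud-xfer-key";
        203.0.113.11 key "cloud-xfer-key";
    };
};
```

With this in place the firewall rule in front of the master only has to allow DNS (TCP and UDP 53) from the two secondary addresses to 192.0.2.53, and everything else inbound can be dropped.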
We provide DNS services to some of our enterprise clients as well, and so we expect them to come to our public DNS server. That's why we expect DNS queries from them.
Regards
Dialungana Malungo
It is a normal utilization of the public DNS, except that by offloading your secondary zones to the cloud-based DNS services, you are removing the possibility of someone DDoSing your on-premises server.
Serving DNS directly from your master on-premises server creates two issues:
1. Latency. Whoever is trying to resolve your public addresses has to get the responses from your server, regardless of where they are located. With cloud-based secondaries, they will get the resolution from the closest geographically located pool.
2. Susceptibility to denial of service: because this is the single server sitting behind your ISP, simply querying it repeatedly may slow down legitimate queries.
Perhaps there are some cases where it makes sense, but the reasons have got to be justified.
I fully agree with Vladimir; hosting DNS locally and answering DNS queries directly from it isn't a good solution.
Let one of the DNS providers in the cloud answer your clients' queries. They are well prepared for DDoS attacks, offer reliability all over the world and give you very good availability. You can get the same level of service with your local environment only with a lot of hardware, ISP lines and a lot of work to do.
Maybe you need this locally, but review your solution. We did the same thing for our clients and this is working well, transferring the DNS zones from us to the public cloud DNS providers.
Wolfgang
