Pretty sure the answer is 'no', but does Check Point offer a DNS resolver service on their firewall/gateway products that I'm not aware of? To be clear, I'm just talking about a "forwarding" or "cache only" DNS server that can selectively forward certain queries to other internal DNS servers. It does not need to be authoritative or even do recursive lookups.
Palo Alto has offered this feature for at least 5 years called "DNS proxy", which is very useful for hybrid cloud scenarios where private DNS resolution is a requirement. To my knowledge, they are the only vendor with a service like this.
I believe Cisco Umbrella is a similar offering. To my knowledge, never heard of something like that on CP.
Andy
Not sure if this might be it, will read up on it after
Huh interesting. Seems like it would forward all DNS queries though, which in this specific case I want to avoid (i.e. I only want "example.internal" to be forwarded to internal DNS servers, with all other queries going to the default DNS server).
Right...oddly enough, I could not find a similar process for regular Gaia, so not sure it even exists, but maybe someone else can confirm.
Andy
Quickly checked clish and I see the option below, but don't believe this would help in your case either...?
Andy
quantum-firewall> set dns proxy forwarding-domain
DNS Forwarding Domains:
DNS queries in a forwarding domain can be forwarded to specific DNS servers.
A forwarding domain consists of a domain suffix and 3 DNS servers.
DNS queries ending with the domain's suffix will be forwarded to the domain's DNS servers.
quantum-firewall> set dns proxy forwarding-domain
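The forwarding rule in the help text above (a query ending with a domain's suffix goes to that domain's servers, everything else to the default resolver) can be modelled as follows; this is an added example, not Check Point or dnsmasq code and not part of any post in this thread. It compares whole DNS labels so that internal names do not leak to the default resolver and lookalike names do not reach the internal servers. The names `Forwarder`, `labels` and `build_example`, the placeholder addresses, reading "3 DNS servers" as an upper bound and longest-suffix precedence are all assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass, field

MAX_SERVERS = 3  # assumption: "3 DNS servers" in the help text is an upper bound


def labels(name: str) -> tuple[str, ...]:
    """Case-fold a DNS name, drop the trailing root dot, split into labels."""
    parts = tuple(name.strip().rstrip(".").lower().split("."))
    if not all(parts):
        raise ValueError(f"invalid DNS name: {name!r}")
    return parts


@dataclass
class Forwarder:
    default_servers: tuple[str, ...]
    domains: dict[tuple[str, ...], tuple[str, ...]] = field(default_factory=dict)

    def add_domain(self, suffix: str, servers: list[str]) -> None:
        if not 1 <= len(servers) <= MAX_SERVERS:
            raise ValueError(f"need 1..{MAX_SERVERS} servers for {suffix!r}")
        self.domains[labels(suffix)] = tuple(servers)

    def select(self, qname: str) -> tuple[str, ...]:
        """Return the resolvers for qname: longest matching suffix, else default."""
        q = labels(qname)
        # Compare whole labels, so "notexample.internal" never matches
        # "example.internal"; try the longest candidate suffix first.
        for start in range(len(q)):
            servers = self.domains.get(q[start:])
            if servers:
                return servers
        return self.default_servers


def build_example() -> Forwarder:
    """Constructed sample policy; all addresses are placeholders."""
    fwd = Forwarder(default_servers=("192.0.2.53",))
    fwd.add_domain("example.internal", ["10.0.0.53", "10.0.0.54"])
    fwd.add_domain("db.example.internal", ["10.0.1.53"])
    return fwd


if __name__ == "__main__":
    fwd = build_example()
    for name in ("host.example.internal", "Example.Internal.",
                 "notexample.internal", "example.internal.example.com",
                 "x.db.example.internal", "www.example.com"):
        print(f"{name:32} -> {', '.join(fwd.select(name))}")
```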
@the_rock the mentioned feature is possible with VSX and, as far as I know, not available in normal GAiA
Working with Virtual Systems chapter „configuring DNS server for a virtual system“
Thanks for pointing that out @Wolfgang , good to know.
Andy
DNS forwarding is only supported on the Spark range. If you need it on Quantum, please raise an RFE.
Or I could buy a Palo Alto and actually have the features I want right now.
Just sayin'
As I like to say...I don't disagree with you, meaning, I AGREE with you 😉
Andy
Gaia includes dnsmasq as part of the installation, which I believe can serve this function.
This is from a while ago, but it should still mostly be applicable.
See: https://phoneboy.org/2014/09/02/fun-with-check-point-dynamic-ip-gateways-in-r77-dot-20-with-gaia/
Note this is not formally supported.
If you require formal support, please raise an RFE with your local Check Point office.
This solution only works for embedded GAiA gateways. It's also mentioned by @KennyManrique in this older thread https://community.checkpoint.com/t5/SMB-Gateways-Spark/DNS-forwarding-for-internal-domain/m-p/69380#
Every year since the last 5 years I created a feature request for this. Maybe it will be available in the next decade...
I've used it on Gaia (not embedded) gateways and it works.
Granted, this wasn't recent, but I do see that dnsmasq is still present in R81.20 and have no reason to believe it wouldn't work with a similar configuration.
That's not the same as fully supported, of course (which requires an RFE).
Available on „real“ GAiA, this sounds really good Dameon. Never checked this out.
I did test this in my R81.20 lab and it did work. But, let's be honest here...if someone did it in production and it broke, TAC would never help them, as it's not officially supported and as we all know, RFE can take weeks, months, years...maybe more, who knows.
Hi @johnnyringo,
DNS server is not supported on a GAIA gateway. RFE will take too long 🙂
But the following SK can help you. Maybe in your case it is possible to solve this via DNS NAT.
How to configure DNS NAT (sk34295)
Had a customer who wanted to do this a couple of years ago, we had a TAC case going for 4 months, went nowhere, so the client gave up on it. Not sure if anyone made it work before, but we must have spent at least 20-25 hours on the phone with support trying to make this work and nothing.
I use it on VSX in R81.10 and it works