
DNS flag day and DNS inspection

DNS flag day 

If there is a problem, the ednscomp tool displays an explanation for each failed test. Failures in these tests are typically caused by:

  • broken DNS software
  • broken firewall configuration

Firewalls must not drop DNS packets with EDNS extensions, including unknown extensions. 

How can this impact be prevented on a Check Point firewall?

5 Replies
Admin

Re: DNS flag day and DNS inspection

I ran this test from behind a Check Point gateway running IPS Optimized profile.

I also checked some other domains and got different results.

What specific results are you seeing?

0 Kudos

Re: DNS flag day and DNS inspection

I am concerned that the firewall will drop reply packets larger than 512 bytes.

0 Kudos
Admin

Re: DNS flag day and DNS inspection

As I said, I used the aforementioned site through a Check Point gateway configured with an IPS Optimized profile and did not see any errors/drops in the logs.

I also saw results that varied depending on the domain I was checking, so I assume these checks are not being blocked.

If you have evidence otherwise, please provide it (exact domains, screenshots of logs, etc.).

To the question you asked about the size of DNS packets, there is an Inspection Setting (IPS in R77.30 and earlier) called DNS Maximum Request Length.

This is set to Inactive by default (at least in R80.20).

Re: DNS flag day and DNS inspection

Thank you Dameon.

0 Kudos
Employee+

Re: DNS flag day and DNS inspection

As you correctly pointed out, one of the reasons for this to fail is a DNS server not updated accordingly. This is surely the most probable reason.

But if I'm not wrong...

The second option you mention is also possible. If you're using R77.30 prior to JHFA 345 (or an earlier major version), a Security Gateway with IPS enabled and the protection "Non Compliant DNS" set to Prevent may drop the EDNS queries to/from a corporate DNS server. If the protection status is set to Detect or Inactive, then it would not drop them.

Note that, in R77.30, there are two predefined profiles and this protection is set to Prevent by default in the "Recommended Profile".

This does not happen with R80.10 gateways, whatever the status of the "Non Compliant DNS" protection is. So, in case you're using R77.30 and have this protection in Prevent, you should change it to Detect, or upgrade the Security Gateway. More info about this last option in sk112578.

So, please check before 1st February if your DNS servers and also your infrastructure are prepared for this change (there is a test option in the link you've sent, 2019 | DNS flag day).
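
One way to check the concern raised in this thread from behind your own gateway, added here as an example and not part of any post: the Python below builds an EDNS query carrying an unknown option and reports whether the reply still carries an OPT record. The option code 65001, the function names and the message ID are assumptions chosen for illustration.

```python
import socket
import struct
UNKNOWN_OPT = 65001  # assumption: a code from the RFC 6891 local/experimental range

def build_edns_query(name, qtype=1, payload=4096, opt_code=None, opt_data=b""):
    """DNS query for `name` with an EDNS0 OPT record in the additional section."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 1)  # constructed ID, RD set
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    rdata = b"" if opt_code is None else struct.pack("!HH", opt_code, len(opt_data)) + opt_data
    # OPT RR: root name, TYPE 41, CLASS = UDP payload size, TTL = ext-rcode/version/flags
    opt = b"\x00" + struct.pack("!HHIH", 41, payload, 0, len(rdata)) + rdata
    return header + qname + struct.pack("!HH", qtype, 1) + opt

def skip_name(msg, off):
    # Return the offset just past a (possibly compressed) domain name.
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:
            return off + 2
        off += 1 + msg[off]
    return off + 1

def find_opt(msg):
    """(udp_payload_size, edns_version, [option codes]) of the OPT RR, or None."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 41:
            codes, p = [], off
            while p + 4 <= off + rdlen:
                code, length = struct.unpack("!HH", msg[p:p + 4])
                codes.append(code)
                p += 4 + length
            return rclass, (ttl >> 16) & 0xFF, codes
        off += rdlen

def probe(server, name, timeout=3.0, **kw):
    """Send over UDP; 'timeout' means nothing came back (server or path dropped it)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_edns_query(name, **kw), (server, 53))
        try:
            return "edns-ok" if find_opt(s.recv(65535)) else "no-opt-in-reply"
        except socket.timeout:
            return "timeout"
```

Calling `probe(resolver_ip, "example.com", opt_code=UNKNOWN_OPT)` once from behind the gateway and once from a path that bypasses it, then comparing the two results with the gateway logs, shows whether the gateway is the component dropping the query. A timeout on its own does not distinguish the firewall from the DNS server.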