Ben_Fung
Contributor

FQDN and Domain Objects in R80.10 when the DNS server fails?

In FQDN and Domain Objects in R80.10, if the DNS server fails a DNS query, will it affect the overall operation of the Check Point firewall? I remember that on R77 it was affected if a DNS query failed; the rules below it would fail too.

21 Replies
Kaspars_Zibarts
Employee

No it won't, as DNS queries are executed in the background and cached every 30 seconds. I'm guessing that in case you have a total DNS outage for a long period of time, the DNS cache will last for each record's TTL and then simply time out, and that rule simply won't work. But it won't affect other rules nor slow down the gateway.

I believe it's one of the best hidden gems in R80.10!

More in Domain Objects in R80.10 and above 

Atul_Mahadik
Explorer

Hello ,

Just want to check: do we need to enable the Application blade in R80.10 to use this feature for adding rules to the rule base allowing FQDN objects?

Dor_Marcovitch
Advisor

Don't think so, but you will need to check the checkbox "FQDN" on the domain object and the FW must be R80.10+

otherwise the GW will use the "OLD" mechanism 

Kaspars_Zibarts
Employee

Nope, you don't need to do that. It works straight out of the box

Bruno_Petronio
Contributor

Kaspars Zibarts wrote:

No it won't as DNS queries are executed in the background and cached every 30 seconds.

Do you know where to look for these DNS entries?

I had a look in some tables through fw tab -t but didn't find what I'm looking for.

Thanks in advance.

Kaspars_Zibarts
Employee

Actually no I haven't had time to dig into it  

Bruno_Petronio
Contributor

Thanks Kaspars,

Just for the sharing purpose:

I found it in sk90401...

How can the cache be viewed for troubleshooting?

There are 2 kernel tables. Run:

  • fw tab -t dns_reverse_cache_tbl -u
  • fw tab -t dns_reverse_unmatched_cache -u

... but the mentioned tables are not present... (table xxx not loaded: Invalid argument)

fw tab -s | grep dns_reverse doesn't show any either.

Tommie_Van_Hove
Participant

Coming back to this.
The SK mentioned has a bit of a confusing layout.

However, I now believe that all text after the line "Changes in Domain Objects since R80.10"

is only applicable to R80.10 and above.
So the tables you list exist only in R80.10 (I verified this by running the commands on:

R77.30, R80.10 and R80.20 devices.

On R80.10 and R80.20 an output is given, even if the table is empty (just the headers then).

On R77.30 you get the default reply for a non-existing table.)

Question is: I found some info explaining that pre-R80.10 the firewall was also capable of caching the DNS lookups.
However, it's not in the above mentioned tables, so where can we query this?

As I have someone who has the same question:
we use domain objects in R77.30, are aware of the impact/risks, but want to see the cached info.

An upgrade to R80.x is planned, but in the meantime where can we find this info?

Kaspars_Zibarts
Employee

Dameon Welch-Abernathy could you check internally if this is publicly available info where FQDN objects are cached (tables?) and how to fetch it? Thanks!

PhoneBoy
Admin

It's not documented in SK anywhere, but I believe the table is called domain_cache.

Kaspars_Zibarts
Employee

Yeah, I was searching for different options like "name, dns, ns, cache" but nothing really seems to fit. For example, I know we use it extensively on this VS but the suggested table is zero in size.

[Expert@vsx:6]# fw tab -s -t domain_cache
HOST NAME ID #VALS #PEAK #SLINKS
localhost domain_cache 8190 0 0 0

PhoneBoy
Admin

This name was suggested by various CFG and TAC SRs, which leads me to believe it is correct.

Kaspars_Zibarts
Employee

Ok, had to do a bit of reverse engineering. Played with VSX VS0 and the CMA that manages it, which had zero domain objects.

It looks like the table name is dns_reverse_domains_tbl, as it was empty before I started:

Then I added abc.com as a domain object and these 3 entries were populated in the table, but I haven't managed to crack it yet, as the IP in HEX would be c7 b5 84 fa

Once the domain object was removed, the table was empty again.

Kaspars_Zibarts
Employee

Found the other table dns_reverse_cache_tbl with the IP, still have no full logic explanation though

IP in red

UID for domain object  "0b498363-b2d3-44bd-862e-354cd7a48aa9"
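As an added illustration (not code from the thread or from Check Point), a small Python helper that parses `fw tab -s` statistics in the layout shown earlier in the thread and decodes the hex-encoded IPv4 octets seen in the table dumps; the sample output and the table id for dns_reverse_cache_tbl are constructed for the example.

```python
import ipaddress

# Constructed sample of `fw tab -s` output, in the header/row layout the
# thread shows. The dns_reverse_cache_tbl row and its id are made up.
SAMPLE_TAB_STATS = """\
HOST NAME ID #VALS #PEAK #SLINKS
localhost domain_cache 8190 0 0 0
localhost dns_reverse_cache_tbl 8191 3 5 0
"""


def parse_tab_stats(text):
    """Parse `fw tab -s` style output into {table_name: {...}}."""
    tables = {}
    for line in text.splitlines():
        fields = line.split()
        # Skip the header and anything that is not a 6-column stats row.
        if len(fields) != 6 or fields[0] == "HOST":
            continue
        host, name, tid, vals, peak, slinks = fields
        tables[name] = {
            "host": host,
            "id": int(tid),
            "vals": int(vals),
            "peak": int(peak),
            "slinks": int(slinks),
        }
    return tables


def empty_tables(stats, names):
    """Names that exist in the stats but currently hold zero values."""
    return [n for n in names if n in stats and stats[n]["vals"] == 0]


def hex_octets_to_ip(hex_str):
    """Decode 4 hex octets ('c7 b5 84 fa' or 'c7b584fa') to dotted quad."""
    raw = bytes.fromhex(hex_str.replace(" ", ""))
    if len(raw) != 4:
        raise ValueError("expected exactly 4 bytes for an IPv4 address")
    return str(ipaddress.IPv4Address(raw))


def ip_to_hex_octets(ip):
    """Inverse of hex_octets_to_ip, handy for grepping a dump for an address."""
    return ipaddress.IPv4Address(ip).packed.hex()
```

With real output, pipe `fw tab -s` into a file and pass its contents to `parse_tab_stats`; a domain-object table reporting 0 #VALS while domain objects are in use is the symptom discussed in this thread.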

Ankur_Datta
Collaborator

Hi Kaspars,

How can we clear the dns cache table? 

I was doing some tests with a domain object and want to clear the cache table.

Thanks

Kaspars_Zibarts
Employee

You may try, at your own risk, the usual table purge option: -x at the end:

fw tab -t dns_reverse_cache_tbl -x

Martin_Valenta
Advisor

Adam Forester what would be the command on R80.20?

Since printing is done via 

"fw ctl multik print_bl dns_reverse_cache_tbl"

Martin_Valenta
Advisor

Adam Forester is there an easy way to match the object UID to a cached entry?

Adam_Forester
Ambassador

I wrote a script that would do it, but the reverse wasn't always working since I only had the IP and it was a bit wonky... I'm going to ask my contacts internally to see what I can find.

Ni_c
Contributor

Adding to the above answer: in R80.10 SecureXL templates are applied to Domain rules, so there is no more performance impact from Domain rules on R80.10 gateways; that being said, we can even write them at the top of the rule base.

Alessandro_Marr
Advisor

Hello, before using this feature I strongly recommend you read https://community.checkpoint.com/docs/DOC-3476-domain-objects-fqdn-an-unofficial-atrg?sr=inbox&ru=44...

Regards.

Alessandro
