With FQDN and Domain Objects in R80.10, if the DNS server fails a DNS query, will it affect the overall operation of the Check Point firewall? I remember that on R77 it would be affected if a DNS query failed; the rule below would fail too.
No, it won't, as DNS queries are executed in the background and cached every 30 seconds. I'm guessing that in case you have a total DNS outage for a long period of time, the DNS cache will last for each record's TTL and then simply time out, and that rule simply won't work. But it won't affect other rules nor slow down the gateway.
I believe it's one of the best hidden gems in R80.10!
Just want to check: do we need to enable the Application blade in R80.10 to use this feature for adding rules to the rule base allowing FQDN objects?
Don't think so, but you will need to check the checkbox "FQDN" on the domain object, and the FW must be R80.10+;
otherwise the GW will use the "OLD" mechanism.
Kaspars Zibarts wrote:
No, it won't, as DNS queries are executed in the background and cached every 30 seconds.
Do you know where to look for these DNS entries?
I had a look in some tables through fw tab -t but didn't find what I'm looking for.
Thanks in advance.
Just for sharing purposes:
I found it in sk90401...
How can the cache be viewed for troubleshooting?
There are 2 kernel tables. Run:
- fw tab -t dns_reverse_cache_tbl -u
- fw tab -t dns_reverse_unmatched_cache -u
... but the mentioned tables are not present... (table xxx not loaded: Invalid argument)
fw tab -s | grep dns_reverse doesn't show any either.
Coming back to this.
The sk mentioned has a bit of a confusing layout.
However, I now believe that all text after the line "Changes in Domain Objects since R80.10"
is only applicable to R80.10 and above.
So the tables you list exist only in R80.10+ (I verified this by running the commands on
R77.30, R80.10 and R80.20 devices.
On R80.10 and R80.20 an output is given, even if the table is empty (just the headers then).
On R77.30 you get the default reply for a non-existing table.)
Question is: I found some info explaining that pre-R80.10 the firewall was also capable of caching the DNS lookups.
However, it's not in the above-mentioned tables, so where can we query this?
As I have someone who has the same question:
we use domain objects in R77.30, are aware of the impact/risks, but want to see the cached info.
An upgrade to R80.x is planned, but in the meantime where can we find this info?
Yeah, I was searching for different options like "name, dns, ns, cache" but nothing really seems to fit. For example, I know we use it extensively on this VS but the suggested table is zero in size:
[Expert@vsx:6]# fw tab -s -t domain_cache
HOST NAME ID #VALS #PEAK #SLINKS
localhost domain_cache 8190 0 0 0
OK, had to do a bit of reverse engineering. Played with a VSX VS0 and the CMA that manages it, which had zero domain objects.
What it looks like is that the table name is dns_reverse_domains_tbl, as it was empty before I started:
Then I added abc.com as a domain object and these 3 entries were populated in the table, but I haven't managed to crack it yet, as the IP in HEX would be c7 b5 84 fa.
Once the domain object was removed, the table was empty again.
Found the other table dns_reverse_cache_tbl with the IP, still have no full logic explanation though.
IP in red
UID for domain object "0b498363-b2d3-44bd-862e-354cd7a48aa9"
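The post above stops at a raw hex value from the kernel table dump. The following is an added example, not code from the thread or from Check Point, showing how a practitioner can turn such a dump into something readable offline: converting the quoted 8-hex-digit value c7 b5 84 fa into a dotted-quad IPv4 address, and parsing the `fw tab -s` summary shown earlier to spot a table whose #VALS column is zero. Both sample inputs are constructed here; the `<...>` entry layout assumed for the `-u` dump is an assumption about how fw tab prints entries and was not verified against a gateway.

```python
import re
import ipaddress

# Constructed sample of `fw tab -s -t <table>` summary output, following the
# header/row shape quoted in the thread (HOST NAME ID #VALS #PEAK #SLINKS).
FW_TAB_SUMMARY = """HOST NAME ID #VALS #PEAK #SLINKS
localhost domain_cache 8190 0 0 0
"""

# Constructed sample of an unformatted (-u) table dump. The <...> tuple layout is
# an ASSUMPTION about how fw tab prints entries; c7b584fa is the hex value quoted
# in the thread, c0a80a05 is a made-up RFC 1918 address for a second row.
FW_TAB_ENTRIES = """localhost:
-------- dns_reverse_cache_tbl --------
<c7b584fa, 00000000; 00000001, 00000000>
<c0a80a05, 00000000; 00000002, 00000000>
"""


def hex_to_ipv4(token: str) -> str:
    """Convert an 8-hex-digit token (big-endian, as fw tab prints IPv4) to dotted quad.

    Spaces between bytes, as in the thread's "c7 b5 84 fa", are tolerated.
    """
    digits = token.replace(" ", "")
    if not re.fullmatch(r"[0-9a-fA-F]{8}", digits):
        raise ValueError(f"expected 8 hex digits, got {token!r}")
    return str(ipaddress.IPv4Address(int(digits, 16)))


def parse_summary(text: str) -> list[dict]:
    """Parse `fw tab -s` output into one dict per table row, keyed by the header columns."""
    lines = [line for line in text.splitlines() if line.strip()]
    header = lines[0].split()
    rows = []
    for line in lines[1:]:
        row = dict(zip(header, line.split()))
        # Numeric columns become ints so callers can test e.g. row["#VALS"] == 0.
        for key in ("ID", "#VALS", "#PEAK", "#SLINKS"):
            row[key] = int(row[key])
        rows.append(row)
    return rows


def empty_tables(text: str) -> list[str]:
    """Names of tables in a `fw tab -s` summary that currently hold no values."""
    return [row["NAME"] for row in parse_summary(text) if row["#VALS"] == 0]


def decode_first_field_ips(text: str) -> list[str]:
    """Decode the first 8-hex-digit field of every <...> entry in a -u dump as IPv4."""
    return [hex_to_ipv4(m.group(1))
            for m in re.finditer(r"<\s*([0-9a-fA-F]{8})", text)]


if __name__ == "__main__":
    print(hex_to_ipv4("c7 b5 84 fa"))            # the value quoted in the thread
    print(empty_tables(FW_TAB_SUMMARY))          # tables with #VALS == 0
    print(decode_first_field_ips(FW_TAB_ENTRIES))
```

The summary parser is the part that transfers directly, since the header row it keys on is the one quoted in the thread; the entry decoder only helps once you have confirmed on your own gateway which field of each tuple carries the address.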
How can we clear the DNS cache table?
I was doing some tests with a domain object and want to clear the cache table.
I wrote a script that would do it, but reverse wasn't always working since I only had the IP, and it was a bit wonky... I'm going to ask my contacts internally to see what I can find.
Adding to the above answer: in R80.10 SecureXL templates will be applied for Domain rules, so there is no more performance impact with Domain rules on R80.10 gateways; that being said, we can even write them on top of the rule base.