Ben_Fung
Nickel

FQDN and Domain Objects in R80.10 when DNS server fail?

With FQDN and Domain Objects in R80.10, if the DNS server fails a DNS query, will it affect the overall operation of the Check Point firewall? I remember that on R77 it was affected if a DNS query failed; the rules below would fail too.

21 Replies

Re: FQDN and Domain Objects in R80.10 when DNS server fail?

No it won't, as DNS queries are executed in the background and cached every 30 seconds. I'm guessing in case you have a total DNS outage for a long period of time, the DNS cache will last for each record's TTL and then simply time out, and that rule simply won't work. But it won't affect other rules nor slow down the gateway.

I believe it's one of the best hidden gems in R80.10!

More in Domain Objects in R80.10 and above 
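The behaviour described in the reply above (background refresh every 30 seconds, entries surviving for their TTL when the resolver is down, then the rule silently ceasing to match) can be modelled in a few lines. The following is an added example written for this thread, not Check Point code; the refresh interval, the TTL, the outage time and the resolver are all constructed assumptions.

```python
"""Model of a background-refreshed DNS cache for domain objects during a resolver outage.

Added illustration, not Check Point's implementation. Assumptions (constructed):
a 30 s background refresh, a record TTL of 120 s, and a resolver that stops
answering from t=60 s onward.
"""
from dataclasses import dataclass

REFRESH_INTERVAL = 30   # seconds between background refreshes (figure quoted in the reply)
RECORD_TTL = 120        # constructed TTL for the sample record
OUTAGE_START = 60       # constructed: resolver fails from this second onward


@dataclass
class CacheEntry:
    ips: set
    expires_at: int     # absolute time at which the cached answer becomes unusable


class DomainObjectCache:
    """Keeps the last good answer per FQDN; a failed refresh never evicts an entry."""

    def __init__(self, resolver):
        self.resolver = resolver          # callable(fqdn, now) -> (ips, ttl), raises OSError on failure
        self.entries = {}
        self.last_refresh = -REFRESH_INTERVAL

    def tick(self, now, fqdns):
        """Background refresh, rate-limited to one run per REFRESH_INTERVAL."""
        if now - self.last_refresh < REFRESH_INTERVAL:
            return
        self.last_refresh = now
        for fqdn in fqdns:
            try:
                ips, ttl = self.resolver(fqdn, now)
            except OSError:
                continue                  # resolver down: keep whatever is already cached
            self.entries[fqdn] = CacheEntry(set(ips), now + ttl)

    def matches(self, now, fqdn, ip):
        """Rule match for a domain object: False once the cached record has expired."""
        entry = self.entries.get(fqdn)
        if entry is None or now >= entry.expires_at:
            return False
        return ip in entry.ips


def scripted_resolver(fqdn, now):
    """Constructed resolver: answers until OUTAGE_START, then fails every query."""
    if now >= OUTAGE_START:
        raise OSError("resolver unreachable")
    return {"198.51.100.7"}, RECORD_TTL      # documentation-range address, constructed


def simulate(fqdn="www.example.com", ip="198.51.100.7", horizon=180):
    """Return {t: rule_matched} sampled at each refresh tick up to `horizon` seconds."""
    cache = DomainObjectCache(scripted_resolver)
    outcome = {}
    for t in range(0, horizon + 1, REFRESH_INTERVAL):
        cache.tick(t, [fqdn])
        outcome[t] = cache.matches(t, fqdn, ip)
    return outcome


if __name__ == "__main__":
    for t, ok in simulate().items():
        print(f"t={t:3d}s  resolver={'up' if t < OUTAGE_START else 'DOWN'}  rule matches={ok}")
```

With these constructed numbers the rule keeps matching for 90 seconds after the resolver goes down (the last good answer at t=30 is valid until t=150) and then stops; a second rule that does not depend on a domain object is never consulted by this cache and so is unaffected, which is the point the reply makes.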

Re: FQDN and Domain Objects in R80.10 when DNS server fail?

Hello ,

Just want to check: do we need to enable the Application blade in R80.10 to use this feature for adding rule base rules allowing FQDN objects?

Re: FQDN and Domain Objects in R80.10 when DNS server fail?

I don't think so, but you will need to check the "FQDN" checkbox on the domain object, and the FW must be R80.10+.

Otherwise the GW will use the "OLD" mechanism.

Re: FQDN and Domain Objects in R80.10 when DNS server fail?

Nope, you don't need to do that. It works straight out of the box.

Re: FQDN and Domain Objects in R80.10 when DNS server fail?

Kaspars Zibarts wrote:

No it won't as DNS queries are executed in the background and cached every 30 seconds.

Do you know where to look for these DNS entries?

I had a look in some tables through fw tab -t but didn't find what I'm looking for.

Thanks in advance.


Re: FQDN and Domain Objects in R80.10 when DNS server fail?

Actually no, I haven't had time to dig into it.

Re: FQDN and Domain Objects in R80.10 when DNS server fail?

Thanks Kaspars,

Just for sharing purposes:

I found it in sk90401...

How can the cache be viewed for troubleshooting?

There are 2 kernel tables. Run:

  • fw tab -t dns_reverse_cache_tbl -u
  • fw tab -t dns_reverse_unmatched_cache -u

... but the mentioned tables are not present... (table xxx not loaded: Invalid argument)

fw tab -s | grep dns_reverse doesn't show any either.

Re: FQDN and Domain Objects in R80.10 when DNS server fail?

Coming back to this.
The SK mentioned has a bit of a confusing layout.

However, I now believe that all text after the line "Changes in Domain Objects since R80.10"

is only applicable to R80.10 and above.
So the tables you list exist only in R80.10 (I verified this by running the commands on

R77.30, R80.10 and R80.20 devices).

On R80.10 and R80.20 an output is given, even if the table is empty (just the headers then).

On R77.30 you get the default reply for a non-existing table.

The question is: I found some info explaining that pre-R80.10 the firewall was also capable of caching the DNS lookups.
However, it's not in the above-mentioned tables. Then where can we query this?

As I have someone who has the same question:
we use domain objects in R77.30, are aware of the impact/risks, but want to see the cached info.

An upgrade to R80.x is planned, but in the meantime where can we find this info?

Re: FQDN and Domain Objects in R80.10 when DNS server fail?

Dameon Welch-Abernathy could you check internally if this is publicly available info where FQDN objects are cached (tables?) and how to fetch it? Thanks!

Admin

Re: FQDN and Domain Objects in R80.10 when DNS server fail?

It's not documented in SK anywhere, but I believe the table is called domain_cache.

Re: FQDN and Domain Objects in R80.10 when DNS server fail?

Yeah, I was searching for different options like "name, dns, ns, cache" but nothing really seems to fit. For example, I know we use it extensively on this VS but the suggested table is zero in size.

[Expert@vsx:6]# fw tab -s -t domain_cache
HOST NAME ID #VALS #PEAK #SLINKS
localhost domain_cache 8190 0 0 0

Admin

Re: FQDN and Domain Objects in R80.10 when DNS server fail?

This name was suggested by various CFG and TAC SRs, which leads me to believe it is correct.


Re: FQDN and Domain Objects in R80.10 when DNS server fail?

Ok, had to do a bit of reverse engineering. Played with a VSX VS0 and the CMA that manages it, which had zero domain objects.

It looks like the table name is dns_reverse_domains_tbl, as it was empty before I started:

Then I added abc.com as a domain object and these 3 entries were populated in the table, but I haven't managed to crack it yet, as the IP in hex would be c7 b5 84 fa.

Once the domain object was removed, the table was empty again.
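Decoding the hex shown in the post above is the first step in matching a cached entry back to the domain object that produced it. The script below is an added example for this thread, not Check Point tooling: it decodes a 4-byte hex field in both byte orders (kernel tables are sometimes printed in host order, so both candidates are worth checking) and compares the candidates against a forward-resolution map you would build yourself from the domain objects in the policy. The table line format and the forward map are constructed assumptions; only the byte string c7 b5 84 fa comes from the post.

```python
"""Decode hex-encoded IPv4 fields from a kernel-table dump and match them to FQDN objects.

Added example, not Check Point's own tooling. The line format of SAMPLE_DUMP and the
FORWARD_MAP contents are constructed for illustration; adjust ENTRY_RE to whatever
your own `fw tab -t <table> -u` output looks like.
"""
import ipaddress
import re

# Constructed sample lines. The first hex value is the one quoted in the post (c7 b5 84 fa);
# the second is an RFC 5737 documentation address, added for the test.
SAMPLE_DUMP = """\
<c7 b5 84 fa, 00000001>
<c6 33 64 07, 00000002>
"""

# Matches "<hh hh hh hh, ...>" where the first field is a 4-byte hex value (constructed format).
ENTRY_RE = re.compile(r"<\s*((?:[0-9a-fA-F]{2}\s?){4}),")

# Constructed forward-resolution map: in practice you would resolve each FQDN object
# yourself and record the answers here, then compare against the cache.
FORWARD_MAP = {
    "abc.com": {"199.181.132.250"},
    "www.example.net": {"198.51.100.7"},
}


def hex_to_ipv4(hexstr, network_order=True):
    """Convert 4 hex bytes (spaces allowed) to dotted-quad; reverse the bytes for host order."""
    raw = bytes.fromhex(hexstr.replace(" ", ""))
    if len(raw) != 4:
        raise ValueError(f"expected 4 bytes, got {len(raw)}: {hexstr!r}")
    if not network_order:
        raw = raw[::-1]
    return str(ipaddress.IPv4Address(raw))


def decode_entries(dump):
    """Return [(hex_field, network_order_ip, host_order_ip), ...] for every parsable line."""
    out = []
    for m in ENTRY_RE.finditer(dump):
        field = m.group(1).strip()
        out.append((field, hex_to_ipv4(field, True), hex_to_ipv4(field, False)))
    return out


def match_to_objects(dump, forward_map=FORWARD_MAP):
    """Map each decoded entry to the FQDN object(s) whose forward resolution contains it.

    Both byte-order candidates are tried, and the one that hits is reported, so the
    output also tells you which byte order the table uses.
    """
    index = {ip: fqdn for fqdn, ips in forward_map.items() for ip in ips}
    results = {}
    for field, net_ip, host_ip in decode_entries(dump):
        if net_ip in index:
            results[field] = (index[net_ip], net_ip, "network-order")
        elif host_ip in index:
            results[field] = (index[host_ip], host_ip, "host-order")
        else:
            results[field] = (None, net_ip, "unmatched")
    return results


if __name__ == "__main__":
    for field, (fqdn, ip, how) in match_to_objects(SAMPLE_DUMP).items():
        print(f"{field:>12}  ->  {ip:<16} {how:<14} {fqdn or '-'}")
```

Forward resolution (FQDN to the set of addresses it currently returns) is used deliberately instead of PTR lookups: a reverse lookup of a CDN or shared-hosting address often returns a name unrelated to the object, which is the "wonky" behaviour described later in this thread.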

Re: FQDN and Domain Objects in R80.10 when DNS server fail?

Found the other table dns_reverse_cache_tbl with IP, still have no full logic explanation though.

IP in red

UID for domain object "0b498363-b2d3-44bd-862e-354cd7a48aa9"

Ankur_Datta
Nickel

Re: FQDN and Domain Objects in R80.10 when DNS server fail?

Hi Kaspars,

How can we clear the DNS cache table?

I was doing some tests with a domain object and want to clear the cache table.

Thanks

Re: FQDN and Domain Objects in R80.10 when DNS server fail?

You may try, at your own risk, the usual table purge option: -x at the end:

fw tab -t dns_reverse_cache_tbl -x

Re: FQDN and Domain Objects in R80.10 when DNS server fail?

Adam Forester what would the command be on R80.20?

Since printing is done via

"fw ctl multik print_bl dns_reverse_cache_tbl"

Re: FQDN and Domain Objects in R80.10 when DNS server fail?

Adam Forester is there an easy way to match an object UID to a cached entry?

Re: FQDN and Domain Objects in R80.10 when DNS server fail?

I wrote a script that would do it, but reverse wasn't always working since I only had the IP and it was a bit wonky... I'm going to ask my contacts internally to see what I can find.

Ni_c
Nickel

Re: FQDN and Domain Objects in R80.10 when DNS server fail?

Adding to the above answer: in R80.10 SecureXL templates will be applied for Domain rules, so there is no more performance impact with Domain rules on R80.10 gateways; that being said, we can even write them at the top of the rule base.

Re: FQDN and Domain Objects in R80.10 when DNS server fail?

Hello, before using this feature I strongly recommend you read https://community.checkpoint.com/docs/DOC-3476-domain-objects-fqdn-an-unofficial-atrg?sr=inbox&ru=44...

Regards.

Alessandro
