This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Thomas_Eichelbu
Advisor
Advisor
‎2021-09-20 02:07 AM

Is it possible to override DNS Proxy or create exlusions?

Hello together ...

 

as a seperate post to this thread:
https://community.checkpoint.com/t5/Security-Gateways/ISP-redundancy-and-DNS-records-for-Web-Servers...

Is it possible to exclude IP ranges or VPN or perhapes special suffixes from DNS proxy ???
Since all DNS requests passing an external interface are always catched by the gateway ... its often bad to get only the external DNS responses when the internal DNS addresses are required ...  (Split DNS behavior) 

since sk23630 describes a script,  perhaps there are commands for exclusions?

# Start of dbedit script
#####################
# Activate the DNS feature
modify network_objects corporate-gw firewall_setting::misp_dns_active true
#####################
# Add the first entry (www.example.com, 192.168.1.80, 172.16.2.80)
create misp_dns_entry tmp_name
modify owned tmp_name misp_host_name www.example.com
addelement owned tmp_name misp_dns_addresses 192.168.1.80
addelement owned tmp_name misp_dns_addresses 172.16.2.80
add_owned_remove_name network_objects corporate-gw firewall_setting:misp_dns_entries owned:tmp_name
delete owned tmp_name
#####################
# Add the second entry (ftp.example.com, 192.168.1.21, 172.16.2.21)
create misp_dns_entry tmp_name
modify owned tmp_name misp_host_name ftp.example.com
addelement owned tmp_name misp_dns_addresses 192.168.1.21
addelement owned tmp_name misp_dns_addresses 172.16.2.21
add_owned_remove_name network_objects corporate-gw firewall_setting:misp_dns_entries owned:tmp_name
delete owned tmp_name
#####################
# Update the object
update network_objects corporate-gw
quit
#####################
# end of dbedit script
#####################

 

 

 

maybe someone has an idea?

 

best regards
Thomas

0 Kudos
1 Reply
PhoneBoy
Admin
Admin
‎2021-09-22 08:41 AM

DNS Proxy follows the NAT rulebase.
So...if you want to create exclusions, you would configure them as NAT rules.
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut... 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events