This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
dt7
Contributor
‎2023-07-19 07:11 AM

Issues with split DNS on Endpoint Security VPN / Harmony Endpoint

Hi everyone,

I am trying to understand how to configure split DNS when using the Harmony Endpoint Security VPN client (basically same as Endpoint Security VPN client). Without split DNS at the moment, all the DNS queries (for internal + external/public domains) are all sent to my corporate internal DNS, and I would like for this to be the case only for the selected domains managed internally.

First, I find some parts of the documentation on the topic a bit confusing (https://sc1.checkpoint.com/documents/R81.10/WebAdminGuides/EN/CP_R81.10_RemoteAccessVPN_AdminGuide/T...), I understand it is necessary to be done when using SecuRemote VPN client, but when using Mobile Access VPN or Endpoint Security VPN clients, is it already enabled or we still need to enable it + use SecuRemoteDNS objects as per mentioned in the documentation?

The following parts confuse me in the documentation:

- "Split DNS is automatically enabled"

- "Best practice is:

  • For Endpoint Security VPN and Check Point Mobile for Windows, use Office mode."

I am already using office mode in my case and the VPN itself is working fine (using ADFS/SAML auth).

I still went ahead and followed the documentation to enable split DNS on my gateway and created the SecuRemoteDNS objects with the few domain suffixes I want to resolve internally. However, the results are not really what I expected and it does not seem to be working from what I can observe and tests. When split DNS is enabled, the DNS resolution on my the clients (Windows10 machine) take like 10s, basically the amount of time for the DNS requested to time-out 5 times on my internal DNS, and when I try to resolve external domains/public domains (out of the SecuRemoteDNS domain scopes I defined) using nslookup, it still tries to contact my internal DNS servers and times-out, not sure if this is supposed to be by design? I find it really strange. The whole experience becomes not usable for users as the DNS resolution for external domains takes forever (10s like I said) after enabling split DNS, it corresponds to what is describe here: https://woshub.com/dns-resolution-via-vpn-not-working-windows/

It can be workaround by disabling SMHNR in Windows to have the resolution work faster (seems to be a Windows bug), but I find it hard to believe I need to go to such extend to have split DNS working on all my users?

Am I missing something?

I thought that the VPN client would handle the split DNS part through routing of the DNS queries properly done depending on the domain requested:

- If domain is internal and managed (as defined in SecuRemoteDNS) --> send to internal DNS via VPN

- If domain is external, just resolve locally with the internet ISP DNS on the other adapter

But this is totally not what I am observing on my tests, which is very surprising... And I am not sure how to resolve this. I also did a packet capture on my test machine and I can see that DNS requests for external domains are still sent to my internal DNS via VPN, which makes no sense to me.

 

I guess my questions are:

1) Do you need to enable Split DNS as described in the documentation also for enterprise VPN clients (including Endpoint Security VPN)?

2) Has anybody else enabled split DNS using those VPN clients successfully and can share how? Am I approaching this incorrectly?

Thanks in advance for reading me and for your help.

 

My environment info and versions:

- Management R81.10 (latest recommended take)

- Gateway (VPN target) R81.10 Take 95

- Endpoint Security E87.30 client (latest version I think)

- Windows 10 22H2 devices (for the tests)

0 Kudos
12 Replies
PhoneBoy
Admin
Admin
‎2023-07-19 10:24 AM

Split DNS is not enabled by default for non-SecuRemote clients.
Refer to: https://sc1.checkpoint.com/documents/RemoteAccessClients_forWindows_AdminGuide/Content/Topics-RA-VPN... 

0 Kudos
dt7
Contributor
‎2023-07-19 06:36 PM
In response to PhoneBoy

Hi @PhoneBoy,

Thanks for your reply, I have checked this documentation before as well and I have already enabled it before as follows:

- Enabling split_dns_enabled in the file $FWDIR/conf/trac_client_1.ttm on each member of my VPN gateway cluster

- Then manually setting split_dns_enabled parameter to true on my machine's VPN client to enable it and test for now

I have attached two screenshots to show the settings I've set for reference.

This is how I tested the feature and observed the issues I mentioned in my original post above.

Preview file
25 KB
Preview file
2 KB
0 Kudos
the_rock
Legend
Legend
‎2023-07-19 06:45 PM
In response to dt7

One of my colleagues did this for a customer couple of years back, so I can verify with him tomorrow...IF memory serves me well, I believe in your first screenshot, default value should be true, not client decide at the bottom, but will confirm.

0 Kudos
dt7
Contributor
‎2023-07-19 08:19 PM
In response to the_rock

Thanks for your inputs, I would be interested to hear the feedback from your colleague indeed. Regarding the setting, I know it needs to be set to "true", I have set it to "client_decide" for now in order to enable it manually on my VPN client on a test machine first, so that it does not affect other users that currently are using the VPN. I've tried anyway to set it to "true" on the gateway just to give it a go, and it's the same results.

The only way to make it usable after enabling split dns is to alter the Windows DNS settings by disabling SMHNR via the two registries below:

Set-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\Windows NT\DNSClient" -Name DisableSmartNameResolution -Value 1 -Type DWord
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters" -Name DisableParallelAandAAAA -Value 1 -Type DWord

This makes the resolution work faster. Otherwise the DNS resolution for external domains take 10s (unacceptable form a user experience point of view) as the requests are sent to all DNS servers knowns on all adapters, and since it times-out on the internal DNS (due to split DNS I think?), it causes the delay. This feature from Windows seems to be really bad, contributing to DNS leak as well..

0 Kudos
PhoneBoy
Admin
Admin
‎2023-07-20 05:34 AM
In response to dt7

Couple things:

  • Did you push policy after making these changes?
  • Did you delete/re-add the site afterwords (ensures the updates are pushed to the client)?

If so, I'd consult with TAC as this appears to be unexpected behavior (or at least behavior inconsistent with the documentation).
https://help.checkpoint.com 

0 Kudos
dt7
Contributor
‎2023-07-20 06:05 AM
In response to PhoneBoy

Yes i've pushed the policy on the gateway affected by the changes after any modification on the $FWDIR/conf/trac_client_1.ttm file.

Regarding your second point, I haven't tried to delete/recreate the site, is that necessary for every change of this sort? Looks unmanageable when you are in production and users are already using the VPN client in case you need to make any change in the future. I will try it still on a test machine to see if I get any difference in the results, thanks for the suggestion.

I have raised a ticket with TAC, but so far the answer I have gotten is just that "Split DNS is not compatible with SMHNR", that's about it. However, I find that behavior of the split DNS feature does not make sense. I have also run some packet captures on both my network adapters (VPN adapter and main adapter connected to the internet with ISP DNS settings), and I still see external domain requests being sent to my internal DNS via the VPN adapter, when it shouldn't theoritically. The only thing is that those request to the internal DNS time-out, as if there are not processed due to the SecuRemoteDNS configuration, but that's it. If it is really like this by design, it's really not optimized and not sure how I can use it in production. Somemore, the only way to make it somewhat usable right now after enabling it is by disabling SMHNR.

Any feedback from people that have actually implemented successfully would be really helpful.

 

0 Kudos
the_rock
Legend
Legend
‎2023-07-20 06:10 AM
In response to dt7

Keep in mind that sometimes deleting/re-creating the site, as inconvenient as it is, is needed, as that would let vpn client fetch all the updated info from the gateway.

Personally, I would verify all this with TAC for an official answer.

Andy

0 Kudos
the_rock
Legend
Legend
‎2023-07-20 03:33 PM
In response to dt7

Hey...sorry for the confusion, I asked my colleague, but he said we never implemented this for the customer. I mixed it up with something else, apologies.

0 Kudos
dt7
Contributor
‎2023-07-20 07:52 PM
In response to the_rock

Ok 🙁, thanks for checking anyway!

0 Kudos
hcur
Participant
Participant
‎2024-05-18 11:31 PM
In response to dt7

Hi Did you manage to resolve this and get it working?

0 Kudos
dt7
Contributor
‎2024-05-22 07:55 PM
In response to hcur

Hi @hcur, I've tried many different ways but I could not find any way to make Split DNS work as expected in a manageable and scalable way.

It is not great, but no choice..

0 Kudos
hcur
Participant
Participant
‎2024-05-22 09:58 PM
In response to dt7

Hi @dt7 , Thanks for the reply.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events