Create a Post
Showing results for 
Search instead for 
Did you mean: 

DNS forwarding for internal domain

Hello CheckMates,

is it possible to configure a DNS forwarder on a SMB appliance for specific domains?

Meaning, clients have the appliance configured as DNS server, and the appliacne forwards requests for internal domain to the central DNS at the central site over VPN and all other requests are forwarded to DNS-server from provider.

Problem is that the remote sites can access internet via local appliance. Connectivity to the central site is done via VPN and all internal DNS-server are hosted only at the central site. If the VPN connection to central site is up everything is fine, but if the connection is lost the clients can't resolve DNS names.

Other vendors have a feature to do this DNS forwarding like described, but I missed this on Check Point appliance. 

Another option would be to have a local DNS-server, but we don't want run any servers local.

All ideas are welcome


0 Kudos
5 Replies

Basically you have three possibilities, if you do not want a local DNS:

1. Configure the hosts as network objects and set the box to reolve those.

2. Fiddle with the /var/hosts file dfor the dnsmasq.

3. Fiddle with the /pfrm2.0/etc/dnsmasq.conf to enable forwarding for the internal domain there.


I just saw, that in the config file the strict option is set, so if you put the internal DNS first, it should work, as long as the VPN is up.




Hello Wolfgang,

we have the same requirement to use specific DNS Servers for internal hosted domains and any other requests should be anwsered from the appliance configured DNS servers.

How did you finally solve this issue?

I tried to change dnsmasq.conf but this was not working.


0 Kudos


I can't do this by modifiying the config file also.

The way I did was adding a script at boot (/pfrm2.0/etc/userScript) which you can also call manually. The userScript (sk52520) is executed at the end of all startup routines, so this way I can check if the local domain name is empty at boot; if not, means that was previously assigned so needs to be set again:


kill -9 $(cat /var/run/
DOMAIN=$(cat /etc/resolv.conf | grep search | awk {'print $2'})
if [ -z "$DOMAIN" ]
/pfrm2.0/bin/dnsmasq -y -x /var/run/ -h -H /var/hosts -c 0\
/pfrm2.0/bin/dnsmasq -y -x /var/run/ -h -H /var/hosts -c 0 -E --domain=#\
unset DOMAIN


As you can see, it's possible to add more than one server to a specific domain. Replace X.X.X.X, Y.Y.Y.Y, Z.Z.Z.Z and W.W.W.W with DNS Server's IP.

On WEB GUI, DNS Servers configured should be your public/provider addresses for all requests other than domain1 and domain2 on the example.

Please note that when you modify the domain name or disable DNS Proxy, both operations in WEB GUI, the dnsmasq process is restarted; so you will need to execute the script manually again.


Did work as you wrote Kenny. Thank you for that. Today I will try if userCheck - Script will be delted after a firmware upgrade and give a feedback after that.



wow that´s a cool thing, this is also working in Full GAiA Appliances? R80.30 ?
this would be great.

i would need this issue to send DNS request from different internal clients to specific DNS servers.
some customer installation have little to no DNS Server configured for SplitDNS and so on .. so this feaure would be great.

best regards



0 Kudos