2M DNS queries per day via vpn for about 1k fqdn - 1900+ each
Hi!
No user activity, no security blades, only a "baby VPN". Around the clock, regardless of user activity, DNS queries are sent over the VPN. Quantum Spark 1570 Appliance R81.10.10 (996002993)
For the last 24 hours it looks like this:
... | stats dc(query) as distinct_query_count -> 923
...
Counts for each FQDN are similar, around 1900. FQDNs are mixed.
Looks like it is not related to any user traffic (tcpdump shows no activity, nor any DNS queries, on the internal interfaces).
Looks like autogenerated by gateway itself - almost 2M queries/day.
Some FQDNs are "grepable" in prfm2.0, some are not.
Why at all, why these FQDNs (923 for the last 24 h), and why every 45 s (24*3600/1900 ≈ 45)?
BR
Andrzej
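The kind of log analysis the post above describes (distinct names, per-name counts, a near-constant interval that points to the gateway itself rather than users) can be automated. The following is an added example, not code from the thread or from Check Point: it parses constructed DNS query log lines of the form "<epoch_seconds> <source_ip> <qname>" (the field layout, the sample addresses and the .test names are all assumptions to adapt to your own resolver or firewall log format), flags names whose inter-query gaps are regular, and projects the daily volume per name and in total with the same arithmetic the post uses.

```python
"""Detect periodic, machine-generated DNS lookups in a query log.

Added example (not from the thread). Input lines are constructed here in the
form "<epoch_seconds> <source_ip> <qname>"; adapt parse_dns_log() to your
resolver's or firewall's log format. A name whose inter-query gaps are nearly
constant is being polled by software, not requested by users; the projected
daily count mirrors the arithmetic in the original post
(per-name count over 24 h -> interval, 24*3600 / interval -> queries per day).
"""
from collections import defaultdict
from statistics import median, pstdev

GATEWAY_IP = "192.0.2.1"   # constructed: the appliance's inside address
CLIENT_IP = "10.0.0.5"     # constructed: an ordinary user workstation

# Constructed sample log: two names polled every 45 s by the gateway itself,
# one name looked up irregularly by a client.
SAMPLE_LOG = (
    [f"{1000 + 45 * i} {GATEWAY_IP} example-a.test." for i in range(5)]
    + [f"{1000 + 45 * i} {GATEWAY_IP} example-b.test." for i in range(5)]
    + [f"{t} {CLIENT_IP} intranet.example.test" for t in (1003, 1010, 1100)]
)


def parse_dns_log(lines):
    """Yield (timestamp, src_ip, qname) tuples, skipping malformed lines."""
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            ts = float(parts[0])
        except ValueError:
            continue
        yield ts, parts[1], parts[2].rstrip(".").lower()


def periodic_queries(lines, min_count=3, max_jitter=0.1):
    """Return {qname: (count, median_interval_s, projected_per_day, sources)}
    for names whose spacing is regular: the population std dev of the gaps,
    relative to the median gap, is at most max_jitter."""
    times = defaultdict(list)
    sources = defaultdict(set)
    for ts, src, qname in parse_dns_log(lines):
        times[qname].append(ts)
        sources[qname].add(src)
    found = {}
    for qname, stamps in times.items():
        if len(stamps) < min_count:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        med = median(gaps)
        if med <= 0 or pstdev(gaps) / med > max_jitter:
            continue
        found[qname] = (len(stamps), med, round(86400 / med), sorted(sources[qname]))
    return found


def summarize(found):
    """Number of distinct polled names and the daily query volume they project."""
    return len(found), sum(entry[2] for entry in found.values())


if __name__ == "__main__":
    hits = periodic_queries(SAMPLE_LOG)
    for name, (count, interval, per_day, srcs) in sorted(hits.items()):
        print(f"{name}: {count} seen, every {interval:.0f}s, ~{per_day}/day, from {srcs}")
    print("distinct polled names, projected queries/day:", summarize(hits))
```

The source-address column is what separates the two cases in the post: names polled only from the gateway's own address, on a fixed timer, are generated by the appliance; names requested from workstations at irregular times are user traffic. Tune max_jitter upward if your logging timestamps are coarse.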
What does your access policy look like?
If you're using any FQDN objects or Updatable Objects, we need to resolve those DNS domains to IP addresses, thus the gateway will need to issue DNS requests.
Hello,
Thx for the response. The policy is simple - everything into the tunnel (2 rules - one for private networks and the second for all others) and in reverse - only selected private subnets (mostly mgmt). IoT is disabled, dynamic objects are not used - an old-days classic policy ;-). Anyway, if using over fibre - no big problem. But over wireless networks 2M DNS queries a day (DNS + ESP is about 50 bytes) use 100 MB/day for nothing and 3 GB per month. There is nothing dynamic in this VPN gateway. How to disable these DNS queries? Maybe somebody knows?
BR
Andrzej
The only other things I can think of that MIGHT trigger DNS queries are Fast Accel (disabled by default) and SD-WAN (enabled by default).
Both of these are under Access Control > Firewall.
In any case, your best bet is to engage TAC so we can investigate.
As I wrote above, R&D called this a bug but was not willing to fix it for the firmware showing the issue...
Is the gateway maybe set as the DNS server for the clients? Maybe by accident? What if you run ipconfig on a few to verify this?
If you like this post please give a thumbs up(kudo)! 🙂
Can you please try to turn off Smart Accel?
I will try fwaccel off ...
Hi, please try to turn off Smart Accel via the WebUI (under Access Policy --> Fast Accel)
No. No DNS queries from any client. Every 45 seconds each of the 935 FQDNs is being resolved (the gateway sends requests to the DNS server asking for it)
I have a workaround for you that has been tested at a customer's.
To achieve this, you can add the following commands into the userScript file:
cpwd_admin stop -name WSDNSD
cpwd_admin detach -name WSDNSD
No DNS queries will be sent when this is set - just test it on-the-fly using the commands on the CLI!
This WSDNSD behaviour was internally considered a bug by R&D (WSDNS is used as the DNS resolver when the appliance is used as an HTTP/HTTPS proxy, and WSDNSD makes requests for SmartAccel, but it does the same requests even if both the HTTP/HTTPS proxy and SmartAccel are not used/disabled), but I am not sure if this has already been fixed in the current firmware...
The case in which this information was collected was resolved by using internal objects in the WebGUI - if you define FQDN objects as object something.com 8.8.8.8, no DNS request for this FQDN will be sent, but it makes more sense to disable WSDNSD than to define 935 internal objects here...
Thank you very much!
WSDNSD stops immediately! Talking about a userscript, do you mean scheduling it in the SystemManagement/Scheduler? I guess it should be executed, for example, 5 minutes after boot, until the fixed firmware release/upgrade?
No, this is a 15x0x appliance = SMB: https://support.checkpoint.com/results/sk/sk52520
SMBs use the userScript file to call custom commands during startup, so this is the place for the two lines!
Give a Kudo if you like my post...
I would rather not call this a solution but a workaround only! I was rather upset that R&D did not want to fix it.
Works perfectly, but after any GUI change the WSDNSD service is restarted. Cron - stop this service every 15 minutes? Is it possible to disable it permanently? Or is the scheduler the last hope? From the GUI, or should I try the CLI?
https://blog.spikefishsolutions.com/2016/04/enabling-cron-scheduling-services-on.html
Strange - if the WSDNSD service is detached from the Watchdog at boot time, I would not expect this to happen!
Another alternative suggested by R&D was
watch -n 30 "$FWDIR/bin/cpwd_admin stop -name WSDNSD > /dev/null" &
This should also go into userScript; it kills WSDNSD every 30 s...
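The two pieces of the workaround from this thread (stop and detach WSDNSD at startup, then keep re-stopping it because GUI changes bring it back) can be combined into one userScript fragment. The following is an added example, not code from the thread, from Check Point or from R&D: it uses only the cpwd_admin stop/detach invocations and the $FWDIR/bin path the replies above show. Everything else is an assumption: the /opt/fw1 fallback for $FWDIR, the log file path, running the re-stop loop with nohup in the background, and the plain `while` loop in place of `watch` (which expects a terminal and is not a good fit for a startup script). Keep in mind the caveat from the thread itself: WSDNSD is the resolver for the HTTP/HTTPS proxy and SmartAccel, so this only makes sense where neither is in use.

```shell
#!/bin/sh
# Added example (not from the thread): userScript fragment that stops WSDNSD,
# detaches it from the watchdog, and keeps re-stopping it on a timer.
# Assumptions: cpwd_admin lives under $FWDIR/bin (override with CPWD_ADMIN,
# e.g. for testing); stopping an already-stopped daemon is harmless.

CPWD_ADMIN="${CPWD_ADMIN:-${FWDIR:-/opt/fw1}/bin/cpwd_admin}"   # /opt/fw1 fallback is an assumption
WSDNSD_LOG="${WSDNSD_LOG:-/tmp/wsdnsd_guard.log}"               # assumed log location

stop_wsdnsd() {
    # One-shot: stop the daemon, then detach it so the watchdog does not respawn it.
    "$CPWD_ADMIN" stop -name WSDNSD >/dev/null 2>&1
    "$CPWD_ADMIN" detach -name WSDNSD >/dev/null 2>&1
    echo "$(date '+%F %T') WSDNSD stopped and detached" >> "$WSDNSD_LOG"
}

wsdnsd_guard() {
    # Re-issue the stop every $1 seconds (default 30, as R&D suggested) for
    # $2 iterations; 0 iterations (the default) means run until reboot.
    interval="${1:-30}"
    iterations="${2:-0}"
    n=0
    while :; do
        "$CPWD_ADMIN" stop -name WSDNSD >/dev/null 2>&1
        n=$((n + 1))
        [ "$iterations" -gt 0 ] && [ "$n" -ge "$iterations" ] && break
        sleep "$interval"
    done
    return 0
}

# Only act when invoked with --run, so the file can be sourced without side
# effects. In userScript the equivalent lines would be:
#   stop_wsdnsd
#   nohup wsdnsd_guard 30 >/dev/null 2>&1 &
if [ "${1:-}" = "--run" ]; then
    stop_wsdnsd
    nohup wsdnsd_guard 30 >/dev/null 2>&1 &
fi
```

Whether the guard loop is still needed after a firmware upgrade is easy to check: tail the log file and watch the DNS query rate on the VPN for a day with the loop disabled.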
