This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
chrominek
Contributor
a week ago
Jump to solution

2M DNS queries per day via vpn for about 1k fqdn - 1900+ each

Hi!

No user activity, no security blades, only "baby vpn". All over the clock, regardless of the user activity, over the vpn are sent dns queries. Quantum Spark 1570 Appliance  R81.10.10 (996002993)

For the last 24 hours it looks like this:

... | stats dc(query) as distinct_query_count -> 923

qnsq.png

...

dnsq2.png

Counts for each FQDN are similar, around 1900. FQDNs are mixed.

Looks like not related to any user traffic (tcpdump not showing any activity nor any dns queries on the internal interfaces).

Looks like autogenerated by gateway itself - almost 2M queries/day.

Some fgdns are "grepable" in prfm2.0, some not.

Why at all, why this FQDN-s (923 for the last 24 h), why every 45s (24*3600/1900 =~45) ?

 

BR

Andrzej

 

 

 

0 Kudos
2 Solutions

Accepted Solutions
G_W_Albrecht
Legend Legend
Legend
Tuesday
Jump to solution

I have a workaround for you that had been tested at a customers.

To achieve this, you can add the following commands into userScript file:

# cpwd_admin stop -name WSDNSD
# cpwd_admin detach -name WSDNSD

No DNS queries will be sent when this is set - just test it on-the-fly using the commands on CLI!

This WSDNSD behaviour was internally considered a bug by R&D (WSDNS is used as DNS resolver when the appliance is used as a HTTP/HTTPS proxy and WSDNSD makes requests for smartAccel, but it does the same requests even if both HTTP/HTTPS proxy and smartAccel is not used/disabled),  but i am not sure if this has already been fixed in current firmware...

The case in which this information has been collected was resolved by using internal objects in WebGUI - if you define FQDN objects as object something.com 8.8.8.8, no DNS request for this FQDN will be sent, but it will make more sense to disable WSDNSD than to define 935 internal objects here...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

View solution in original post

(1)
G_W_Albrecht
Legend Legend
Legend
Wednesday
In response to chrominek
Jump to solution

No, this is a 15x0x applance = SMB: https://support.checkpoint.com/results/sk/sk52520

SMBs use the userScript file to call custome commands during startup, so this is the place for the two lines !

Give a Kudo if you like my post...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

View solution in original post

12 Replies
PhoneBoy
Admin
Admin
a week ago
Jump to solution

What does your access policy look like?
If you're using any FQDN objects or Updatable Objects, we need to resolve those DNS domains to IP addresses, thus the gateway will need to issue DNS requests.

0 Kudos
chrominek
Contributor
a week ago
In response to PhoneBoy
Jump to solution


Hello,

Thx for response. The policy is simple - everything into the tunnel ( 2 rules - one for private networks and the second for all others ) and reverse - only selected, private subnets (mostly mgmt). IoT is disabled, dynamic objects are not used - an old days classic policy ;-). Anyway, if using over fibers - no big problem. But over wireless networks 2M dns queries a day ( dns + ESP is about about 50 bytes ) uses  100 MB/day for nothing and 3GB per month.  There is nothing dynamic in this vpn gateway. How to disable this DNS queries? Maybe somebody knows?

 

BR

Andrzej

0 Kudos
PhoneBoy
Admin
Admin
a week ago
In response to chrominek
Jump to solution

The only other things I can think of that MIGHT trigger DNS queries are Fast Accel (disabled by default) and SD-WAN (enabled by default).
Both of these are under Access Control > Firewall.
In any case, your best bet is to engage TAC so we can investigate.

0 Kudos
Lesley
Leader Leader
Leader
a week ago
Jump to solution

Is the gateway maybe set as dns server for the clients? Maybe on accident? What if you run ipconfig on a few to verify this

-------
If you like this post please give a thumbs up(kudo)! 🙂
0 Kudos
Dafna
Employee
Employee
a week ago
In response to Lesley
Jump to solution

Can you please try to turn off smart accel ?

0 Kudos
chrominek
Contributor
a week ago
In response to Dafna
Jump to solution

I will try fwaccel off ... 

0 Kudos
Dafna
Employee
Employee
Saturday
In response to chrominek
Jump to solution

Hi please try to turn off smart accel via webUI (under Access Policy-->Fast Accel)

0 Kudos
chrominek
Contributor
a week ago
In response to Lesley
Jump to solution

No. No dns queries from any client,  Every 45 seconds each of the 935 FQDNs is beeing resolved (gateway sends requests to the DNS server, asking for it) 

0 Kudos
G_W_Albrecht
Legend Legend
Legend
Tuesday
Jump to solution

I have a workaround for you that had been tested at a customers.

To achieve this, you can add the following commands into userScript file:

# cpwd_admin stop -name WSDNSD
# cpwd_admin detach -name WSDNSD

No DNS queries will be sent when this is set - just test it on-the-fly using the commands on CLI!

This WSDNSD behaviour was internally considered a bug by R&D (WSDNS is used as DNS resolver when the appliance is used as a HTTP/HTTPS proxy and WSDNSD makes requests for smartAccel, but it does the same requests even if both HTTP/HTTPS proxy and smartAccel is not used/disabled),  but i am not sure if this has already been fixed in current firmware...

The case in which this information has been collected was resolved by using internal objects in WebGUI - if you define FQDN objects as object something.com 8.8.8.8, no DNS request for this FQDN will be sent, but it will make more sense to disable WSDNSD than to define 935 internal objects here...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
(1)
chrominek
Contributor
Wednesday
In response to G_W_Albrecht
Jump to solution

Thank you very much!

WSDNSD works immediately! Talking about a userscript you think to schedule it into the  SystemManagement/Scheduler? I guess it should be executed by example 5 minutes after boot, until the fixed firmware release/upgrade?

0 Kudos
G_W_Albrecht
Legend Legend
Legend
Wednesday
In response to chrominek
Jump to solution

No, this is a 15x0x applance = SMB: https://support.checkpoint.com/results/sk/sk52520

SMBs use the userScript file to call custome commands during startup, so this is the place for the two lines !

Give a Kudo if you like my post...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
G_W_Albrecht
Legend Legend
Legend
Thursday
In response to G_W_Albrecht
Jump to solution

I would rather not call this a solution but a workaround only ! I had been rather upset that R&D did not want to fix it.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events