Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Wolfgang
Authority
Authority
Jump to solution

DNS forwarding for internal domain

Hello CheckMates,

is it possible to configure a DNS forwarder on a SMB appliance for specific domains?

Meaning, clients have the appliance configured as DNS server, and the appliacne forwards requests for internal domain to the central DNS at the central site over VPN and all other requests are forwarded to DNS-server from provider.

Problem is that the remote sites can access internet via local appliance. Connectivity to the central site is done via VPN and all internal DNS-server are hosted only at the central site. If the VPN connection to central site is up everything is fine, but if the connection is lost the clients can't resolve DNS names.

Other vendors have a feature to do this DNS forwarding like described, but I missed this on Check Point appliance. 

Another option would be to have a local DNS-server, but we don't want run any servers local.

All ideas are welcome

Wolfgang

1 Solution

Accepted Solutions
KennyManrique
Advisor

Hi,

I can't do this by modifiying the config file also.

The way I did was adding a script at boot (/pfrm2.0/etc/userScript) which you can also call manually. The userScript (sk52520) is executed at the end of all startup routines, so this way I can check if the local domain name is empty at boot; if not, means that was previously assigned so needs to be set again:

 

 

#!/bin/sh
kill -9 $(cat /var/run/dnsmasq.pid)
DOMAIN=$(cat /etc/resolv.conf | grep search | awk {'print $2'})
if [ -z "$DOMAIN" ]; then
/pfrm2.0/bin/dnsmasq -y -x /var/run/dnsmasq.pid -h -H /var/hosts -c 0\
 --server=/domain1.com/X.X.X.X\
 --server=/domain1.com/Y.Y.Y.Y\
 --server=/domain2.com/Z.Z.Z.Z\
 --server=/domain2.com/W.W.W.W

else
/pfrm2.0/bin/dnsmasq -y -x /var/run/dnsmasq.pid -h -H /var/hosts -c 0 -E --domain=#\
 --server=/domain1.com/X.X.X.X\
 --server=/domain1.com/Y.Y.Y.Y\
 --server=/domain2.com/Z.Z.Z.Z\
 --server=/domain2.com/W.W.W.W

fi
unset DOMAIN

 

 

As you can see, it's possible to add more than one server to a specific domain. Replace X.X.X.X, Y.Y.Y.Y, Z.Z.Z.Z and W.W.W.W with DNS Server's IP.

On WEB GUI, DNS Servers configured should be your public/provider addresses for all requests other than domain1 and domain2 on the example.

Please note that when you modify the domain name or disable DNS Proxy, both operations in WEB GUI, the dnsmasq process is restarted; so you will need to execute the script manually again.

View solution in original post

11 Replies
Steffen_Appel
Advisor

Basically you have three possibilities, if you do not want a local DNS:

1. Configure the hosts as network objects and set the box to reolve those.

2. Fiddle with the /var/hosts file dfor the dnsmasq.

3. Fiddle with the /pfrm2.0/etc/dnsmasq.conf to enable forwarding for the internal domain there.

 

I just saw, that in the config file the strict option is set, so if you put the internal DNS first, it should work, as long as the VPN is up.

 

 

Us4r
Contributor
Hello Wolfgang,

we have the same requirement to use specific DNS Servers for internal hosted domains and any other requests should be anwsered from the appliance configured DNS servers.

How did you finally solve this issue?

I tried to change dnsmasq.conf but this was not working.

Regards


Florian
KennyManrique
Advisor

Hi,

I can't do this by modifiying the config file also.

The way I did was adding a script at boot (/pfrm2.0/etc/userScript) which you can also call manually. The userScript (sk52520) is executed at the end of all startup routines, so this way I can check if the local domain name is empty at boot; if not, means that was previously assigned so needs to be set again:

 

 

#!/bin/sh
kill -9 $(cat /var/run/dnsmasq.pid)
DOMAIN=$(cat /etc/resolv.conf | grep search | awk {'print $2'})
if [ -z "$DOMAIN" ]; then
/pfrm2.0/bin/dnsmasq -y -x /var/run/dnsmasq.pid -h -H /var/hosts -c 0\
 --server=/domain1.com/X.X.X.X\
 --server=/domain1.com/Y.Y.Y.Y\
 --server=/domain2.com/Z.Z.Z.Z\
 --server=/domain2.com/W.W.W.W

else
/pfrm2.0/bin/dnsmasq -y -x /var/run/dnsmasq.pid -h -H /var/hosts -c 0 -E --domain=#\
 --server=/domain1.com/X.X.X.X\
 --server=/domain1.com/Y.Y.Y.Y\
 --server=/domain2.com/Z.Z.Z.Z\
 --server=/domain2.com/W.W.W.W

fi
unset DOMAIN

 

 

As you can see, it's possible to add more than one server to a specific domain. Replace X.X.X.X, Y.Y.Y.Y, Z.Z.Z.Z and W.W.W.W with DNS Server's IP.

On WEB GUI, DNS Servers configured should be your public/provider addresses for all requests other than domain1 and domain2 on the example.

Please note that when you modify the domain name or disable DNS Proxy, both operations in WEB GUI, the dnsmasq process is restarted; so you will need to execute the script manually again.

Us4r
Contributor
Did work as you wrote Kenny. Thank you for that. Today I will try if userCheck - Script will be delted after a firmware upgrade and give a feedback after that.
Thomas_Eichelbu
Advisor
Advisor

Hello!

 

wow that´s a cool thing, this is also working in Full GAiA Appliances? R80.30 ?
this would be great.


i would need this issue to send DNS request from different internal clients to specific DNS servers.
some customer installation have little to no DNS Server configured for SplitDNS and so on .. so this feaure would be great.

best regards

Thomas

 

jgarcias
Participant

Hello,

 

It's possible to configure the script to detect that dnsmasq died and restarted without "domain" parameters to execute the script automatically again without manual intervention?

 

Thanks.

KennyManrique
Advisor

Hi,

Maybe you could create a new script to check the status of dnsmasq and add it as cronjob to check every minute if it's active, something like this. It all depends on which verifications you will apply to the new script. You can view the current ps output for dnsmasq, and proceed to compare vs the expected to run the userScript again.

 

demirdag
Participant

Hello,

 

Thank you for this script. It should help me because I have the same issue as described in this post. But there is only one issue. I cannot get the script to execute without errors. This is the output when I run it on the firewall:

./userScript: line 9: syntax error near unexpected token `else'
./userScript: line 9: `else'

 I copied the script 1:1 from your post and adjusted the server entries to our situation. Is there anything that you can say about this error?

PhoneBoy
Admin
Admin

The forward slashes on their own line in the script should not be there and is very likely what is causing the error.

demirdag
Participant

Thank you very much for replying. 

I removed the slashes but that wasn't the issue. There needed to be a semicolon and 'then' missing after the if statement. So it should be:

if [ -z "$DOMAIN" ]; then

 

PhoneBoy
Admin
Admin

I fixed the script in the post so it's correct.

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events