DNS forwarding for internal domain
Hello CheckMates,
Is it possible to configure a DNS forwarder on an SMB appliance for specific domains?
Meaning, clients have the appliance configured as DNS server, and the appliance forwards requests for the internal domain to the central DNS at the central site over VPN, and all other requests are forwarded to the provider's DNS server.
Problem is that the remote sites can access the internet via the local appliance. Connectivity to the central site is done via VPN and all internal DNS servers are hosted only at the central site. If the VPN connection to the central site is up everything is fine, but if the connection is lost the clients can't resolve DNS names.
Other vendors have a feature to do this DNS forwarding as described, but I missed this on the Check Point appliance.
Another option would be to have a local DNS server, but we don't want to run any servers locally.
All ideas are welcome.
Wolfgang
Accepted Solutions
Hi,
I can't do this by modifying the config file either.
The way I did it was adding a script at boot (/pfrm2.0/etc/userScript), which you can also call manually. The userScript (sk52520) is executed at the end of all startup routines, so this way I can check if the local domain name is empty at boot; if not, it means it was previously assigned, so it needs to be set again:
#!/bin/sh
# Stop the dnsmasq instance started by the appliance so it can be relaunched with forwarding options
kill -9 $(cat /var/run/dnsmasq.pid)
# Local domain name as configured in the WEB GUI (empty if none is set)
DOMAIN=$(grep search /etc/resolv.conf | awk '{print $2}')
if [ -z "$DOMAIN" ]; then
    # No local domain: relaunch dnsmasq with per-domain forwarders only
    /pfrm2.0/bin/dnsmasq -y -x /var/run/dnsmasq.pid -h -H /var/hosts -c 0 \
        --server=/domain1.com/X.X.X.X \
        --server=/domain1.com/Y.Y.Y.Y \
        --server=/domain2.com/Z.Z.Z.Z \
        --server=/domain2.com/W.W.W.W
else
    # A local domain was assigned: --domain=# makes dnsmasq read it from /etc/resolv.conf again
    /pfrm2.0/bin/dnsmasq -y -x /var/run/dnsmasq.pid -h -H /var/hosts -c 0 -E --domain=# \
        --server=/domain1.com/X.X.X.X \
        --server=/domain1.com/Y.Y.Y.Y \
        --server=/domain2.com/Z.Z.Z.Z \
        --server=/domain2.com/W.W.W.W
fi
unset DOMAIN
As you can see, it's possible to add more than one server for a specific domain. Replace X.X.X.X, Y.Y.Y.Y, Z.Z.Z.Z and W.W.W.W with the DNS servers' IPs.
In the WEB GUI, the DNS servers configured should be your public/provider addresses for all requests other than domain1 and domain2 in the example.
Please note that when you modify the domain name or disable DNS Proxy (both operations in the WEB GUI), the dnsmasq process is restarted, so you will need to execute the script manually again.
Basically you have three possibilities if you do not want a local DNS:
1. Configure the hosts as network objects and set the box to resolve those.
2. Fiddle with the /var/hosts file for the dnsmasq.
3. Fiddle with the /pfrm2.0/etc/dnsmasq.conf to enable forwarding for the internal domain there.
I just saw that in the config file the strict option is set, so if you put the internal DNS first, it should work, as long as the VPN is up.
We have the same requirement to use specific DNS servers for internally hosted domains, and any other requests should be answered by the DNS servers configured on the appliance.
How did you finally solve this issue?
I tried to change dnsmasq.conf but this was not working.
Regards
Florian
Hello!
Wow, that's a cool thing. Is this also working on full GAiA appliances? R80.30?
This would be great.
I would need this to send DNS requests from different internal clients to specific DNS servers.
Some customer installations have little to no DNS servers configured for split DNS and so on, so this feature would be great.
Best regards
Thomas
Hello,
Is it possible to configure the script to detect that dnsmasq died and restarted without the "domain" parameters, and to execute the script automatically again without manual intervention?
Thanks.
Hi,
Maybe you could create a new script to check the status of dnsmasq and add it as a cronjob to check every minute if it's active, something like that. It all depends on which verifications you apply in the new script. You can view the current ps output for dnsmasq and compare it against the expected output, then run the userScript again.
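One way to build the cron watchdog suggested in the reply above, as an added example that is not from the thread: it reads the command line of the running dnsmasq (via its pid file, /var/run/dnsmasq.pid, from the accepted answer) and re-runs /pfrm2.0/etc/userScript when a --server=/<domain>/ forwarder is missing. The script path /pfrm2.0/etc/dns-watchdog.sh in the cron comment and the domain names are assumptions, as are the placeholder domains domain1.com and domain2.com taken over from the accepted answer.

```shell
#!/bin/sh
# Added example watchdog (not code from the thread). Intended cron entry, assumed path:
#   * * * * * /pfrm2.0/etc/dns-watchdog.sh run
USERSCRIPT=/pfrm2.0/etc/userScript     # script from the accepted answer
PIDFILE=/var/run/dnsmasq.pid            # pid file used by that script
# Domains that must have an internal forwarder (placeholders as in the accepted answer)
EXPECTED_DOMAINS="domain1.com domain2.com"

# Return 0 (true) when the given dnsmasq command line lacks a --server=/<domain>/
# entry for any expected domain, i.e. the WEB GUI restarted dnsmasq without them.
forwarding_missing() {
    cmdline=$1
    for d in $EXPECTED_DOMAINS; do
        case "$cmdline" in
            *"--server=/$d/"*) ;;          # forwarder present, check next domain
            *) return 0 ;;                 # forwarder absent: restart needed
        esac
    done
    return 1
}

# Print the command line of the dnsmasq process recorded in PIDFILE.
# /proc/<pid>/cmdline separates arguments with NUL bytes; tr turns them into spaces.
running_cmdline() {
    [ -r "$PIDFILE" ] || return 1
    pid=$(cat "$PIDFILE")
    [ -r "/proc/$pid/cmdline" ] || return 1
    tr '\0' ' ' < "/proc/$pid/cmdline"
}

# Compare the live process against the expected forwarders and repair if needed.
# A missing pid file or process yields an empty command line, which also triggers a re-run.
watchdog() {
    cmd=$(running_cmdline) || cmd=""
    if forwarding_missing "$cmd"; then
        echo "dnsmasq is running without the internal forwarders, re-running $USERSCRIPT" >&2
        sh "$USERSCRIPT"
    fi
}

# Only act when invoked with "run", so the functions can be sourced for testing.
case "${1:-}" in
    run) watchdog ;;
esac
```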
Hello,
Thank you for this script. It should help me because I have the same issue as described in this post. But there is only one issue. I cannot get the script to execute without errors. This is the output when I run it on the firewall:
./userScript: line 9: syntax error near unexpected token `else'
./userScript: line 9: `else'
I copied the script 1:1 from your post and adjusted the server entries to our situation. Is there anything that you can say about this error?
The forward slashes on their own line in the script should not be there and are very likely what is causing the error.
Thank you very much for replying.
I removed the slashes, but that wasn't the issue. There was a semicolon and 'then' missing after the if statement. So it should be:
if [ -z "$DOMAIN" ]; then
I fixed the script in the post so it's correct.