Hello CheckMates,
Is it possible to configure a DNS forwarder on an SMB appliance for specific domains?
Meaning, clients have the appliance configured as their DNS server, the appliance forwards requests for the internal domain to the central DNS at the central site over VPN, and all other requests are forwarded to the provider's DNS server.
The problem is that the remote sites access the internet via the local appliance. Connectivity to the central site is done via VPN, and all internal DNS servers are hosted only at the central site. If the VPN connection to the central site is up everything is fine, but if the connection is lost the clients can't resolve DNS names.
Other vendors have a feature to do this DNS forwarding as described, but I missed this on the Check Point appliance.
Another option would be to have a local DNS server, but we don't want to run any servers locally.
All ideas are welcome
Wolfgang
Hi,
I can't do this by modifying the config file either.
The way I did it was adding a script at boot (/pfrm2.0/etc/userScript), which you can also call manually. The userScript (sk52520) is executed at the end of all startup routines, so this way I can check at boot whether the local domain name is empty; if not, it means that one was previously assigned and so needs to be set again:
#!/bin/sh
# Stop the dnsmasq instance the appliance started, so it can be relaunched with per-domain forwarders
kill -9 $(cat /var/run/dnsmasq.pid)
# The local domain name set in the Web GUI shows up as the "search" entry in /etc/resolv.conf
DOMAIN=$(grep '^search' /etc/resolv.conf | awk '{print $2}')
if [ -z "$DOMAIN" ]; then
    # No local domain configured: relaunch with the per-domain forwarders only
    /pfrm2.0/bin/dnsmasq -y -x /var/run/dnsmasq.pid -h -H /var/hosts -c 0 \
        --server=/domain1.com/X.X.X.X \
        --server=/domain1.com/Y.Y.Y.Y \
        --server=/domain2.com/Z.Z.Z.Z \
        --server=/domain2.com/W.W.W.W
else
    # Local domain configured: keep the appliance's -E --domain=# options as well
    /pfrm2.0/bin/dnsmasq -y -x /var/run/dnsmasq.pid -h -H /var/hosts -c 0 -E --domain=# \
        --server=/domain1.com/X.X.X.X \
        --server=/domain1.com/Y.Y.Y.Y \
        --server=/domain2.com/Z.Z.Z.Z \
        --server=/domain2.com/W.W.W.W
fi
unset DOMAIN
As you can see, it's possible to add more than one server for a specific domain. Replace X.X.X.X, Y.Y.Y.Y, Z.Z.Z.Z and W.W.W.W with the DNS servers' IPs.
In the Web GUI, the DNS servers configured should be your public/provider addresses; those handle all requests other than domain1 and domain2 in the example.
Please note that when you modify the domain name or disable DNS Proxy, both operations in the Web GUI, the dnsmasq process is restarted, so you will need to execute the script manually again.
Basically you have three possibilities, if you do not want a local DNS:
1. Configure the hosts as network objects and set the box to resolve those.
2. Fiddle with the /var/hosts file for the dnsmasq.
3. Fiddle with /pfrm2.0/etc/dnsmasq.conf to enable forwarding for the internal domain there.
I just saw that in the config file the strict option is set, so if you put the internal DNS first, it should work, as long as the VPN is up.
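To make option 3 concrete, here is an added example of what per-domain forwarding looks like in dnsmasq configuration syntax. It is not from this thread and not a copy of the appliance's shipped /pfrm2.0/etc/dnsmasq.conf (whether that file survives a GUI change is not something this thread establishes); the domain corp.example, the internal resolvers 10.0.0.53 and 10.0.0.54, the 10.in-addr.arpa reverse zone and the provider resolver 203.0.113.53 are placeholders. The first fragment is the setting that produces the symptom in the question, the second is the corrected one; use one or the other, not both.

```conf
# Weak: internal resolver listed first, provider second, strict order.
# Every query is sent to 10.0.0.53 across the VPN first, so with the
# tunnel down each lookup starts by talking to an unreachable server.
strict-order
server=10.0.0.53
server=203.0.113.53

# Corrected: only the internal zone (and its reverse zone, so PTR lookups
# for internal addresses also work) is sent to the central DNS over the
# VPN; everything else goes straight to the provider resolver.
server=/corp.example/10.0.0.53
server=/corp.example/10.0.0.54
server=/10.in-addr.arpa/10.0.0.53
server=203.0.113.53
```

The `server=/<domain>/<ip>` lines here are the configuration-file form of the `--server=/domain/ip` command-line options used in the userScript above; with them, loss of the VPN only affects names under corp.example, and public names keep resolving through the provider.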
Hello!
Wow, that's a cool thing. Does this also work on full GAiA appliances, R80.30?
This would be great.
I would need this to send DNS requests from different internal clients to specific DNS servers.
Some customer installations have little to no DNS servers configured for split DNS and so on, so this feature would be great.
Best regards
Thomas
Hello,
Is it possible to configure the script to detect that dnsmasq died and was restarted without the "domain" parameters, and to execute the script automatically again without manual intervention?
Thanks.
Hi,
Maybe you could create a new script to check the status of dnsmasq and add it as a cron job to check every minute whether it's active, something like that. It all depends on which verifications you apply in the new script. You can view the current ps output for dnsmasq and compare it against the expected one, then run the userScript again.
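As an added example (not code from anyone in this thread), here is one way to implement the cron check described above: a small POSIX sh watchdog that reads the command line of the running dnsmasq from /proc, verifies that every internal domain still has a `--server=/<domain>/` forwarder, and otherwise re-runs the userScript. The paths /pfrm2.0/etc/userScript and /var/run/dnsmasq.pid come from the thread; the script location /pfrm2.0/etc/dnsmasq_watchdog.sh, the REQUIRED_DOMAINS list and the `--check` argument are assumptions made for this example.

```shell
#!/bin/sh
# dnsmasq_watchdog.sh: re-apply per-domain forwarders when the Web GUI has
# restarted dnsmasq without them. Added example; the script path, the
# domain list and the --check argument are assumptions, the other paths are
# the ones used by the userScript in this thread.

USERSCRIPT=/pfrm2.0/etc/userScript
PIDFILE=/var/run/dnsmasq.pid
# Domains that the userScript forwards to the central DNS (keep in sync).
REQUIRED_DOMAINS="domain1.com domain2.com"

# current_cmdline: print the command line of the running dnsmasq, or
# nothing when there is no pid file or no such process.
current_cmdline() {
    pid=$(cat "$PIDFILE" 2>/dev/null) || return 0
    [ -n "$pid" ] && [ -r "/proc/$pid/cmdline" ] || return 0
    # /proc/<pid>/cmdline is NUL separated; turn the NULs into spaces.
    tr '\000' ' ' < "/proc/$pid/cmdline"
}

# forwarders_present CMDLINE: succeed when every required domain has a
# --server=/<domain>/ option in CMDLINE; otherwise print the missing
# domains (space separated) on stdout and fail.
forwarders_present() {
    cmd=$1
    missing=""
    for d in $REQUIRED_DOMAINS; do
        case "$cmd" in
            *"--server=/$d/"*) ;;
            *) missing="$missing $d" ;;
        esac
    done
    missing=${missing# }
    [ -z "$missing" ] && return 0
    printf '%s\n' "$missing"
    return 1
}

# needs_reapply CMDLINE: succeed when dnsmasq is not running (empty
# CMDLINE) or is running without the per-domain forwarders, i.e. exactly
# the state the Web GUI leaves behind after a domain change or DNS Proxy
# toggle.
needs_reapply() {
    [ -z "$1" ] && return 0
    if forwarders_present "$1" >/dev/null; then
        return 1
    fi
    return 0
}

main() {
    cmd=$(current_cmdline)
    if needs_reapply "$cmd"; then
        echo "dnsmasq-watchdog: per-domain forwarders missing, re-running $USERSCRIPT" >&2
        sh "$USERSCRIPT"
    fi
}

# Only act when explicitly asked, so the file can be sourced for testing.
if [ "${1:-}" = "--check" ]; then
    main
fi
```

Run it once by hand with `sh /pfrm2.0/etc/dnsmasq_watchdog.sh --check`, then schedule that same command every minute from cron. The check is made on the live command line rather than on whether some dnsmasq process exists, because the GUI restart leaves a healthy-looking dnsmasq running that simply lacks the `--server=/domain/` options; comparing the options catches that case within a minute.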
Hello,
Thank you for this script. It should help me because I have the same issue as described in this post. But there is only one issue. I cannot get the script to execute without errors. This is the output when I run it on the firewall:
./userScript: line 9: syntax error near unexpected token `else'
./userScript: line 9: `else'
I copied the script 1:1 from your post and adjusted the server entries to our situation. Is there anything that you can say about this error?
The forward slashes on their own line in the script should not be there, and that is very likely what is causing the error.
Thank you very much for replying.
I removed the slashes, but that wasn't the issue. There was a semicolon and 'then' missing after the if statement. So it should be:
if [ -z "$DOMAIN" ]; then
I fixed the script in the post so it's correct.