DNS NAT issue (DNS Doctoring)
We have enabled DNS NAT with the help of sk34295.
After enabling DNS NAT, the firewall is doing DNS NAT for all communications.
We don't want DNS NAT for all communications. Example:
The source interface has 5 subnets; we require DNS NAT for four of them, and for one subnet we do not want DNS NAT.
Also, among the four subnets, two subnets should get one IP address and the other two subnets should get another IP address of the destination server.
The above scenario is not working. DNS NAT checks the 1st NAT rule and does the DNS NAT.
As per my observation, and as per the SK, DNS NAT does not check the source IP address while doing DNS NAT.
Can someone help me with this?
Accepted Solutions
If you set fw_dns_xlation to true, it is globally valid for the DNS service.
The feature has a global on/off switch, in the $FWDIR/conf/objects_5_0.C file on Security Management Server / Domain Management Server, called fw_dns_xlation (by default set to false). When its value is set to true, the regular NAT rulebase is used to determine how to change the DNS packets.
The regular NAT rules used to translate the internal servers will suffice. There is no need to define special NAT rules in addition to the regular ones defined.
I would use a manual Hide NAT rule for the outgoing DNS traffic.
Yes. But the requirement is more. Let me give you an example:
Source subnets 172.16.1.0/24, 172.16.2.0/24, 172.16.3.0/24, 172.16.4.0/24 and 172.16.5.0/24, and the destination real IP is 10.0.0.1.
1. Now 172.16.1.0/24 and 172.16.2.0/24 should access 192.168.1.1 (NAT with 10.0.0.1)
2. Now 172.16.3.0/24 and 172.16.4.0/24 should access 192.168.2.2 (NAT with 10.0.0.1)
3. Now 172.16.5.0/24 should access 10.0.0.1 (without NAT)
We require DNS NAT for points 1 and 2. We do not require DNS NAT for point 3.
Now the 1st problem: DNS NAT does NAT on all DNS requests, which impacts connectivity for point 3.
The 2nd problem is the NAT order: the 1st NAT rule is 192.168.1.1 with 10.0.0.1. DNS NAT does not check the source IP while doing DNS NAT, due to which connectivity for point 2 gets impacted, as DNS NAT resolves/gives the IP address 192.168.1.1 in place of 192.168.2.2 in the DNS reply.
How can we achieve this scenario?
Maybe a little network diagram with a sample would help.
"DNS NAT" does no NAT on the packets itself. "DNS NAT" replaces IP addresses in a DNS response to a query initiated from a client to a DNS server.
This traffic has to traverse the gateway, meaning the gateway has to see the request and the response of the DNS query.
"DNS NAT" changes traffic only regarding UDP/53, nothing else. As you describe, and as I understand it, you can now see NAT on all connections?
Have a look at limitations 2. and 3. from sk34295, it's important. The source object of your NAT rules is disregarded for "DNS NAT", and you have to define different NAT types (static or manual) for your specific object types (network or host).
Wolfgang
Attached diagram.
Mahesh
Snip from the limitations:
"DNS traffic (DNS Requests) will be translated based on the Destination address in the NAT rules without considering the Source of the traffic"
Wolfgang
Yes. As per my understanding, because only the destination address is checked for DNS NAT, the scenarios for points 2 and 3 are not working.
For points 2 and 3, when the DNS request comes from the source, the firewall does DNS NAT on the 1st NAT statement, and because the source receives the wrong IP in the DNS reply, the source is unable to connect to the destination.
Can we have a solution for this? Or is development needed for this?
Basically, if the traffic is subject to NAT at all (by destination only), it is subject to DNS NAT if you have it enabled.
In which case, it sounds like this is operating as designed and what you’re wanting to do would be an RFE.
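The following is an added example, not code from this thread or from Check Point: a small model of DNS doctoring driven by a NAT rulebase, written to make the sk34295 limitation quoted above concrete. It assumes (as the thread describes) that the DNS server answers with the real address 10.0.0.1 and that doctoring substitutes the original destination of the first Static NAT rule whose translated address matches that answer. The rule representation (`NatRule`), the query name `app.example.com`, and the `consider_source=True` branch (what the poster wants, not what the gateway does) are assumptions of this model. The DNS wire-format part builds a minimal response and rewrites the A-record RDATA in place, so the effect on each of the poster's subnets can be seen on a real packet layout.

```python
import ipaddress
import struct
from dataclasses import dataclass
from typing import Iterator, List, Optional, Tuple


@dataclass(frozen=True)
class NatRule:
    """One Static NAT rule as seen from the client side (assumed model):
    the destination the client connects to and what it is translated to.
    `sources` lists the client networks the rule is meant for (None = Any)."""
    orig_dst: str
    xlate_dst: str
    sources: Optional[Tuple[str, ...]] = None


# Constructed rulebase reproducing the poster's scenario, in rulebase order.
# Both rules translate to the same real server 10.0.0.1; only the source differs.
RULEBASE = [
    NatRule("192.168.1.1", "10.0.0.1", ("172.16.1.0/24", "172.16.2.0/24")),
    NatRule("192.168.2.2", "10.0.0.1", ("172.16.3.0/24", "172.16.4.0/24")),
]


def doctor_ip(answer_ip: str, client_ip: str, rulebase: List[NatRule],
              consider_source: bool) -> str:
    """Pick the address a client should see in place of `answer_ip`.

    consider_source=False models the limitation quoted from sk34295: the rule
    is chosen on the (translated) destination only, so the first rule whose
    translated address equals the answer wins for every client.
    consider_source=True is the behaviour the poster asked for; it is an
    assumption of this model, not a gateway feature."""
    client = ipaddress.ip_address(client_ip)
    for rule in rulebase:
        if rule.xlate_dst != answer_ip:
            continue
        if consider_source and rule.sources is not None:
            if not any(client in ipaddress.ip_network(net) for net in rule.sources):
                continue
        return rule.orig_dst
    return answer_ip  # no matching rule: the answer passes through untouched


def build_a_response(txid: int, name: str, ip: str, ttl: int = 60) -> bytes:
    """Construct a minimal DNS response (constructed sample) with one A answer."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\0"
    header = struct.pack(">HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR=1, RD, RA
    question = qname + struct.pack(">HH", 1, 1)               # A, IN
    answer = (b"\xc0\x0c"                                      # pointer to QNAME
              + struct.pack(">HHIH", 1, 1, ttl, 4)
              + ipaddress.ip_address(ip).packed)
    return header + question + answer


def _skip_name(pkt: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # compression pointer: two bytes, ends name
            return off + 2
        off += 1 + length


def _answers(pkt: bytes) -> Iterator[Tuple[int, int, int]]:
    """Yield (rdata_offset, rdlen, rtype) for every record in the answer section."""
    qdcount, ancount = struct.unpack(">HH", pkt[4:8])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(pkt, off) + 4            # skip QTYPE and QCLASS
    for _ in range(ancount):
        off = _skip_name(pkt, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", pkt[off:off + 10])
        off += 10
        yield off, rdlen, rtype
        off += rdlen


def a_records(pkt: bytes) -> List[str]:
    """All IPv4 addresses carried in A records of the answer section."""
    return [str(ipaddress.ip_address(pkt[off:off + 4]))
            for off, rdlen, rtype in _answers(pkt) if rtype == 1 and rdlen == 4]


def doctor_response(pkt: bytes, client_ip: str, rulebase: List[NatRule],
                    consider_source: bool) -> bytes:
    """Rewrite each A-record RDATA in place; packet length and layout stay unchanged."""
    buf = bytearray(pkt)
    for off, rdlen, rtype in _answers(pkt):
        if rtype == 1 and rdlen == 4:
            old = str(ipaddress.ip_address(pkt[off:off + 4]))
            new = doctor_ip(old, client_ip, rulebase, consider_source)
            buf[off:off + 4] = ipaddress.ip_address(new).packed
    return bytes(buf)


if __name__ == "__main__":
    pkt = build_a_response(0x1234, "app.example.com", "10.0.0.1")
    for client in ("172.16.1.10", "172.16.3.10", "172.16.5.10"):
        print(client, "destination-only:",
              a_records(doctor_response(pkt, client, RULEBASE, False)),
              "with source:",
              a_records(doctor_response(pkt, client, RULEBASE, True)))
```

Running it shows all three clients receiving 192.168.1.1 under destination-only matching, which is the poster's two problems in one line of output: the 172.16.3.0/24 client gets the first rule's address instead of 192.168.2.2, and the 172.16.5.0/24 client gets a doctored answer although no rule was meant for it. The `consider_source=True` column is only there to show what a source-aware rule selection would return.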
