Mahesh_Patil
Participant

DNS NAT issue (DNS Doctoring)

We have enabled DNS NAT with the help of sk34295.

After enabling DNS NAT, the firewall is doing DNS NAT for all communications.

We don't want DNS NAT for all communications. Example:

The source interface has 5 subnets, out of which DNS NAT is required for four subnets, and for one subnet we do not want DNS NAT.

Also, of the four subnets, two subnets should get one IP address and the other two subnets should get another IP address of the destination server.

The above scenario is not working. DNS NAT checks the 1st NAT rule and does the DNS NAT.

As per my observation, and as per the SK, DNS NAT does not check the source IP address while doing DNS NAT.

Can someone help me on this?


Accepted Solutions
HeikoAnkenbrand
Champion

Hi @Mahesh_Patil 

If you set fw_dns_xlation to true, it is globally valid for the DNS service.

The feature has a global on/off switch, in the $FWDIR/conf/objects_5_0.C file on Security Management Server / Domain Management Server, called fw_dns_xlation (by default set to false). When its value is set to true, the regular NAT rulebase is used to determine how to change the DNS packets.

The regular NAT rules used to translate the internal servers will suffice. There is no need to define special NAT rules in addition to the regular ones defined.

I would use a manual Hide NAT rule for the outgoing DNS traffic.

 

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips


7 Replies
Mahesh_Patil
Participant

Yes. But the requirement is more. Let me give you an example:

Source subnets 172.16.1.0/24, 172.16.2.0/24, 172.16.3.0/24, 172.16.4.0/24 and 172.16.5.0/24, and the destination real IP is 10.0.0.1

1. Now 172.16.1.0/24 and 172.16.2.0/24 should access 192.168.1.1 (NAT with 10.0.0.1)

2. Now 172.16.3.0/24 and 172.16.4.0/24 should access 192.168.2.2 (NAT with 10.0.0.1)

3. Now 172.16.5.0/24 should access 10.0.0.1 (without NAT)

We require DNS NAT for points 1 and 2. We do not require DNS NAT for point 3.

Now the 1st problem: DNS NAT does NAT of all DNS requests, which is impacting point 3 connectivity.

The 2nd problem is in the NAT order: the 1st NAT is 192.168.1.1 with 10.0.0.1. DNS NAT does not check the source IP while doing DNS NAT, due to which point 2 connectivity gets impacted, as DNS NAT resolves/gives IP address 192.168.1.1 in place of 192.168.2.2 in the DNS query.

How can we achieve this scenario?

Wolfgang
Authority

@Mahesh_Patil 

Maybe a little network diagram with a sample would help.

"DNS NAT" does no NAT on the packets itself. "DNS NAT" replaces IP addresses in a DNS response, which is initiated from a client to a DNS server.

This traffic has to traverse the gateway, meaning the gateway has to see the request and the response of the DNS query.

The "DNS NAT" changes traffic only regarding UDP/53, nothing else. As you describe, and as I understand it, you can now see NAT on all connections?

Have a look at limitations 2. and 3. from sk34295, it's important. The source object of your NAT rules for "DNS NAT" is disregarded, and you have to define different NAT types (static or manual) for your specific object types (network or host).

Wolfgang

 

Mahesh_Patil
Participant

Attached diagram.

 

Mahesh

Wolfgang
Authority

@Mahesh_Patil 

Snip from the limitations:

"DNS traffic (DNS Requests) will be translated based on the Destination address in the NAT rules without considering the Source of the traffic"

Wolfgang

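To make that limitation concrete, here is an added Python model (not Check Point code; the rulebase is constructed from the subnets in this thread) that walks a NAT rulebase the way the quoted limitation describes, matching the DNS answer on destination only and ignoring the client's source subnet, and contrasts it with the hypothetical source-aware behaviour the poster was asking for.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class NatRule:
    """One row of a constructed NAT rulebase; top-down order matters."""
    original_src: str    # network the clients sit in
    original_dst: str    # address the clients dial (NAT side)
    translated_dst: str  # real server address behind the gateway

# Constructed rulebase mirroring points 1 and 2 of the thread.
# 172.16.5.0/24 (point 3) deliberately has no rule.
RULEBASE = [
    NatRule("172.16.1.0/24", "192.168.1.1", "10.0.0.1"),
    NatRule("172.16.2.0/24", "192.168.1.1", "10.0.0.1"),
    NatRule("172.16.3.0/24", "192.168.2.2", "10.0.0.1"),
    NatRule("172.16.4.0/24", "192.168.2.2", "10.0.0.1"),
]

def doctor_answer(answer, client, rulebase=RULEBASE, consider_source=False):
    """Rewrite the A record `answer` in a DNS reply headed to `client`.

    consider_source=False models the quoted sk34295 limitation: the first
    rule whose translated destination equals the answer wins, and the
    client's source network is never consulted.
    consider_source=True is the hypothetical behaviour the poster wanted.
    """
    for rule in rulebase:
        if ip_address(answer) != ip_address(rule.translated_dst):
            continue
        if consider_source and ip_address(client) not in ip_network(rule.original_src):
            continue
        return rule.original_dst
    return answer  # no rule matches: the reply passes through unchanged

def answers_per_subnet(consider_source=False):
    """What a client in each of the five subnets sees for the server's real IP."""
    clients = {f"172.16.{n}.0/24": f"172.16.{n}.10" for n in range(1, 6)}
    return {net: doctor_answer("10.0.0.1", ip, consider_source=consider_source)
            for net, ip in clients.items()}

if __name__ == "__main__":
    for label, flag in (("destination-only (documented)", False),
                        ("source-aware (wanted)", True)):
        print(label)
        for net, seen in answers_per_subnet(flag).items():
            print(f"  {net:16} -> {seen}")
```

Run it and the destination-only table shows every subnet, including 172.16.5.0/24, receiving 192.168.1.1, which is exactly the two problems described in the thread.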
Mahesh_Patil
Participant

Yes. As per my understanding, because only the destination address is checked for DNS NAT, the point 2 and 3 scenarios are not working.

For points 2 and 3, when a DNS request comes from the source, the firewall does DNS NAT based on the 1st NAT statement, and because the source receives the wrong IP in the DNS reply, the source is unable to connect to the destination.

Can we have a solution for this? Or does this need development?

PhoneBoy
Admin

Basically, if the traffic is subject to NAT at all (by destination only), it is subject to DNS NAT if you have it enabled.
In which case, it sounds like this is operating as designed and what you’re wanting to do would be an RFE.
