We are seeing exactly the same issue, but need to identify the infected client that is presumably using the FW as DNS proxy. I have triend packet capture and cannot see the initial query, only the query from the FW to DNS server. I've created a spoofed zone on our DNS server and A records for the suspect queries to try and trap the client, but it's not connecting to the spoofed IP. CP logs do not show the original client query. Any ideas how I might find the culprit? Can you turn on logging for the DNS proxy service?

Thank you for your replies and let me try and elaborate. Logs on our internal DNS server show DNS A record queries for known C&C FQDNs. The logs on the server (and packet capture taken on server) both show the source IP of the query being the  Checkpoint interbal Cluster IP. We need to identify the client(s) trying to resolve these C&C FQDNs.

Now clearly since the source IP of the query is the Checkpoint VIP, a device (not on our internal LAN) is either querying the internal DNS server directly and the traffic is being NATd to the Cluster internal VIP (this can't be the case as not shown in FW logs, or tcpdump taken on Checkpoint). Or perhaps the client(s) are performing DNS query against one of the FW interface IPs and the Checkpoint DNS proxy daemon is then querying the internal DNS server - but if this is the case, once again neither the client -> FW DNS query is logged, nor is the FW -> internal DNS query. Neither are showing in a tcpdump.

So I can't post any logs here as nothing is logged for these suspicious DNS queries yet they are either originating from, or being proxied by, the Checkpoint. Logging of Implied Rules is also enabled.

Mystery!

Might be worth double-checking that DNS Trap is enabled?  With it enabled, doing a log query for traffic where the destination is your trap IP (default is 62.0.58.94) should show the offending client IP?

Thank you - this isn't enabled, but I've enabled the same functionality by creating zones and bogus A records for many of the C&C FQDNs on our internal DNS server. Unfortunately even when a bogus IP is returned, the infected client(s) are not connecting  to the IP. I really need a way to either log the original DNS query or capture the traffic - it just seems this is not possible for traffic to the Checkpoint "self"

Update - I originally thought the queries were from clients using one of the FW IPs as DNS server and although DNS Proxy is enabled by default, our Security Policy doesn't permit DNS queries against the FW interfaces.

I really need a way to locate the source of the DNS queries. The query is originating from the internal Cluster VIP and yet there is absolutely no log for these connections. Any help would be most appreciated.

Traffic originating from the gateway itself is typically allowed (and not logged) through implied rules...unless you've turned that off.

Hi Steve,

is there anyway to prove that its because of the FQDN object but nothing else?

Hi in our case it was obvious because thre was one rule blocking access the the FQDNs that were being resolved by the internal DNS server. Perhaps you could remove the domain object(s) from the policy and see if the DNS server is still being queried for it/them.