the_rock
Legend

DNS question

Hey everyone,

Sorry if this may sound like a dumb/stupid/silly question (or all 3 together lol), but I had a customer ask me something that no one has ever asked me in all my years with CP. So, they wanted to know if Check Point has their own DNS servers, like Fortinet does, that customers could use? I'm pretty sure the answer is no, as I had never seen or heard of any, but wanted to be 100% sure.

Below is what I'm referring to on FortiGates.

Best, and thanks as always for the help.

Andy

Screenshot_1.png


12 Replies
the_rock
Legend

As I suspected, the answer is no, SE also confirmed the same.

Andy

PhoneBoy
Admin

Officially, no.
However, dnsmasq has been unofficially on Gaia OS for quite some time.
I even wrote something about it a decade ago (including how to use it): https://phoneboy.org/2014/09/02/fun-with-check-point-dynamic-ip-gateways-in-r77-dot-20-with-gaia/
In the R82 EA, I noticed it’s actually running.
Not sure what it is officially used for as I haven’t dug into it.

the_rock
Legend

Funny you gave that link, as I was reading it before making the post, and even the customer told me about it 🙂

Will test it in the R82 lab.

Andy

the_rock
Legend

@PhoneBoy 

Ran the commands, but it's not working; definitely missing something, brother... any idea? 🙂

Andy

[Expert@R82-TEST-FW:0]# dbset process:dnsmasq t
[Expert@R82-TEST-FW:0]# dbset process:dnsmasq:path /usr/sbin
[Expert@R82-TEST-FW:0]# dbset process:dnsmasq:runlevel 3
[Expert@R82-TEST-FW:0]# dbset :save
[Expert@R82-TEST-FW:0]# dnsmasq

dnsmasq: failed to create listening socket for 127.0.0.1: Address already in use
[Expert@R82-TEST-FW:0]# fw ver -k
This is Check Point's software version R82 - Build 760
kernel: R82 - Build 735
[Expert@R82-TEST-FW:0]#

PhoneBoy
Admin

Like I said, dnsmasq is already running on R82 (no need to enable it).
Version string says it is 2.76.
The configuration file looks like this:

#  This file was AUTOMATICALLY GENERATED
#  Generated by /bin/dnsmasq_xlate on Tue Jun 18 13:44:47 2024
# 
#  DO NOT EDIT
# 
bind-interfaces
cache-size=1000
no-poll
listen-address=127.0.0.1
server=/#/x.y.z.w
conf-dir=/etc/dnsmasq.d

This tells me the following:

  • It's basically a caching DNS server (x.y.z.w appears to be the DNS server configured in the Gaia OS)
  • Additional configuration can be bootstrapped from files added in /etc/dnsmasq.d

Whether this works/is supported is a separate question.

the_rock
Legend

1) What file is that?

2) Shouldn't the dnsmasq command give something?

Andy

PhoneBoy
Admin

The configuration file is /etc/dnsmasq.conf
The error message you receive is because dnsmasq is already running (as stated previously).

the_rock
Legend

K, gotcha... this is what it looks like in my lab, which appears to be how I set it up.

Andy

[Expert@CP-EXL-1-s01-01:0]# more dnsmasq.conf
# This file was AUTOMATICALLY GENERATED
# Generated by /bin/dnsmasq_xlate on Fri Jul 12 15:27:11 2024
#
# DO NOT EDIT
#
bind-interfaces
cache-size=1000
no-poll
listen-address=127.0.0.1
server=/#/8.8.8.8
server=/#/8.8.4.4
server=/#/2.2.2.2
conf-dir=/etc/dnsmasq.d
[Expert@CP-EXL-1-s01-01:0]#
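The two auto-generated /etc/dnsmasq.conf files above (PhoneBoy's and Andy's lab output) are short enough to audit by eye, but the conf-dir line means anything dropped into /etc/dnsmasq.d is merged in as well, and that is where a surprise would hide: an extra listen-address that exposes the cache beyond loopback, or an address= entry that answers a name locally instead of forwarding it. The script below is an added example, not Check Point's tooling or part of dnsmasq. It parses the option format shown in the thread, merges drop-ins, and reports listeners, forwarders and overrides. The main config is a copy of Andy's posted file; the drop-in, its 0.0.0.0 listener and the 10.0.0.5 override are constructed, hypothetical content used only to show what a finding looks like.

```python
"""Audit a Gaia-style dnsmasq configuration (added example, not vendor code).

Parses /etc/dnsmasq.conf option lines plus conf-dir drop-ins and reports the
settings a security engineer cares about: non-loopback listeners, upstream
forwarders (plain DNS, no transport encryption), and address= overrides that
answer a name locally and can silently redirect a host.
"""
import re
from collections import defaultdict

# Constructed copy of the auto-generated file posted in the thread.
SAMPLE_CONF = """\
# This file was AUTOMATICALLY GENERATED
# Generated by /bin/dnsmasq_xlate on Fri Jul 12 15:27:11 2024
#
# DO NOT EDIT
#
bind-interfaces
cache-size=1000
no-poll
listen-address=127.0.0.1
server=/#/8.8.8.8
server=/#/8.8.4.4
server=/#/2.2.2.2
conf-dir=/etc/dnsmasq.d
"""

# Hypothetical drop-in as it might appear in /etc/dnsmasq.d (constructed,
# not observed on any gateway): exposes the cache and hijacks one name.
SAMPLE_DROPIN = """\
listen-address=0.0.0.0
address=/updates.example.com/10.0.0.5
"""

LOOPBACK = re.compile(r"^(127\.|::1$)")


def parse_dnsmasq(text):
    """Return {option: [values]}; bare flags such as no-poll map to []."""
    opts = defaultdict(list)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # dnsmasq comments start the line
            continue
        key, sep, value = line.partition("=")
        key = key.strip()
        if sep:
            opts[key].append(value.strip())
        else:
            opts.setdefault(key, [])
    return dict(opts)


def split_server(value):
    """'/#/8.8.8.8' -> ('all names', '8.8.8.8'); '/x.com/10.0.0.5' -> ('x.com', '10.0.0.5')."""
    if value.startswith("/"):
        _, domain, target = value.split("/", 2)
        return ("all names" if domain == "#" else domain), target
    return "all names", value


def audit(conf, dropins=()):
    """Merge the main config with drop-in texts and return a list of findings."""
    merged = parse_dnsmasq(conf)
    for text in dropins:
        for key, values in parse_dnsmasq(text).items():
            merged.setdefault(key, []).extend(values)

    findings = []
    for addr in merged.get("listen-address", []):
        if not LOOPBACK.match(addr):
            findings.append(f"non-loopback listener: {addr}")
    for value in merged.get("server", []):
        domain, target = split_server(value)
        findings.append(f"forwarder for {domain}: {target} (plain DNS on port 53)")
    for value in merged.get("address", []):
        domain, target = split_server(value)
        findings.append(f"local override: {domain} -> {target}")
    if "no-poll" in merged:
        findings.append("no-poll: later edits to /etc/resolv.conf are not picked up")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF, [SAMPLE_DROPIN]):
        print(finding)
```

On a real box the same functions can be pointed at `open("/etc/dnsmasq.conf").read()` and `glob.glob("/etc/dnsmasq.d/*")`; the listener check is the one that matters for exposure, since with `listen-address=127.0.0.1` and `bind-interfaces` the cache is reachable only from the gateway itself.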

John-Haynes
Participant

Would love to see CP come out with a product like "Meta IP" again. 


As far as free DNS services that provide security, Quad9 is still the best.  Recently saw some C2 Beacons trying to be accessed.  Quad9 was the only provider already blocking the domains.

the_rock
Legend

Quad9? Never heard of it, but reading about it, it seems fantastic, awesome reviews... will let the customer know.

THANK YOU!!

Andy

Lesley
Leader

Never seen or read anything regarding DNS provided by Check Point.

There is ns1.checkpoint.com, but it denies my DNS request 😉

C:\Users\lesle>nslookup therock.com ns1.checkpoint.com
Server: dns1.zonelabs.com
Address: 209.87.222.140

*** dns1.zonelabs.com can't find therock.com: Query refused

C:\Users\lesle>nslookup ns1.checkpoint.com
Server: gpon.net
Address: fe80::1

Non-authoritative answer:
Name: ns1.checkpoint.com
Address: 209.87.222.140

-------
If you like this post please give a thumbs up(kudo)! 🙂
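The "Query refused" above is the expected behaviour of an authoritative-only name server: it answers for the zones it hosts and turns away recursive lookups from arbitrary clients. On the wire that is a response with RCODE 5 (REFUSED) and the RA (recursion available) flag clear, while the client's query carried RD (recursion desired). The code below is an added example, not part of the thread or of any vendor tool; it builds such a query with the standard library, decodes the response header, and classifies the result. The refused reply it tests against is constructed to match what nslookup reported, not a captured packet; the optional live lookup at the bottom uses the address the thread shows for ns1.checkpoint.com and needs network access.

```python
"""Build a recursive DNS query and decode the reply header (added example).

Shows the wire-level meaning of nslookup's "Query refused": a query with
RD=1 answered with RCODE=5 (REFUSED) and RA=0, i.e. the server is not a
recursive resolver for this client.
"""
import socket
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}


def build_query(name, txid=0x1234, qtype=1):
    """Standard query: one question, RD=1, QTYPE=A (1), QCLASS=IN (1)."""
    flags = 0x0100  # QR=0, opcode=0 (QUERY), RD=1
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def parse_header(data):
    """Decode the 12-byte DNS header into the fields that matter here."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),   # 1 = response
        "rd": bool(flags & 0x0100),   # recursion desired (copied from the query)
        "ra": bool(flags & 0x0080),   # recursion available (set only by recursive resolvers)
        "rcode": RCODES.get(flags & 0x000F, str(flags & 0x000F)),
        "answers": an,
    }


def interpret(query, response):
    """Classify a reply relative to the query it should belong to."""
    h = parse_header(response)
    if h["id"] != parse_header(query)["id"]:
        return "mismatched transaction id (ignore: spoofed or stale reply)"
    if not h["qr"]:
        return "not a response"
    if h["rcode"] == "REFUSED" and not h["ra"]:
        return "REFUSED without RA: server is not a recursive resolver for this client"
    return f"{h['rcode']} with {h['answers']} answer(s)"


def refused_reply(query):
    """Constructed reply of an authoritative-only server: same id and question,
    QR=1, RD echoed, RA=0, RCODE=5, no answer records."""
    txid = struct.unpack("!H", query[:2])[0]
    flags = 0x8000 | 0x0100 | 5
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + query[12:]


def resolve(name, server, port=53, timeout=2.0):
    """Send the query over UDP and return (query, response). Needs network access."""
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, port))
        r, _ = s.recvfrom(512)
    return q, r


if __name__ == "__main__":
    # Offline demonstration of the exchange nslookup showed.
    q = build_query("therock.com")
    print(interpret(q, refused_reply(q)))
    # Live check against the address the thread shows for ns1.checkpoint.com.
    try:
        print(interpret(*resolve("therock.com", "209.87.222.140")))
    except OSError as e:
        print(f"no reply: {e}")
```

Run against a recursive resolver such as Quad9 or Google instead, the same query comes back with RA set and an answer count, which is the quickest way to tell a public resolver from an authoritative server without reading documentation.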
the_rock
Legend

John,

Just wanted to thank you again for providing this. I can't believe how great these DNS servers are; it's truly amazing. Compared to Google DNS, there is literally no comparison... simply outstanding.

I mean, I even tested it at home, and though I have 1.5 GB download and 1 GB upload fiber through my ISP, when I use the Quad9 DNS servers it seems way faster than when using Google DNS.

Thanks again mate!!! ✌️

Andy
