DNS question
Hey everyone,
Sorry if this may sound like a dumb/stupid/silly question (or all 3 together lol), but I had a customer ask me something that no one ever asked me in all my years with CP. So, they wanted to know if Check Point has their own DNS servers like Fortinet does that customers could use? I'm pretty sure the answer is no, as I had never seen or heard of any, but wanted to be 100% sure.
Below is what I'm referring to on Fortigates.
Best and thanks as always for the help.
Andy
Accepted Solutions
Would love to see CP come out with a product like "Meta IP" again.
As far as free DNS services that provide security, Quad9 is still the best. Recently saw some C2 Beacons trying to be accessed. Quad9 was the only provider already blocking the domains.
As I suspected, the answer is no, SE also confirmed the same.
Andy
Officially, no.
However, dnsmasq has been unofficially on Gaia OS for quite some time.
I even wrote something about it a decade ago (including how to use it): https://phoneboy.org/2014/09/02/fun-with-check-point-dynamic-ip-gateways-in-r77-dot-20-with-gaia/
In the R82 EA, I noticed it’s actually running.
Not sure what it is officially used for as I haven’t dug into it.
Funny you gave that link, as I was reading it before making the post and even the customer told me about it 🙂
Will test it in R82 lab.
Andy
Ran the commands, but not working, definitely missing something brother...any idea? 🙂
Andy
[Expert@R82-TEST-FW:0]# dbset process:dnsmasq t
[Expert@R82-TEST-FW:0]# dbset process:dnsmasq:path /usr/sbin
[Expert@R82-TEST-FW:0]# dbset process:dnsmasq:runlevel 3
[Expert@R82-TEST-FW:0]# dbset :save
[Expert@R82-TEST-FW:0]# dnsmasq
dnsmasq: failed to create listening socket for 127.0.0.1: Address already in use
[Expert@R82-TEST-FW:0]# fw ver -k
This is Check Point's software version R82 - Build 760
kernel: R82 - Build 735
[Expert@R82-TEST-FW:0]#
Like I said, dnsmasq is already running on R82 (no need to enable it).
Version string says it is 2.76.
The configuration file looks like this:
# This file was AUTOMATICALLY GENERATED
# Generated by /bin/dnsmasq_xlate on Tue Jun 18 13:44:47 2024
#
# DO NOT EDIT
#
bind-interfaces
cache-size=1000
no-poll
listen-address=127.0.0.1
server=/#/x.y.z.w
conf-dir=/etc/dnsmasq.d
This tells me the following:
- It's basically a caching DNS server (x.y.z.w appears to be the DNS server configured in the Gaia OS)
- Additional configuration can be bootstrapped from files added in /etc/dnsmasq.d
Whether this works/is supported is a separate question.
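To see what a file like the one above actually configures, here is an added example (my own code, not Check Point's and not from this thread) that parses a dnsmasq.conf in that format, expands the server= entries, and reports whether the listener is loopback-only; the sample text is constructed from the listing above, and 150 is dnsmasq's documented default cache size.

```python
import ipaddress

# Constructed sample, copied from the Gaia-generated listing in the thread
SAMPLE_CONF = """\
# This file was AUTOMATICALLY GENERATED
# DO NOT EDIT
bind-interfaces
cache-size=1000
no-poll
listen-address=127.0.0.1
server=/#/8.8.8.8
server=/#/8.8.4.4
server=/#/2.2.2.2
conf-dir=/etc/dnsmasq.d
"""

def parse_dnsmasq_conf(text):
    """Return {option: [values]}; bare flags map to [True].
    Repeated options (several server= lines) accumulate in order."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # dnsmasq only has whole-line comments
            continue
        key, sep, value = line.partition("=")
        opts.setdefault(key.strip(), []).append(value.strip() if sep else True)
    return opts

def upstreams(opts):
    """Expand server= entries into (domain, address) pairs.
    '/#/addr' forwards every domain, '/dom/addr' only dom, bare addr every domain."""
    pairs = []
    for entry in opts.get("server", []):
        if entry.startswith("/"):
            _, domain, addr = entry.split("/", 2)
            pairs.append(("*" if domain == "#" else domain, addr))
        else:
            pairs.append(("*", entry))
    return pairs

def exposure(opts):
    """Loopback-only listeners mean the cache serves the gateway itself;
    no listen-address (dnsmasq default: all interfaces) or a non-loopback
    address would make the forwarder reachable from the network."""
    addrs = [a for v in opts.get("listen-address", []) for a in v.split(",")]
    loopback_only = bool(addrs) and all(
        ipaddress.ip_address(a).is_loopback for a in addrs)
    return {"listen": addrs, "loopback_only": loopback_only,
            "bind_interfaces": "bind-interfaces" in opts,
            "cache_size": int(opts.get("cache-size", ["150"])[0]),
            "extra_conf_dirs": opts.get("conf-dir", [])}
```

Running exposure(parse_dnsmasq_conf(SAMPLE_CONF)) on the listing reports a loopback-only caching forwarder with three catch-all upstreams and /etc/dnsmasq.d as the drop-in directory.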
1) What file is that?
2) Shouldn't the dnsmasq command give something?
Andy
The configuration file is /etc/dnsmasq.conf
The error message you receive is because dnsmasq is already running (as stated previously).
K, gotcha...this is what it looks like in my lab, appears how I set it up.
Andy
[Expert@CP-EXL-1-s01-01:0]# more dnsmasq.conf
# This file was AUTOMATICALLY GENERATED
# Generated by /bin/dnsmasq_xlate on Fri Jul 12 15:27:11 2024
#
# DO NOT EDIT
#
bind-interfaces
cache-size=1000
no-poll
listen-address=127.0.0.1
server=/#/8.8.8.8
server=/#/8.8.4.4
server=/#/2.2.2.2
conf-dir=/etc/dnsmasq.d
[Expert@CP-EXL-1-s01-01:0]#
Quad 9? Never heard of it, but reading about it, seems like it's fantastic, awesome reviews...will let the customer know.
THANK YOU!!
Andy
Never seen or read anything regarding DNS provided by Check Point.
There is ns1.checkpoint.com but they deny my DNS request 😉
C:\Users\lesle>nslookup therock.com ns1.checkpoint.com
Server: dns1.zonelabs.com
Address: 209.87.222.140
*** dns1.zonelabs.com can't find therock.com: Query refused
C:\Users\lesle>nslookup ns1.checkpoint.com
Server: gpon.net
Address: fe80::1
Non-authoritative answer:
Name: ns1.checkpoint.com
Address: 209.87.222.140
If you like this post please give a thumbs up(kudo)! 🙂
John,
Just wanted to thank you again for providing this. I can't believe how great these DNS servers are, it's truly amazing. Compared to Google DNS, there is literally no comparison...simply outstanding.
I mean, I even tested it at home and though I have 1.5 GB download and 1 GB upload fiber through my ISP, when I use Quad 9 DNS servers, it seems way faster than when using Google DNS.
Thanks again mate!!! ✌️
Andy