This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Maik
Advisor
‎2019-06-05 12:09 AM

Different DNS server per VS

Hello guys,

I'm pretty new when it Comes to VSX deployments and the related VS configuration. I have a quite Basic setup with one VSX cluster consisting out of two physical devices. On top of the VSX cluster we have two VS running (VS #1 and #2). Each VS has two dedicated interfaces. So currently there is not virtual switch or router in place, as there was no need for VS-to-VS communication or shared interfaces.

Now to my issue:

Basically I just want each VS to use a different DNS server, as per default the DNS config (as well as some other GAiA paramaters) are getting synched from VS0. The issue is, that once a change in clish of VS2 is made (regarding DNS) this is also getting synched to all the other VS (including VS0). So basically I assume that there is not way to have a different dns server entries for each VS...? I found a SK that mentions this problem and offers a solution - but this is only related for the remote access vpn blade and can't be used by any other feature. Without the possibility of configuring one or multiple different dns Servers for each VS I do not see a way to get any updates or the proxy feature working, as the gateway itself needs to send dns queries here.

It is also not wanted to have a shared dns in this environment as each VS should work completely independent from the other. So even if I adjust the routing so that VS2 can reach the DNS of VS0 no solution is met.

I read the VSX admin guide and could not find any word regarding this issue - so it could be the case that I overlooked something. Hopefully someone can point me in the right direction. 🙂

Regards,

Maik

13 Replies
Wolfgang
Authority
Authority
‎2019-06-05 01:37 AM

Maik,

the system is working as expected, by design the DNS configuration is shared beetween all VSs, see DNS configuration of a single VS affects all other VSs too

You can change the DNS-server for the MOB-blade only following All Virtual Systems on VSX Gateway / VSX cluster with enabled Mobile Access blade are trying to reac...

Wolfgang

Maik
Advisor
‎2019-06-05 01:44 AM
In response to Wolfgang

Hello Wolfgang,

 

Thanks for your reply. Yes, I my guess was that it works by design like I described.

I am just wondering if there is any way to do it differently? I mean, why should I keep everything seperate from each VS but not the DNS settings (to mention one example, which is related to this thread). Does this mean that I need to specify several DNS servers so that all are getting synched while only one is applicable per vs? I have the requirement to separate DNS strictly - thus not allowing VS2 to access the same DNS as VS1 or VS0.

 

The only "solution" I can think of is specifying three dns servers, that are getting synched to all VS in my Environment:

- Primary [for VS0]

- secondary [for VS1]

- tertiary [for VS2]

But this would lead to failing DNS requests each time VS1 or VS2 try to do a name resolution… so this is not really a solution but just a very dirty Workaround (that would also eliminate redunancy per VS dns, as I would have only one dns Server per vs).

Wolfgang
Authority
Authority
‎2019-06-05 03:04 AM
In response to Maik

Maik,

I understand your problem and you are not alone. But it is how it works.

If you have requirements  to separate the DNS, then VSX maybee is not a solution or you have to accept the limitation.

Maybe some of the other VSX guys here has an idea or maybe with R80.30 is something new ?

Wolfgang

Maik
Advisor
‎2019-06-11 08:07 AM
In response to Wolfgang

*push*

Some words from the community would be great - maybe someone already had this issue in the past and solved it via some way?

0 Kudos
Chris_Atkinson
Employee Employee
Employee
‎2019-06-11 08:37 AM
In response to Maik

NAT or BIND Views might help as work arounds.

CCSM R77/R80/ELITE
0 Kudos
Enyi_Ajoku
Collaborator
‎2019-11-19 08:52 AM
In response to Chris_Atkinson

Hi Chris,
Can you talk a lot more about how to do this or do you have an sk or documentation i can reference to.
Thank You

0 Kudos
Enyi_Ajoku
Collaborator
‎2019-11-19 08:50 AM
In response to Maik

Hi Maik,

Were you able to get this resolve in your infrastructure or a workaround. I am in the same boat and just noticed the same thing when i tried to setup dns.

Thanks

 

 

0 Kudos
Maik
Advisor
‎2019-11-19 10:46 PM
In response to Enyi_Ajoku

Hey Enyi,
I received a custom hotfix from Check Point which allowed me to configure a dns server for each VS. However I definitely do not recommend doing this - unless there are not any other options. What is your reason for dns queries from the virtual systems? Maybe there are different ways to accomplish this. In my example I had to migrate a quite old setup which used domain objects to VS R80.20. Domain objects for example require dns queries from the gateway itself - however nearly the same can be accomplished via URL filtering/application control - if licensed. With that you no longer require the gateway to do dns lookups.
0 Kudos
Enyi_Ajoku
Collaborator
‎2020-03-02 07:44 AM
In response to Maik

 "Domain objects for example require dns queries", this is one example. Also per business requirement all company assets should have the ability to be queried by there hostname. 

Similar to your environment i have 3 VS which separates my infrastructure domain. In essence there are three dns servers respectively.

 

0 Kudos
Tommy_Forrest
Advisor
‎2022-02-03 01:28 PM
In response to Enyi_Ajoku

Did anything ever come of this?

I have a use case where I need a VS to be completely isolated from the corporate network to support guest wireless.  This network is completely self contained and has dedicated DNS servers.

I need to either be able to have separate DNS servers per VS or the ability for a given VS to pipe DNS queries over a management plane to VS0 so it can do the DNS lookup work.

0 Kudos
Wolfgang
Authority
Authority
‎2022-02-03 01:40 PM
In response to Tommy_Forrest

@Tommy_Forrest @with R81 and up it‘s possible to configure DNS per VS

Configuring DNS Servers on a Virtual System  „set dns mode per-vs“

0 Kudos
Tommy_Forrest
Advisor
‎2022-02-03 01:52 PM
In response to Wolfgang

Hot diggite dog!  You just made my day.

 

Set it up and it's working.

 

For those playing along with the home game, enabling per-vs mode will wipe out the DNS configs in your other VSen so be sure to go back and reset them if you turn this on.

Henrik_Noerr1
Advisor
‎2022-06-09 05:08 AM
In response to Tommy_Forrest

Hey @Tommy_Forrest and others.

To be clear - what happens when I enable this feature?

Will each existing VS no longer have DNS servers set, until I define it locally on the VS?

If they copy over the 'old' global dns server - will that now be reached from the local interface on an existing VS? 

/Henrik 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events
    li.common.scroll-to.top