This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
ibondoni86
Explorer
‎2023-09-01 08:59 AM
Jump to solution

Domain based rules not working properly after gateway DNSs change

Hi all, hope you are doing fine! 

I´m having a problem using domain based rules (non FQDN) after I needed to change the DNS servers on my infrastructure. The problem is that client PC updated the DNS server to the same DNSs configured at the Gateway, so they should be getting the same IP information for the domains.

As we changed the DNSs to use a local DNS servers, some domain´s name resolution changed and are not the same than the previous configured DNSs at the gateway. 

The "domains_tool -d something.com" command output is still showing the previous resolved IPs, even when the gateway itself is resolving the new ones. As the client is using the same DNSs than the gateway the domain based rule is not matching the traffic as it has a different IP information for some domains than the client PC is trying to reach. 

I waited for more than 24 hrs now to see if there was some cached information, but the system seems to continue to use the older DNS server to retrieve the information showed at the domains_tool output and I assume, the information using for traffic matching. 

Does someone know a way to reload the whatever service is running to populate this table without rebooting the gateway or restarting all services?

An example of what can I see for anydesk.com domain. 

domains_tool output:

---------------------------------------------------------------------------------------------------
| Given Domain name: anydesk.com FQDN: no |
---------------------------------------------------------------------------------------------------
| IP address | sub-domain |
---------------------------------------------------------------------------------------------------
| 13.32.121.107 | no |
| 13.32.121.101 | no |
| 13.32.121.17 | no |
| 13.32.121.7 | no |
---------------------------------------------------------------------------------------------------
Total of 4 IP addresses found

Nslookup output from the gateway:

Non-authoritative answer:
Name: anydesk.com
Address: 99.84.208.102
Name: anydesk.com
Address: 99.84.208.32
Name: anydesk.com
Address: 99.84.208.12
Name: anydesk.com
Address: 99.84.208.48

Thanks in advance! 

0 Kudos
1 Solution

Accepted Solutions
ibondoni86
Explorer
‎2023-09-01 01:43 PM
In response to PhoneBoy
Jump to solution

Hi PhoneBoy, thanks much for your reply! 

I have found the answer to this like 5 minutes ago.

The answer seems to be on sk120633:

"Changes in Gaia DNS servers are implemented only after you run cpstop/cpstart or reboot the appliance. If not, the DNS servers that were configured at startup will continue to be used."

Also found some information about DNS passive learning, but I did not like that much on a security perspective, so I will go ahead and try to reboot services when possible. 

Thanks again! 

View solution in original post

0 Kudos
2 Replies
PhoneBoy
Admin
Admin
‎2023-09-01 01:28 PM
Jump to solution

Recommend debugging wsdnsd: https://support.checkpoint.com/results/sk/sk106443

 

0 Kudos
ibondoni86
Explorer
‎2023-09-01 01:43 PM
In response to PhoneBoy
Jump to solution

Hi PhoneBoy, thanks much for your reply! 

I have found the answer to this like 5 minutes ago.

The answer seems to be on sk120633:

"Changes in Gaia DNS servers are implemented only after you run cpstop/cpstart or reboot the appliance. If not, the DNS servers that were configured at startup will continue to be used."

Also found some information about DNS passive learning, but I did not like that much on a security perspective, so I will go ahead and try to reboot services when possible. 

Thanks again! 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events