Re: Domain resolving error. Check DNS configuratio...

barakh · ‎2020-06-14

hello

we started receiving the following alerts:

Domain resolving error. Check DNS configuration on the gateway (0)

I found only one sk about the topic sk120558 But it doesn't seem to be related to the issue.

we have cluster of Check Point 23500 appliance

the version is R80.30 jumbo take 155

we run nslookup from the gw and its look like fine

# nslookup google.co.il
Server: x.x.x.x
Address: x.x.x.x#53

we also run dig command from gateway

#dig google.com

; <<>> DiG 9.3.6-P1-RedHat-9.3.6-25.P1.11.cp993000013 <<>> google.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31783
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;google.com. IN A

;; ANSWER SECTION:
google.com. 26 IN A 172.217.171.238

;; Query time: 1 msec
;; SERVER: x.x.x.x#53(IPv4 address of dns server)
;; WHEN: Sun Jun 14 18:37:35 2020
;; MSG SIZE rcvd: 44

I would like for advice on what to do to stop receiving these alerts

_Val_ · ‎2020-06-15

You masked this too well. It is hard to see which layer is complaining. 🙂

Please clarify if:

1. you are using any of domain objects

2. using proxy on your GW

barakh · ‎2020-06-15

we are using updatable objects not domain objects

No proxy is used

johnnyringo · ‎2021-04-26

I just encountered this. We are using Domain objects, and they were working fine until last week, when I had to undo Management vs. Data Plane Separation in order to get syslogging working via the Mgmt interface.

The root cause was the Network Management -> Topology settings. It appears that whichever interface is being egressed to reach the DNS server must have "Leads to -> Network defined by Routes" in order to reach the DNS server at the data plane level.

When doing a ping, dig, or nslookup via CLI, the Topology settings are not applicable, which explains why those tests work.

aboo008 · ‎2021-04-29

I am having the same issue. A while back working with CP TAC they had asked me to do a get interfaces to resolve a separate issue but since that time onwards we had some wierd issues. I was told to update our version now 80.10 with latest Jumbo Fix.

Anyone found an exact fix to this problem. Top comment seems to be on point but don' understand what the solution was. Thanks for any help.

Daniel_Kavan · ‎2022-08-04

I am using a domain object actually, zoom.us on this gw and this is the only gw having this issue. I guess I'll just continue to ignore the error/alert, since we are using that object.

RE: Domain resolving error. Check DNS configuration on the gateway.

Version: R81.10 JHF55

Kaspars_Zibarts · ‎2022-08-04

One thing you should check is that GW can resolve DNS names using both UDP and TCP. Some larger DNS responses that cannot be pushed in single UDP packet will trigger fallback to TCP protocol. Depending on the FW setup TCP lookups might be dropped. And that will result in error above

Daniel_Kavan · ‎2022-08-07

Thanks for the reply. It is interesting.

nc -z -v 1.1.1.1 53 responds

nc -z -v -u 1.1.1.1 53 = no response.

Other systems can get to DNS (UDP) for some reason the firewall can't. I'm getting out, nothing coming back. Looking into it...

Kaspars_Zibarts · ‎2022-08-07

I would probably put little more effort into it and try actual packet capture for DNS lookups from gateway itself as error itself indicates that gateway is failing to get DNS responses for FQDN object lookups

Are you a member of CheckMates?

Domain resolving error. Check DNS configuration on the gateway (0)