This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
timothyjwitt
Explorer
‎2023-12-19 01:26 PM

Excessive DNS Queries from Gateways

Hello,
We started to see an excessive amount of DNS queries coming from our gateways seemingly looking up FQDN objects.  This started 12/17/2023 at 1am and we see it on multiple gateways at multiple sites with different DNS servers in Gaia config.
When I say excessive, one site 'normal' operation prior to the issue had 92k (10MB) dns queries from the gateway per hour and after this past Sunday it's at 17Million (1.8GB) per hour.
No changes to the environments since 12/14/2023, we are currently in a code freeze.
We are on R81.10 JHF 95.
We have ~580 FQDN objects in policies.
Policy install didn't fix, nor did failover but a reboot seems to have resolved it.
Wondering if anyone else has seen anything strange like this.
TAC has been engaged.
Thanks,
Tim

0 Kudos
6 Replies
PhoneBoy
Admin
Admin
‎2023-12-19 06:08 PM

The DNS cache is limited to 25000 entries.
With that many FQDN objects, it's possible you're exceeding this limit and you may need to adjust it: https://support.checkpoint.com/results/sk/sk157493
Otherwise, I suggest involving the TAC.

0 Kudos
timothyjwitt
Explorer
‎2023-12-20 07:40 AM
In response to PhoneBoy

The fw tab -t dns_reverse_cache_tbl command output is completely different on my GW's but if I'm reading that correctly the size (limit) is 28672 and the number of entries is 4114.  However, the limit in table.def is set at 25000.
-------- dns_reverse_cache_tbl --------
htab_bl, id 35, size 28672, attributes: expire, no links, #vals 4114 #slinks 0

I'm stuck on this occurring across our GW fleet at a specific date and time, seems like some sort of automatic update?
I've got a case open with TAC.

0 Kudos
PhoneBoy
Admin
Admin
‎2023-12-20 08:18 AM
In response to timothyjwitt

If you've hit the high water mark of 25,000, I believe it will show in the output of fw tab -t dns_reverse_cache_tbl -s.
That would at least tell us if my theory is correct.

0 Kudos
timothyjwitt
Explorer
‎2023-12-20 08:23 AM
In response to PhoneBoy

Looks like peak was 12725
fw tab -t dns_reverse_cache_tbl -s
HOST NAME ID #VALS #PEAK #SLINKS
localhost dns_reverse_cache_tbl 38 12725 0 0

0 Kudos
timothyjwitt
Explorer
‎2023-12-20 09:01 AM
In response to timothyjwitt

What appears to be happening is that every time an FQDN rule gets hit, the gateway is looking up the IP rather than using DNS cache.

0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2023-12-20 09:45 AM
In response to timothyjwitt

You could try below

https://support.checkpoint.com/results/sk/sk32224

Andy

Best,
Andy
0 Kudos
(1)

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events