I'm Meital Natanson, R&D Group Manager at Check Point.
My group is the R&D responsible for Domain objects.
In order to improve non-FQDN domains matching and updatable objects matching, we introduced ‘DNS Passive Learning’ feature in R80.40 and R80.30 JHF T196 and above (sk161612).
This means that the GW “listens” to DNS traffic that pass through the GW which is destined to predefined DNS servers in order to learn non-FQDN domains and their IP resolving for better and accurate matching.
The feature is enabled only when DNS servers are properly configured on the GW and non-FQDN objects (or specific updatable objects) are used in the policy.
What you described above is because with this feature enabled, we keep the DNS resolved IP and its additional records for the queried domain.
This is the current behavior and we plan to publish a change in the upcoming weeks.
Meanwhile, you can disable the feature by either changing the policy by not using non-FQDN (if this is an option) or disabling it on the GW with the following commands:
- Create the $FWDIR/boot/modules/fwkern.conf file (if it does not already exit):
[Expert@HostName]# touch $FWDIR/boot/modules/fwkern.conf
- Edit the $FWDIR/boot/modules/fwkern.conf file in vi editor:
[Expert@HostName]# vi $FWDIR/boot/modules/fwkern.conf
- Add the following line (spaces and comments are not allowed):
- Save the changes and exit from Vi editor.
- Check the contents of the $FWDIR/boot/modules/fwkern.conf file:
[Expert@HostName]# cat $FWDIR/boot/modules/fwkern.conf
- Reboot the Security Gateway.
- Verify that the new value was set:
[Expert@HostName]# fw ctl get int dns_data_src_enabled
Do the same for the second member as well.