Hello all,
I have a question regarding ISP redundancy and DNS records for Web Servers behind my firewall.
Let's say I have an R80.30 ClusterXL with one ISP. I have a reverse proxy in my DMZ which services things like webmail and some web servers. Each service has a unique public IP which is resolvable via an A record for my domain from my externally configured DNS servers. DNS looks as follows:
mydomain.com. 1800 IN NS ns1.dnsprovider.com
mydomain.com. 1800 IN NS ns2.dnsprovider.com
webmail.mydomain.com 1800 IN A 1.1.1.1 (sorry cloudflare, this is just an example)
webserver.mydomain.com 1800 IN A 1.1.1.2 (see above)
If I add a second ISP, how can I make sure that in case of failure of ISP 1 my web-services are still reachable? The documentation for ISP redundancy and DNS proxy is not clear to me.
Do I have to point my domain's name servers to the two public IP addresses of my firewalls now, so that the DNS proxy can resolve the correct external IP during failover (i.e. change ns1.dnsprovider.com to the public external IP of my firewall)?
What happens for non-A-records? Do I have to configure the external DNS provider for the firewall to forward the traffic to?
Thanks for your help 😉
The solution with "DNS proxy" for ISP redundancy only works if you host your DNS internally. Queries from outside for your DNS names are intercepted by the gateway and answered with an IP specified for each ISP.
How this works is described in "ISP Redundancy and DNS" under Advanced configuration options for ISP Redundancy.
We are using Azure's Traffic Manager for this type of connection. Traffic Manager can probe different destinations via ping, HTTPS or other methods and then answers with an available destination.
Have a look at Cheap DNS Failover with Azure Traffic Manager
Wolfgang
This is typically done in/with your public DNS service provider if you host your primary zone with them.
If you host it locally, you can script it yourself.
You configure service probing to change the A record when it fails on the first target.
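The "script it yourself" variant from the answer above, and the probe-then-answer behaviour Wolfgang describes for Traffic Manager, come down to the same loop: probe each service behind each ISP, then publish the A record for the first address that still answers. The following is an added example, not code from the thread or from Check Point; the 1.1.1.x addresses are the question's placeholders, the 2.2.2.x addresses are assumed placeholders for the second ISP, and `https_probe`, `select_address` and `build_a_records` are names chosen for this illustration. The `__main__` run uses a constructed probe that simulates ISP 1 being down, so it runs offline; swap in `https_probe` for live checks.

```python
"""Probe-driven A-record selection for web services reachable via two ISPs."""
import socket
import ssl
from typing import Callable, Dict, List, Optional, Tuple

# Constructed data for this example. Each public name maps to its address
# behind each ISP in failover priority order: ISP 1 first, ISP 2 second.
# 1.1.1.x are the placeholders from the question; 2.2.2.x are assumed
# placeholders for the second ISP's address block.
SERVICE_TARGETS: Dict[str, List[str]] = {
    "webmail.mydomain.com": ["1.1.1.1", "2.2.2.1"],
    "webserver.mydomain.com": ["1.1.1.2", "2.2.2.2"],
}

Probe = Callable[[str, str], bool]  # (ip, hostname) -> healthy?


def https_probe(ip: str, host: str, timeout: float = 3.0) -> bool:
    """Live probe: TLS handshake to ip:443 with SNI and certificate validation
    for `host`. A bare ping only proves the ISP link is up; probing the real
    service also catches a dead reverse proxy behind a healthy link."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((ip, 443), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except (OSError, ssl.SSLError):
        return False


def select_address(host: str, targets: List[str], probe: Probe,
                   last_good: Optional[str] = None) -> str:
    """Return the first target that answers the probe, in priority order.
    If every target fails, keep the last published address rather than
    flapping between dead ones (falling back to the primary if none was
    published yet)."""
    for ip in targets:
        if probe(ip, host):
            return ip
    return last_good if last_good is not None else targets[0]


def build_a_records(targets_by_host: Dict[str, List[str]], probe: Probe,
                    ttl: int = 60,
                    published: Optional[Dict[str, str]] = None
                    ) -> Tuple[List[str], Dict[str, str]]:
    """Produce zone-file A lines for every service plus the updated map of
    currently published addresses. The TTL is deliberately short: resolvers
    keep the old answer until it expires, so the 1800 s TTL from the question
    would mean up to 30 minutes of outage after a failover."""
    published = dict(published or {})
    lines: List[str] = []
    for host, targets in targets_by_host.items():
        ip = select_address(host, targets, probe, published.get(host))
        published[host] = ip
        lines.append(f"{host}. {ttl} IN A {ip}")
    return lines, published


if __name__ == "__main__":
    # Constructed probe: everything behind ISP 1 (1.1.1.x) is unreachable.
    isp1_down: Probe = lambda ip, host: not ip.startswith("1.1.1.")
    for line in build_a_records(SERVICE_TARGETS, isp1_down)[0]:
        print(line)
    # Replace isp1_down with https_probe to run live checks.
```

Run it periodically on the host that serves your authoritative zone, write the returned lines into the zone, bump the serial and reload; persist the returned `published` map between runs so that an outage of both ISPs does not rewrite the records. Note that this only helps once the old record's TTL has expired at the resolvers, which is why the failover records use a short TTL rather than the 1800 s in the question.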
Hello all ...
I have known this DNS Proxy feature for a long time, and it really does what it is expected to do ... so far so good.
But now I have a different use case:
When VPN tunnels or even VPN clients connect over the external interfaces and DNS Proxy is enabled ... all DNS requests are answered by the firewall, as they should be ...
But in many cases I want the VPN clients to get a response from the internal DNS ... so a split DNS behaviour ...
But I am failing to achieve this ...
When I configure split DNS it's not working ... with split DNS enabled, Check Point Mobile says the version is not compatible ... maybe that's a different story?
Question:
Is it possible to exclude IP ranges, VPN, or perhaps special suffixes from DNS proxy???
Or is this not possible at all?
Split DNS ... who got it to work?
best regards
Thomas.