ISP redundancy and DNS records for Web Servers in DMZ
Hello all,
I have a question regarding ISP redundancy and DNS records for web servers behind my firewall.
Let's say I have an R80.30 ClusterXL cluster with one ISP. I have a reverse proxy in my DMZ which serves things like webmail and some web servers. Each service has a unique public IP which is resolvable via an A record for my domain from my externally configured DNS servers. DNS looks as follows:
mydomain.com. 1800 IN NS ns1.dnsprovider.com
mydomain.com. 1800 IN NS ns2.dnsprovider.com
webmail.mydomain.com 1800 IN A 1.1.1.1 (sorry cloudflare, this is just an example)
webserver.mydomain.com 1800 IN A 1.1.1.2 (see above)
If I add a second ISP, how can I make sure that, in case ISP 1 fails, my web services are still reachable? The documentation for ISP redundancy and DNS proxy is not clear to me.
Do I have to point my domain's name servers to the two public IP addresses of my firewalls now, so that the DNS proxy can resolve the correct external IP during failover (i.e. change ns1.dnsprovider.com to the public external IP of my firewall)?
What happens for non-A records? Do I have to configure the external DNS provider for the firewall to forward the traffic to?
Thanks for your help 😉
Tags: dns, isp redundancy
Accepted Solutions
The solution with "DNS proxy" for ISP redundancy only works if you host your DNS internally. Queries from external clients for your DNS names are intercepted by the gateway and answered with an IP specified for every ISP.
How this works can be found in "ISP Redundancy and DNS" of Advanced configuration options for ISP Redundancy.
We are using Azure Traffic Manager for this type of connection. Traffic Manager can do probing via ping, HTTPS or other methods to different destinations and then answers with an available destination.
Have a look at Cheap DNS Failover with Azure Traffic Manager.
Wolfgang
This is typically done in/with your public DNS service provider if you host your primary zone with them.
If you host it locally, you can script it yourself.
You configure service probing to change the A record when it fails on the first target.
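The "script it yourself" approach from the answer above, as an added example that is not from the thread or from Check Point: a monitoring loop probes the same DMZ service on each ISP-specific public IP, tolerates a few lost probes before declaring an ISP down, and emits the `nsupdate` commands that would rewrite the A record on a locally hosted zone. The addresses (1.1.1.1 for ISP 1, 2.2.2.1 for ISP 2), the zone/record names and the name server `ns1.mydomain.com` are constructed placeholders; the probe is injected as a function so the logic runs offline, with a real TLS probe included for production use.

```python
"""Probe-driven A-record failover for a service fronted by two ISP addresses.
Added example (not the thread's or Check Point's code). All names and IPs are
constructed placeholders."""
import socket
import ssl
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample: public IPs of the same service, in order of preference.
WEBMAIL_TARGETS: List[str] = ["1.1.1.1", "2.2.2.1"]  # ISP 1, ISP 2 (hypothetical)
FAIL_THRESHOLD = 3  # consecutive failed probes before an IP counts as down


def https_probe(ip: str, host: str = "webmail.mydomain.com", timeout: float = 3.0) -> bool:
    """Production probe: TLS-connect to the IP, send a HEAD, accept any HTTP reply.
    Validates the certificate against the real hostname, so a hijacked or
    misconfigured endpoint also counts as failed."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((ip, 443), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                tls.sendall(f"HEAD / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode())
                return tls.recv(16).startswith(b"HTTP/")
    except (OSError, ssl.SSLError):
        return False


def record_probe_results(failures: Dict[str, int], targets: List[str],
                         probe: Callable[[str], bool]) -> Dict[str, int]:
    """One probe round: a success resets the target's counter, a failure increments it."""
    for ip in targets:
        failures[ip] = 0 if probe(ip) else failures.get(ip, 0) + 1
    return failures


def choose_active(targets: List[str], failures: Dict[str, int],
                  threshold: int = FAIL_THRESHOLD) -> Optional[str]:
    """First target in preference order whose failure count is below the threshold."""
    for ip in targets:
        if failures.get(ip, 0) < threshold:
            return ip
    return None  # every ISP is down: caller keeps the current record


def nsupdate_script(server: str, zone: str, name: str, ttl: int, new_ip: str) -> str:
    """RFC 2136 dynamic update as an nsupdate(8) script: replace the A record."""
    return "\n".join([
        f"server {server}",
        f"zone {zone}.",
        f"update delete {name}. A",
        f"update add {name}. {ttl} A {new_ip}",
        "send",
        "",
    ])


def failover_cycle(state: dict, targets: List[str], probe: Callable[[str], bool], *,
                   server: str = "ns1.mydomain.com", zone: str = "mydomain.com",
                   name: str = "webmail.mydomain.com", ttl: int = 1800
                   ) -> Tuple[Optional[str], Optional[str]]:
    """Run one monitoring cycle. `state` carries 'failures' and 'active' between calls.
    Returns (active_ip, nsupdate text to apply or None when nothing changed)."""
    failures = record_probe_results(state.setdefault("failures", {}), targets, probe)
    wanted = choose_active(targets, failures)
    if wanted is None or wanted == state.get("active"):
        return state.get("active"), None
    state["active"] = wanted
    return wanted, nsupdate_script(server, zone, name, ttl, wanted)


if __name__ == "__main__":
    # Offline demo with a constructed probe: ISP 1 goes dark, then comes back.
    state: dict = {}
    rounds = [lambda ip: True] + [lambda ip: ip != "1.1.1.1"] * 3 + [lambda ip: True]
    for probe in rounds:
        active, script = failover_cycle(state, WEBMAIL_TARGETS, probe)
        print(active, "update pending" if script else "no change")
```

In production the script text would be piped to `nsupdate -k <tsig-key-file>` against the authoritative server; fail-over waits for FAIL_THRESHOLD consecutive misses so one dropped probe does not flap the record, while fail-back to the preferred ISP is immediate once it answers again. Resolvers keep the old answer until the record's TTL (1800 s in the poster's zone) expires, so the TTL bounds how quickly clients follow the change.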
Hello together,
I have known the DNS Proxy feature for a long time, and it really does what it is expected to do ... so far so good.
But now I have a different use case:
When VPN tunnels, or even VPN clients, connect over the external interfaces and DNS Proxy is enabled, all DNS requests are answered by the firewall, as they should be ...
But in many cases I want the VPN clients to get a response from the internal DNS ... so a split DNS behaviour ...
But I am failing to achieve this ...
When I configure split DNS it is not working ... with split DNS enabled, Check Point Mobile says the version is not compatible ... maybe that's a different story?
Question:
Is it possible to exclude IP ranges, VPN, or perhaps specific suffixes from DNS Proxy?
Or, if this is not possible at all:
Split DNS ... who got it to work?
Best regards,
Thomas.
