This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Lockout888
Explorer
‎2019-10-20 12:55 PM
Jump to solution

Redirecting DNS

Running R80.30 for home use, and I want to force my kids devices to use OpenDNS Family Shield DNS Servers, while allowing other devices to use regular DNS Servers.

I was able to do this with DD-WRT via MAC address by using these commands. Even if the DNS Servers were changed on the device manually, they were forced to use Family Shield.

iptables -t nat -I PREROUTING -i br0 -m mac --mac-source ##:##:##:##:##:## -p udp --dport 53 -j DNAT --to 208.67.222.123
iptables -t nat -I PREROUTING -i br0 -m mac --mac-source ##:##:##:##:##:## -p tcp --dport 53 -j DNAT --to 208.67.222.123

How do I accomplish this in GAIA?

 

0 Kudos
1 Solution

Accepted Solutions
PhoneBoy
Admin
Admin
‎2019-11-05 05:58 AM
In response to cezar_varlan1
Jump to solution

It seems to me the correct approach is to block DNS to all servers but the ones you want to allow in the Access Policy.
The one(s) allowed would be provided by DHCP.

Destination NAT must be a 1 to 1 mapping (i.e. you cannot map multiple destinations to a single one using a single rule).
If you have clients that MUST use a specific DNS server that's not a preferred one, you could create a specific NAT rule that routes the request to your preferred destination.
Something like:

Original Source: Client IP range
Original Destination: 8.8.8.8
Original Service: DNS
Translated Source: Gateway (Hide)
Translated Destination: x.y.z.w
Translated Service: Original

View solution in original post

13 Replies
PhoneBoy
Admin
Admin
‎2019-10-22 02:23 PM
Jump to solution

You cannot write rules in terms of a MAC address in the Check Point security policy.
You can do it by IP and create NAT rules, however, with similar effect.
0 Kudos
Maarten_Sjouw
Champion
Champion
‎2019-10-23 02:01 AM
Jump to solution

Make sure in your DHCP the kids always get the same IP, then setup an NAT rule with service DNS and their source IP's (in a group) and in the translated add the correct destination DNS server IP.
In the original destination you can test to see if any is allowed, otherwise create a group with known 'Open' DNS servers like 1.1.1.1 Cloudflare, 8.8.8.8 Google, 208.67.220.220 OpenDNS and your providers' DNS servers.
Regards, Maarten
0 Kudos
Lockout888
Explorer
‎2019-10-27 12:44 PM
In response to Maarten_Sjouw
Jump to solution

I have Original Source = IP Address Range.  Original Service = DNS. Original Destination will not allow Any.

When I create a Group for Original Destination and add some common DNS Servers to it, I get this error:

- NAT Rule 9: You cannot use the Network Group (DNS_Common) as the Original Destination.
The Network Group is only valid if the value of the matching translated column is 'Original'.
- Policy verification failed.
--------------------------------------------------------------------------------

0 Kudos
cezar_varlan1
Collaborator
‎2019-11-05 05:30 AM
In response to Lockout888
Jump to solution

I have a similar case where some LAN computers have the CKP GW address as DNS. As this one is GAIA, and not GAIA Embedded, it does not support DNS forwarding. I have tried a NAT rule and it does not work properly.

Any ideas on how to approach this subject raised by the original poster?

It looks like bind-like is basic functionality yet it is missing in CKP. The previous firewall was pfSense and we replaced that. Now we have noticed we have some missing functionality - and yes we can just reconfigure all clients to use proper DNS but that is not the point. The point is rather to force unruly or rogue clients (maybe on wifi) to use a filtered or specific DNS and not whatever they like DNS
0 Kudos
PhoneBoy
Admin
Admin
‎2019-11-05 05:58 AM
In response to cezar_varlan1
Jump to solution

It seems to me the correct approach is to block DNS to all servers but the ones you want to allow in the Access Policy.
The one(s) allowed would be provided by DHCP.

Destination NAT must be a 1 to 1 mapping (i.e. you cannot map multiple destinations to a single one using a single rule).
If you have clients that MUST use a specific DNS server that's not a preferred one, you could create a specific NAT rule that routes the request to your preferred destination.
Something like:

Original Source: Client IP range
Original Destination: 8.8.8.8
Original Service: DNS
Translated Source: Gateway (Hide)
Translated Destination: x.y.z.w
Translated Service: Original
John_Tomasetti
Contributor
‎2020-01-21 02:09 PM
In response to PhoneBoy
Jump to solution

Yep. I have the same requirement.

RFE ID: WZD-515-34316

 

0 Kudos
MariuszT
Explorer
‎2024-08-13 12:56 AM
In response to John_Tomasetti
Jump to solution

Hi,

I know that this topic is old, but... have anything changed in that matter? It would be nice to create only one NAT rule with source *any and prefered DNS server as destination, and not separate rules for each host.

Greetings,

Mariusz

0 Kudos
PhoneBoy
Admin
Admin
‎2024-08-13 07:41 AM
In response to MariuszT
Jump to solution

As far as I know, nothing has changed.
However, the above rule might work better like this:

Original Source: All_Internet
Original Destination: All_Internet
Original Service: DNS
Translated Source: Gateway (Hide)
Translated Destination: x.y.z.w
Translated Service: Original

This should translate any DNS packet traversing your gateway to your preferred DNS server hidden behind the gateway's external IP.
Whether this actually works is a separate question.

dnsmasq is also available, which appears to be enabled in R82 and possible to enable in other releases
This could be configured as a forwarding DNS server.

0 Kudos
MariuszT
Explorer
‎2024-08-13 09:10 PM
In response to PhoneBoy
Jump to solution

The rule you provided is not accepted during policy installation. The error is the same if in source is used *any/network/group object. It is only allowed to put host object in source field.

 

image.png

0 Kudos
PhoneBoy
Admin
Admin
‎2024-08-14 05:47 AM
In response to MariuszT
Jump to solution

You did not create the rule as I described.
The Translated Source must be changed to HIDE (not static as shown)
The Translated Destination must contain the specific DNS server you want to redirect requests to.

0 Kudos
MariuszT
Explorer
‎2024-08-14 07:33 AM
In response to PhoneBoy
Jump to solution

Hi, Thank you for the answer, but I'm not sure what do you mean... translated source (as on the picture in previous post) is in Hide mode (letter H on it). The translated destination is the DNS server in my LAB.

If this is wrong could you please share example how should it look like?

0 Kudos
PhoneBoy
Admin
Admin
‎2024-08-14 11:59 AM
In response to MariuszT
Jump to solution

Destination should probably be "any" instead of All_Internet...I believe that should resolve the validation issue.

0 Kudos
ClauberTeles
Explorer
‎2022-04-30 05:53 PM
In response to PhoneBoy
Jump to solution

Hey @PhoneBoy 
I know it's been a while since you posted this answer but I'm just replying to thank you. You're a lifesaver.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events