This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Kosin_Usuwanthi
Collaborator
‎2019-01-02 07:40 PM

DNS flag day and DNS inspection

DNS flag day 

If there is a problem, the ednscomp tool displays an explanation for each failed test. Failures in these tests are typically caused by:

  • broken DNS software
  • broken firewall configuration

Firewalls must not drop DNS packets with EDNS extensions, including unknown extensions. 

How to prevent this impact on CheckPoint firewall ?

5 Replies
PhoneBoy
Admin
Admin
‎2019-01-02 08:20 PM

I ran this test from behind a Check Point gateway running IPS Optimized profile.

I also checked some other domains and got different results.

What specific results are you seeing?

0 Kudos
Kosin_Usuwanthi
Collaborator
‎2019-01-02 08:29 PM
In response to PhoneBoy

I have concern about firewall will drop reply packet more than 512 bytes.

0 Kudos
PhoneBoy
Admin
Admin
‎2019-01-02 09:42 PM
In response to Kosin_Usuwanthi

As I said, I used the aforementioned site thru a Check Point gateway configured with an IPS Optimized profile and did not see any errors/drops in the logs.

I also saw results that varied depending on the domain I was checking, so I assume these checks are not being blocked.

If you have evidence otherwise, please provide it (exact domains, screenshots of logs, etc).

To the question you asked about the size of DNS packets, there is an Inspection Setting (IPS in R77.30 and earlier) called DNS Maximum Request Length.

This is set to Inactive by default (at least in R80.20).

Kosin_Usuwanthi
Collaborator
‎2019-01-02 10:45 PM
In response to PhoneBoy

Thank you Dameon.

0 Kudos
Victor_MR
Employee Employee
Employee
‎2019-01-25 10:13 AM

As you correctly pointed, one of the reasons for this to fail is a DNS server not updated accordingly. This is surely the most probably reason.

But if I'm not wrong...

The second option you say is also possible. If you're using R77.30 prior JHFA 345 (or an earlier major version), a Security Gateway with IPS enabled and the protection "Non Compliant DNS" set to Prevent may drop the EDNS queries to/from a corporate DNS server. If the protection status is set to Detect or Inactive, then it would not drop it.

Note that, in R77.30, there are two predefined profiles and this protection is set to Prevent by default in the "Recommended Profile".

This does not happen with R80.10 gateways, whatever the status of the "Non Compliant DNS" protection is. So, in case you're using R77.30 and have this protection in Prevent, you should change it to Detect, or to upgrade the Security Gateway. More info about this last option in the sk112578.

So, please check before 1st February if your DNS servers and also your infraestructure is prepared for this change (there is a test option in the link you've sent, 2019 | DNS flag day )

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events