CPUG - The Check Point User Group: A Resource For The Check Point Community. Fast. Useful. Independent.
Hi all,

Our customer has a CP ISP redundancy installation running as follows:

- NGX R60A on SecurePlatform
- single GW, distributed environment
- DNS Proxy enabled
- 2 primary DNS servers for external DNS behind the FW

The whole config is not really well done and I wonder what/how to go further. What I try to find out is how to configure the DNS servers (not the CP DNS Proxy) for incoming DNS requests.

First of all, why do I need DNS servers apart from the CP DNS Proxy? CP interrupts the type A requests, sets down the TTL and gives the IP of the active ISP. In that case, I don't need a separate DNS server, or do I?? Do I have to define two IPs for www.example.com on each DNS server, or is it better to use one of them for ISP-1 and the other for ISP-2? And which IP do the DNS systems have? One an IP from ISP-1 and the other from ISP-2? Or is one DNS sufficient? As it seems, there are no sec. DNS on the ISP side configured.... it all looks really bad and I have never worked with CP ISP redundancy before. So I would be really pleased if anyone could tell me how to handle the whole DNS stuff. CP itself doesn't tell anything about the config on DNS servers.

Thanks

Last edited by camel; 2007-01-25 at 06:22. Reason: adding
Every domain is required to have two domain name servers that are the Start of Authority (SOA) for their domain. Please read the related IETF RFC documents at http://www.dns.net/dnsrd/rfc/ for more details; start with RFCs 1033 and 1035.

Check Point DNS Proxy will only intercept "A" record requests for your domain. You still need a DNS server to serve up MX, NS and perhaps a few CNAME records as well. Therefore, there must be a pair of DNS servers somewhere that act as the SOA for your domain.

I typically recommend that clients implementing ISP Redundancy have their ISP delegate a zone (e.g. zone.domain.tld) and use ISP Redundancy's DNS Proxy to answer "A" record DNS queries only for that {zone.domain.tld}. With Check Point's DNS Proxy you would create two "A" records for your various hosts {host1.zone.domain.tld ISP-A (1.1.1.1) and host1.zone.domain.tld ISP-B (2.2.2.2)}. In this way, the top level domain SOA can remain with your ISP, who probably has more experience with DNS and more robust DNS servers. Moving your entire domain name (domain.tld) to a pair of DNS (SOA) servers behind a single firewall is probably not the best design choice.

Regardless, you will still need to have a pair of DNS servers that act as the SOA for your domain or delegated zone. The difference is the impact on your top level domain, traffic traversing your Internet links and change management.

As far as instructions on how to implement DNS, check with your OS vendors (Redhat has some great links, so does Microsoft). Read the last Microsoft link below for a great overview of DNS.

http://en.wikipedia.org/wiki/Domain_name_system
http://www.redhat.com/docs/manuals/e...e/ch-bind.html
http://www.xenocafe.com/tutorials/dn...dhat-part1.php
http://www.samspublishing.com/librar...eqNum=129&rl=1
http://support.microsoft.com/kb/172953
http://www.microsoft.com/technet/pro...n/w2kdns2.mspx

__________________
Robert Meyeing, CISSP, CCMA 0017, CCSI, CCSE+NGX CCSE, CCSA, NCSA, NCSP
Sr Info Security Consultant
Intelligent Connections
Thanks Robert. Two DNS are essential, that's clear. In that case I will place a pri DNS at the customer's site (let's say with an IP from ISP-1) and a sec DNS at the ISP-2 site. If one ISP is offline, I just lose one DNS server.

Does Check Point also answer reverse lookups? It seems that I don't have to configure the "A" records on the DNS servers themselves, right?
No, if your IP space is non-portable from the ISP, your ISP is responsible for PTR records since they own the IP address space.

Yes, I would populate "A" records, NS records and MX records on the DNS servers. If Check Point DNS proxy fails, at least you have something to answer the DNS queries. It might not be load balanced, but DNS can do round robin if you give it two IPs for an "A" record, NS records will be load balanced due to the nature of DNS, and "MX" records can have a priority (preference) given to each record.

__________________
Robert Meyeing, CISSP, CCMA 0017, CCSI, CCSE+NGX CCSE, CCSA, NCSA, NCSP
Sr Info Security Consultant
Intelligent Connections
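The division of labour Robert describes in his two replies (the proxy intercepts only "A" queries for the delegated zone and answers with the address of a live ISP link at a short TTL; the pair of authoritative servers holds NS, MX, CNAME and the same "A" records as a round-robin fallback) is easier to reason about with a small simulation. The following is an added example, not Check Point code and not from the thread: the zone data, the ISP names, the 30-second proxy TTL and the internal name host1.corp.internal are all constructed assumptions.

```python
from dataclasses import dataclass, field

PROXY_TTL = 30  # short TTL the proxy hands out so a link failover takes effect quickly (assumed value)

# Records the gateway's DNS proxy answers for: type A only, one address per ISP link.
PROXY_A = {
    "host1.zone.domain.tld": {"ISP-A": "1.1.1.1", "ISP-B": "2.2.2.2"},
    "mail.zone.domain.tld": {"ISP-A": "1.1.1.1", "ISP-B": "2.2.2.2"},
}

# Records the pair of authoritative (SOA) servers hold for the delegated zone:
# everything the proxy does not answer, plus the same A records as a fallback.
AUTH_ZONE = {
    ("zone.domain.tld", "NS"): [(86400, "ns1.zone.domain.tld."), (86400, "ns2.zone.domain.tld.")],
    ("zone.domain.tld", "MX"): [(3600, "10 mail.zone.domain.tld."), (3600, "20 mail.zone.domain.tld.")],
    ("host1.zone.domain.tld", "A"): [(3600, "1.1.1.1"), (3600, "2.2.2.2")],
    ("mail.zone.domain.tld", "A"): [(3600, "1.1.1.1"), (3600, "2.2.2.2")],
    ("www.zone.domain.tld", "CNAME"): [(3600, "host1.zone.domain.tld.")],
    # Constructed internal name in a separate domain: the proxy never touches it.
    ("host1.corp.internal", "A"): [(3600, "10.1.1.5")],
}


@dataclass
class DnsPath:
    """A client's view of DNS through the gateway: proxy first, authoritative servers otherwise."""
    isp_up: dict                                # link state per ISP, e.g. {"ISP-A": True, "ISP-B": False}
    proxy_up: bool = True                       # whether the gateway's DNS proxy is answering at all
    _rr: dict = field(default_factory=dict)     # per-RRset round-robin counters

    def resolve(self, name, rtype):
        """Return the list of (ttl, rdata) tuples the client would receive."""
        name, rtype = name.lower().rstrip("."), rtype.upper()
        if self.proxy_up and rtype == "A" and name in PROXY_A:
            # Proxy path: only addresses on links that are currently up, short TTL.
            live = [(PROXY_TTL, addr) for isp, addr in PROXY_A[name].items() if self.isp_up.get(isp)]
            if live:
                return self._round_robin(("proxy", name), live)
            # Every link down: fall through to the authoritative data, which is link-unaware.
        return self.authoritative(name, rtype)

    def authoritative(self, name, rtype):
        """Ordinary DNS: no link awareness, long TTLs, round-robin over multi-record sets."""
        rrset = AUTH_ZONE.get((name, rtype), [])
        return self._round_robin((name, rtype), rrset)

    def _round_robin(self, key, rrset):
        """Rotate the record order on each query, as a DNS server does for multiple A records."""
        if len(rrset) < 2:
            return list(rrset)
        start = self._rr.get(key, 0) % len(rrset)
        self._rr[key] = start + 1
        return rrset[start:] + rrset[:start]


if __name__ == "__main__":
    path = DnsPath(isp_up={"ISP-A": True, "ISP-B": False})
    for q in [("host1.zone.domain.tld", "A"), ("zone.domain.tld", "MX"), ("zone.domain.tld", "NS")]:
        print(q, "->", path.resolve(*q))
    fallback = DnsPath(isp_up={"ISP-A": True, "ISP-B": True}, proxy_up=False)
    print("proxy down, query 1 ->", fallback.resolve("host1.zone.domain.tld", "A"))
    print("proxy down, query 2 ->", fallback.resolve("host1.zone.domain.tld", "A"))
```

Two things the simulation makes visible that the prose only implies: with the proxy down, clients still get both addresses from the authoritative servers, but with a long TTL and no knowledge of which link is dead, so half the answers point at an unreachable address until the record is changed; and the proxy intercepts any "A" query for a name in its zone regardless of who is asking, so hosts that must resolve to private addresses for internal or VPN users need a domain the proxy does not handle (the host1.corp.internal entry in the constructed data).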
I have a similar question, but this time with regards to Secure Clients connecting. When a SecureClient user tries to make an encrypted DNS call to a DNS server on the LAN, the GW is intercepting the A record query and returning its DNS proxy address (which will not work for the remote user, as it's configured to return an externally routable address).

If you do a set q=all on the client and run the query again, it correctly returns the internal address required as "Internet address - 10.x.x.x" (I assume this is because the gateway is not seeing it as just an A record query).

I have disabled the option on the ISP redundancy page to "apply settings to vpn traffic", but to no avail.

Many thanks.
Daniel,

This will happen if your external DNS is the same as your internal DNS domain.

Bob

__________________
Robert Meyeing, CISSP, CCMA 0017, CCSI, CCSE+NGX CCSE, CCSA, NCSA, NCSP
Sr Info Security Consultant
Intelligent Connections
Hi rhmeyering,

I'm not sure I've got this right in my head?? Maybe I'm wrong, but I thought: if the remote clients use the local DNS server for name resolution, which on this DNS box has the A record pointing to the 10.*.*.* address, not resolving to a public address, should this not be enough for when remote clients connect?

Cheers,
Dan