CPUG - The Check Point User Group
A Resource For The Check Point Community. Fast. Useful. Independent.
Hey guys, so after setting up the ISP redun, it works great! Now I want to set up our internal email server (OWA feature) to be accessible from either line if one line goes down. Example: webmail.emailserver.com -> 1.1.1.1 (ISP 1, main line); if the line goes down I want it to point to 2.2.2.2 (ISP 2, backup line). In the CP FW topology -> ISP redun -> DNS Proxy I set it up just like that: webmail.emailserver.com = host name, 1.1.1.1 = main ISP, 2.2.2.2 = backup ISP, with a DNS TTL of 15 seconds? Now what is my next step? I have the DNS set up with my DNS servers externally, so it has an A record for webmail.emailserver.com -> 1.1.1.1. Do I just place a second A record to point to 2.2.2.2 also? I'm not a big DNS guru so I need some help.
If your DNS is held externally then the DNS Proxy on your gateway won't be used. Your DNS requests will not be sent to you but to your DNS hosting company. ISP Redundancy really does need to use an internally hosted DNS Server to work correctly as designed, so that it can use the DNS proxy. However, what you can do is create 2 A Records with different hostnames. You will then need to make your MX Record point at both A Records, with the ISP-1 IP address having a higher priority. This will ensure that if the ISP-1 line fails then mail will be sent to the secondary address. I am not aware that your DNS hosting company can tell if your line is down, so A records for other services will only have 1 IP address for them and so won't fail over. This is why Check Point say to host your own DNS Server, so that the requests for DNS lookups are sent through the firewall where the DNS Proxy can intercept A record lookups and pass on things like MX Records to the DNS Server. If the only service you have is Mail then it is not a problem, as you can use a lower priority for the second IP address in the MX Record. Hopefully this makes sense. Michael McNally.
Sorry, I forgot to mention that it's not mail being relayed or passed through. This is for OWA access only, for people to go in and get their mail. No MX records at all, only A records. We do have some PDAs that have ActiveSync, so this definitely has to work. All it will be doing is an HTTPS request. So now I have to set up the DNS on the FW, correct? <-- Is there a howto? What will be my next steps? Last edited by EBnycLuis; 2007-07-19 at 06:35.
Where is the DNS for your public domain held? Is it on a server at your office or is it with your Domain Registrar on their server? From your original statement I believe that your DNS Server is on your Domain Registrar's server. The DNS proxy on the firewall works by intercepting A Record DNS requests and responding with IP addresses configured in the DNS Proxy. It relies on having a proper DNS Server in your DNS that is responsible for resolving MX records or other non-A Record requests. If it is not an A record request then the DNS Proxy ignores the request and allows the request to move onwards to the actual DNS Server. Looking at your original post, you have already figured out how to configure the DNS Proxy. If the DNS is held at your Registrar on their DNS Servers then the requests will not be sent through the Firewall, so the DNS Proxy cannot respond as it does not see the request; these are all sent to the DNS Server at the Registrar. One possible workaround would be to create a DNS Server inside the DMZ and statically NAT this through both ISP ranges. Configure the device to use the ISP-1 DNS along with the ISP-2 DNS as a backup; then if ISP-1 is down it gets no response and so sends to the ISP-2 DNS address, and the request for the OWA server would be intercepted. If you had a forwarder on the DNS server pointing at an Internet DNS Server then it could look at the web as normal. This would be a workaround, however, and would require that whatever accesses the OWA server uses your DMZ-based DNS Server as its DNS Server, and I am not sure how practical that is to do for PCs, as they may not have permissions to do this. It will also require you to have a DNS Server in your DMZ. It would probably be just as easy to host your own DNS rather than have the Domain Registrar's Servers do it.
EBnycLuis, any progress on DNS proxy? I have the same scenario as you: OWA for users from the public Internet to access OWA webmail. I have a DNS for external usage hosted in my DMZ as the primary DNS server; the secondary DNS server is hosted on the ISP side. My vendor told me that I should change the DNS server setting to delegate the subdomain webmail.xxx.com to two of my FW's IP addresses, but my DNS runs on Unix, and I don't know how to configure DNS delegation in Unix. Also, I think in the DNS proxy setting's "configure", the host should be a host name like "mail.webmail.xxx.com", but the vendor said it should be the subdomain "webmail.xxx.com". Wish to get your feedback.
Do not think of the DNS proxy in Check Point as a DNS Server. It is not. The IP addresses that should be published to the world as where to resolve your domain name should be an IP address from each public range. These two addresses should then be NATted through to the DNS Server in the DMZ. I purchased a domain from 123-reg, and in their DNS Control Panel there is configuration where you tell them which DNS Servers will be primary/secondary etc. for your domain. They suggest that unless you are hosting your own DNS Server you leave it as their DNS Servers. In your case it would be the Public IP addresses that your DNS server is NATted to. You do not need to delegate any subdomain to the Firewall, as all it does is intercept the DNS request sent to your DNS Server. It will see if it is an A record and, if it is, will see if there is a matching record in the DNS Proxy; if there is a match then it responds with an IP address. For other DNS records like MX the request is ignored by the DNS Proxy, and is Address Translated and forwarded to the DNS Server. Your DNS Server will therefore still be responsible for all subdomains of mydomain.com. You would only delegate if it was a full DNS Server. The entry in the DNS proxy should match what you are going to have the users type in to access the OWA, i.e. if you want them to type owaserver.mydomain.com/folder_name then you would have an entry as owaserver.mydomain.com with an IP from each Public IP range. folder_name obviously depends upon the Exchange version, as it is different per Exchange Server version. As long as mydomain.com DNS lookups are sent through the Firewall with the DNS proxy then this should work.
Thanks mcnallym. What kind of DNS records should be used in the public DNS server? An A record like "owaserver.webmail.mydomain.com" x.x.x.x, or an NS record like "webmail.mydomain.com" x.x.x.x pointing to my FW's two IPs? Now I have an NS record for "webmail.mydomain.com", and when I nslookup "webmail.mydomain.com" it responds with the FW's IPs. But when I tried to ping "owaserver.webmail.mydomain.com" and "webmail.mydomain.com", it said "Ping request could not find the host".
I will try and spell this out real clear, as there seems to be some confusion here still. THE CHECK POINT FIREWALL IS NOT A DNS SERVER AND SHOULD NOT BE TREATED AS IF IT IS A DNS SERVER. You should configure your DMZ-based DNS Server as if the Check Point DNS Proxy is not there. The DMZ-based DNS Server will still need to be the authoritative DNS Server for your domain and subdomains. As such you will not need any NS Records in the public DNS Server, as it will be the authoritative DNS Server for your domain and any subdomains. What you configure in the DNS Proxy settings are the equivalent of A Records. The Check Point DNS Proxy will intercept the DNS lookups heading to your DMZ-based DNS Server, and if there is a matching entry then the DNS Proxy will respond. If there is no matching entry, or it is a non-A Record lookup, then the request is passed through to the DMZ DNS Server. As far as the Public DNS system is concerned the Firewall is not involved, and you should not send DNS requests to the Firewall.
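A small model of the decision logic mcnallym describes (an added example for this thread, not Check Point's code): A-record lookups for a configured host are answered on the gateway with the address of whichever line is up, and every other name or record type is passed untouched to the DMZ server, which stays authoritative. The hostnames, the 192.0.2.x address and the DMZ records are constructed sample values; 1.1.1.1 and 2.2.2.2 are the ISP addresses from the first post.

```python
from dataclasses import dataclass

@dataclass
class Query:
    name: str
    qtype: str            # "A", "MX", "NS", ...

@dataclass
class ProxyConfig:
    # hostname -> (ISP-1 address, ISP-2 address): the proxy's equivalent of A records
    hosts: dict
    ttl: int = 15         # short TTL so clients re-resolve soon after a line fails

@dataclass
class Links:
    isp1_up: bool = True
    isp2_up: bool = True

# Constructed zone data for the authoritative DNS server in the DMZ.
DMZ_DNS = {
    ("mydomain.com", "MX"): ["10 mail.mydomain.com"],
    ("mail.mydomain.com", "A"): ["192.0.2.25"],
}

def dmz_server(q: Query):
    """Whatever the proxy lets through is answered by the DMZ server itself."""
    return DMZ_DNS.get((q.name, q.qtype), [])

def dns_proxy(q: Query, cfg: ProxyConfig, links: Links, forward=dmz_server):
    """Return (answers, ttl, who_answered) for a query heading to the DMZ server.

    Only A-record lookups for hostnames listed in the proxy config are answered
    on the gateway; anything else is forwarded unchanged, so the DMZ server
    remains authoritative for the domain and its subdomains."""
    name = q.name.rstrip(".").lower()
    if q.qtype != "A" or name not in cfg.hosts:
        return (forward(Query(name, q.qtype)), None, "dmz-server")
    isp1_ip, isp2_ip = cfg.hosts[name]
    if links.isp1_up:                     # primary line healthy: hand out the ISP-1 address
        return ([isp1_ip], cfg.ttl, "dns-proxy")
    if links.isp2_up:                     # primary down: fail over to the ISP-2 address
        return ([isp2_ip], cfg.ttl, "dns-proxy")
    return ([isp1_ip, isp2_ip], cfg.ttl, "dns-proxy")   # both down: nothing better to offer

# The entry the first poster configured in the DNS Proxy (constructed config).
CFG = ProxyConfig(hosts={"webmail.mydomain.com": ("1.1.1.1", "2.2.2.2")})
```

Because the proxy only ever sees queries that are routed to the DMZ server through the gateway, a query answered by an ISP-hosted secondary never reaches this code path, which is the failure mode the thread keeps returning to.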
mcnallym, thanks. But in my scenario we have a primary DNS server in the DMZ and the secondary DNS is located at an ISP; the changes on the primary DNS are replicated to the secondary DNS server. So any Internet query for "mydomain.com" will be answered by the secondary DNS server. So this seems a bit different from your assumption; then what should be done in this scenario? This is really an interesting issue, and I seldom find people using this DNS proxy successfully in a scenario like mine. Wish to get your advice.
For the DNS Proxy to be used, the DNS requests MUST be sent through the firewall to a DNS Server that is hosted in your DMZ or Internal Network. If the Internet-based DNS Server is where the requests for your domain are sent then the Firewall will not see any DNS requests, and so the DNS Proxy will not be used. As such, if you cannot use your DMZ-based DNS Server as the server that all requests for your domain and subdomains are sent to, then the DNS Proxy settings in ISP Redundancy will not be used and you may as well turn them off.
You are looking at an external load balancer like an F5. I haven't used them myself, but when chatting with Nokia about this sort of thing they talk about F5 load balancers. IPSO 4.2 seems to have some settings regarding external load balancers; however, whether this works with the Nokia running Check Point I don't know. They aren't particularly cheap, but the alternative is some big complex BGP installation, which is possibly overkill for you. Check Point ISP Redundancy is a pretty basic system in my opinion, and is a good way of migrating ISPs I have found, but is really only suitable for the SMB market, who are unlikely to be running their own DNS Servers. From what I have seen of them, the Stonesoft Firewall's implementation is better, and the interface looks remarkably Check Point-like, as the developers are ex-Check Point.