CPUG

The Check Point User Group

A Resource For The Check Point Community.  Fast.  Useful.  Independent.
#1  mfavinsk (Junior Member), 2006-10-27
SD Blocking DNS TKEY

I have some Windows servers trying to register their DNS A records with a Windows DNS server and SD is rejecting these attempts with a "DNS data is too long" error. I did some Ethernet sniffing and it looks like TKEY queries are being blocked.

I'm running R61, and according to Check Point they've supported TKEY since R60 HFA 01. But the error R60 HFA 01 fixed was an invalid RR type, not a data length issue.

Has anyone else seen this and know any workarounds?
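As an added example (not code from the thread or from Check Point), the following Python script inspects a DNS-over-TCP message as it would appear in a capture like the one described above: it checks that the two-byte length prefix (RFC 1035 section 4.2.2) agrees with the message actually sent, and reports whether the question type is TKEY (RR type 249, RFC 2930). The `build_tkey_query` helper and the name it is given are constructed test input only; a real Windows TKEY query also carries a TKEY record in the additional section, which this checker does not parse.

```python
import struct

# RR TYPE number for TKEY from RFC 2930; constant assumed here, not taken from the thread
TYPE_TKEY = 249

def parse_name(msg, off):
    """Decode an uncompressed DNS name at msg[off:]; return (name, next_offset)."""
    labels = []
    while True:
        length = msg[off]
        off += 1
        if length == 0:
            break
        if length & 0xC0:  # compression pointers are not handled in this question-only checker
            raise ValueError("compressed name in question section")
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) or ".", off

def inspect_tcp_dns(stream):
    """Check one DNS-over-TCP message (two-byte length prefix followed by the DNS message).
    Returns framing consistency plus the parsed question types, so a capture can be checked."""
    if len(stream) < 2:
        return {"error": "no length prefix"}
    declared = struct.unpack("!H", stream[:2])[0]
    body = stream[2:]
    result = {"declared_len": declared, "actual_len": len(body),
              "length_matches": declared == len(body), "questions": [], "is_tkey": False}
    if len(body) < 12:
        result["error"] = "truncated header"
        return result
    qdcount = struct.unpack("!6H", body[:12])[2]  # ID, flags, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
    off = 12
    try:
        for _ in range(qdcount):
            name, off = parse_name(body, off)
            qtype, _qclass = struct.unpack("!HH", body[off:off + 4])
            off += 4
            result["questions"].append((name, qtype))
    except (IndexError, struct.error, ValueError) as exc:
        result["error"] = "malformed question section: %s" % exc
    result["is_tkey"] = any(t == TYPE_TKEY for _, t in result["questions"])
    return result

def build_tkey_query(name, ident=0x1234):
    """Construct (test input only) a minimal TKEY query: header, one question, TCP length prefix."""
    labels = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.strip(".").split("."))
    body = struct.pack("!6H", ident, 0, 1, 0, 0, 0) + labels + b"\x00" + struct.pack("!HH", TYPE_TKEY, 1)
    return struct.pack("!H", len(body)) + body
```

Feed `inspect_tcp_dns` the TCP payload of a single DNS segment from a capture; a `length_matches` of False or an `error` entry points at the framing rather than at the enforcement setting.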
#2  RayPesek (Senior Member, Northern Ohio), 2006-10-27
Re: SD Blocking DNS TKEY

R61 HFA01 was made available for download yesterday. Seems to me there was something in the release notes about DNS, but I don't remember what right now.

Ray
#3  mfavinsk (Junior Member), 2006-10-27
Re: SD Blocking DNS TKEY

It does, but it's for a TSIG query, and the error message is "illegal RR", not the size message I'm seeing.
#4  RayPesek (Senior Member, Northern Ohio), 2006-10-28
Re: SD Blocking DNS TKEY

This article, sk31051, titled "Enabling DNS TCP protocol enforcement", mentions a kernel parameter that can be changed to disable this check. It specifically mentions your "DNS data is too long" error message, although it pertains to zone transfers. You might want to try its suggested fix. Or maybe there's a way to turn off DNS TCP checks in the GUI?

Since Check Point doesn't make its KB available without an appropriate subscription, I don't think it would be permissible to put the contents of the article here.

I'd open a case with Check Point as well.

Take care,

Ray
#5  mfavinsk (Junior Member), 2006-10-31
Re: SD Blocking DNS TKEY

I actually read this article as well...

The way I understood it, it only applies to traffic between "Defined DNS servers" whereas the problem I'm seeing is between a DNS server and a lot of Windows clients.

I worked around this by turning off DNS "TCP protocol enforcement" in the GUI.

I just find it hard to believe that I'm the only person having this problem.
#6  Hitman (Member, Montreal QC Canada), 2007-06-04
Re: SD Blocking DNS TKEY

Hi,

I have the same problem: "DNS data is too long" between Windows servers and the Windows DNS server (only for the domain-tcp service).

But I unchecked "TCP protocol enforcement" in the SmartDefense DNS section and still have the error "DNS data is too long". Then I unchecked "UDP protocol enforcement" too (just in case) but still have the error.

I have SmartDefense version 591070510.

Thanks in advance