2013-11-20, 00:46
Here is my scenario and I would need your insights. Now I have R77 on a 4800 with ISP links. My main zone, let's say example.com, has its NS server located elsewhere. I need to load balance the mail services, that is users connecting to the mail server on port 110/143 for hostname mail.example.com. It does not look like I can move a complete NS record, hence I am planning to put a sub-domain mail.example.com on a BIND server which will be NATted with each of the ISP IPs.

Or, per the document, it seems Check Point can act as a DNS server, so can I have CP act as a DNS server for the sub-domain mail.example.com?
Configuring Security Gateway as DNS
The Security Gateway, or a DNS server behind it, must respond to DNS queries. It resolves IP addresses of servers in the DMZ (or another internal network).

I wanted to know if this scenario would work.

2013-11-20, 12:08
The DNS Proxy would resolve the name to an IP; however, you would need to ensure that the DNS server located in the DMZ handles the actual MX record lookup.

If you read through the DNS Proxy documentation completely, then all it can handle are simple hostname to IP address queries.

What the DNS Proxy effectively does is: you configure a DNS server and install it into the DMZ. This is then publicly available on both ISP lines.
You then point the authoritative DNS entry to the public IP of your DMZ-located DNS server(s).

DNS lookups for the domain are then sent through to the DNS server in your DMZ.

The DNS Proxy intercepts these DNS lookups and, if it has a host entry in the DNS Proxy, responds with the corresponding IP.
If there is no entry, or it is an MX lookup etc., then the DNS query is passed through to the DNS server to respond to.

As such, Check Point does NOT become a DNS server, but simply becomes a DNS Proxy that can intercept basic DNS requests; for handling mail lookups you would still need to have your.

If you are simply performing a DNS lookup for mail.sub-domain.domain.com as an A record lookup, then, provided that the DNS entry exists in the DNS Proxy, yes, it would respond with ISP-1 or ISP-2 addresses depending upon how you configure the ISP Redundancy, so it would balance the traffic across both ISP links to the same server.

In order for this to work, however, your NS needs to be pointing to your DMZ-located DNS server. If your NS for the domain is located elsewhere, then the DNS request goes off there and never reaches the Check Point, so it would fail.
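
The intercept-or-forward behaviour described in this reply, as an added illustration that is not part of the thread and not Check Point's own code: a minimal DNS question parser plus a proxy decision that answers A queries for names in its host table (alternating between the two ISP public IPs, which are constructed documentation-range addresses) and forwards everything else, such as MX lookups, to the DMZ DNS server.

```python
import struct
from itertools import cycle

QTYPE_A, QTYPE_MX = 1, 15  # RR type codes from RFC 1035

def build_query(name, qtype, txid=0x1234):
    """Build a minimal DNS query packet (constructed sample input, one question)."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, QDCOUNT=1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return header + qname + struct.pack(">HH", qtype, 1)  # QTYPE, QCLASS=IN

def parse_question(packet):
    """Return (lower-cased name, qtype) from the first question section."""
    pos, labels = 12, []  # question starts right after the 12-byte header
    while True:
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        labels.append(packet[pos:pos + length].decode().lower())
        pos += length
    qtype = struct.unpack(">H", packet[pos:pos + 2])[0]
    return ".".join(labels), qtype

class DnsProxy:
    """Hypothetical model of the ISP Redundancy DNS proxy decision."""

    def __init__(self, host_table):
        # host_table: hostname -> list of public IPs, one per ISP link;
        # a round-robin cycle per name spreads answers across the links.
        self._rr = {name.lower(): cycle(ips) for name, ips in host_table.items()}

    def handle(self, packet):
        name, qtype = parse_question(packet)
        if qtype == QTYPE_A and name in self._rr:
            return ("answer", next(self._rr[name]))   # answered by the proxy
        return ("forward", None)                      # MX etc. go to the DMZ DNS
```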

2013-11-20, 23:04
I got it. So in short, CP cannot act as a DNS server; rather it would act as a DNS proxy server and will respond on behalf of the DNS server or NS server placed behind it.

2013-11-21, 03:32
That is correct, you still need to have your DNS server to handle the DNS requests that the DNS Proxy cannot handle, i.e. anything other than a simple A record lookup.