CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.


Thread: How do I configure DNS Proxy on CP without moving NS record?

  #1 (blason)

    Hi Fellas,

    Per the administration guide, CP says: "The Security Gateway, or a DNS server behind it, must respond to DNS queries and resolve IP addresses
    that belong to publicly accessible servers in the DMZ (or another internal network). It is not necessary to
    have an actual DNS server because the Security Gateway can be configured to intercept the DNS queries."

    Now what exactly do they mean by "not necessary to have an actual DNS server, but the gateway can be configured to intercept the DNS queries"? Does that mean I need to move or change the NS record for those hosts and point it to CP's public IPs? I am wondering how the gateway can intercept DNS queries unless the NS record is moved to the gateway.

  #2

    Under ISP Redundancy there is a feature called DNS Proxy.

    What this allows you to do is configure your public host names for regular host lookup, within the SmartDashboard.
    However, and this is the big if, the DNS Proxy does not support ALL types of lookups; MX records being a good one that it does not support.

    The way it works is that you configure the NS for the domain as being part of your public IP block, and then NAT that IP through to a real DNS server that hosts your public domain. If you don't, then your mail doesn't work unless your mail uses a different domain from your other public services.

    If your NS isn't part of your public IP block but your domain is hosted outside, then the DNS lookups never arrive at your gateway, so it is a waste of time configuring the DNS Proxy.

    What happens then is that a client looking to connect to a public resource requests a lookup and the request is forwarded to your NS IP. The traffic then arrives at the Check Point box as that is the route to the IP of the DNS server. The DNS Proxy recognises it is a DNS lookup, intercepts the lookup request and responds with one of the two IPs that you configure for the public service. If there is no entry in the DNS Proxy, or it is an MX record lookup, then the DNS Proxy is not used and the DNS request is passed on through the firewall to your DNS server.

    Personally I regard the ISP Redundancy feature on Check Point as a "tick box": it's there, but, like ConnectControl, would you use it in a real environment, or would you go and get a real solution?

  #3 (blason)

    So per you this is what happens. Let's say my domain is example.com with NS ns1.thirdparty.com, and a web server hosted behind my Check Point gateway with IPs, say, 1.1.1.1 & 2.2.2.2, NATed to 172.16.3.10.

    I am accessing the example domain, so:
    1. I'll query ns.thirdparty.com, which will then return the A records of the example domain, i.e. 1.1.1.1 and 2.2.2.2.
    2. The browser will then try to connect to the first IP and the packet is received on ISP 1, which is 1.1.1.2; since it's an A query it gets intercepted and the appropriate IP gets returned.

    Am I right?

  #4

    Quote, originally posted by blason:
        So per you this is what happens. Let's say my domain is example.com with NS ns1.thirdparty.com, and a web server hosted behind my Check Point gateway with IPs, say, 1.1.1.1 & 2.2.2.2, NATed to 172.16.3.10.

        I am accessing the example domain, so:
        1. I'll query ns.thirdparty.com, which will then return the A records of the example domain, i.e. 1.1.1.1 and 2.2.2.2.
        2. The browser will then try to connect to the first IP and the packet is received on ISP 1, which is 1.1.1.2; since it's an A query it gets intercepted and the appropriate IP gets returned.

        Am I right?

    No. If you are using ns.thirdparty.com as the DNS to host the records for yourdomain.com, then this is what will happen.

    1.) Attempt to access www.yourdomain.com.
    2.) DNS performs a lookup, which will be answered by ns.thirdparty.com; depending upon how that is set up it will respond with an IP address. For argument's sake let us say it is set to respond in a round-robin manner for 1.1.1.2 and 2.2.2.2, i.e. the first query gets 1.1.1.2, the second query gets 2.2.2.2. It hasn't gone anywhere near your Check Point gateway.
    3.) The browser will attempt to access the IP address that it receives; let us say that it gets 1.1.1.2.
    4.) Traffic is routed down the ISP-1 link to the firewall, where the firewall will NAT 1.1.1.2 through to the 172.16.3.10 server in the DMZ as normal.
    5.) The browser gets the web page displayed as normal.

    As the client has already done the DNS lookup before sending the traffic to the web server, there is no DNS query at the firewall for it to intercept.

    If you are using an external third-party DNS server to host your public domain, then DNS Proxy on ISP Redundancy is of no use to you, as the DNS queries never come to the firewall. It is only if you host the public domain at ns.yourdomain.com and locate the DNS server behind your firewall that the DNS Proxy gets involved.
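The decision path described in #2 and #4 (queries only reach the gateway when the zone's NS address sits in the public block routed through it; A lookups for configured hosts are answered by the proxy, everything else is NATed through to the real DNS server), as an added simulation. This is not Check Point's code and not from this thread: it builds and parses a minimal DNS question itself, uses documentation prefixes (203.0.113.0/24 for the ISP-1 block, 198.51.100.0/24 for ISP-2, 192.0.2.53 for a third-party NS) in place of the 1.1.1.x/2.2.2.2 addresses used above, and the way it picks between the two configured addresses (skip a link marked down, otherwise alternate) is an assumption of the simulation, not documented proxy behaviour.

```python
import ipaddress
import struct

# DNS record type codes (RFC 1035).
QTYPE_A = 1
QTYPE_MX = 15


def build_query(qname, qtype, txid=0x1234):
    """Build a minimal one-question DNS query (constructed sample input, not captured traffic)."""
    labels = b"".join(
        bytes([len(part)]) + part.encode("ascii") for part in qname.rstrip(".").split(".")
    )
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, QDCOUNT=1
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)  # QCLASS IN


def parse_question(packet):
    """Return (txid, qname, qtype) from the first question section of a DNS packet."""
    txid, _flags, qdcount = struct.unpack("!HHH", packet[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    pos, labels = 12, []
    while True:
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:  # compression pointer: never valid for the first name in a packet
            raise ValueError("unexpected compression pointer in question")
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    qtype, _qclass = struct.unpack("!HH", packet[pos:pos + 4])
    return txid, ".".join(labels).lower(), qtype


class DnsProxySim:
    """Simulates what the gateway does with a query addressed to the zone's NS IP.

    hosts maps a public FQDN to (ISP-1 address, ISP-2 address), mirroring the two
    addresses configured per host in the DNS Proxy table. Choosing between the two
    (skip a link marked down, otherwise alternate) is an assumption of this simulation.
    """

    def __init__(self, public_block, ns_ip, real_dns_server, hosts, isp_up):
        self.public_block = ipaddress.ip_network(public_block)
        self.ns_ip = ipaddress.ip_address(ns_ip)
        self.real_dns_server = real_dns_server
        self.hosts = {name.lower().rstrip("."): ips for name, ips in hosts.items()}
        self.isp_up = dict(isp_up)
        self._turn = 0

    def query_reaches_gateway(self):
        # Only a query sent to an NS address routed through the gateway can be seen by it.
        return self.ns_ip in self.public_block

    def handle(self, packet):
        if not self.query_reaches_gateway():
            return ("not_seen", None)  # answered by the third-party NS; the gateway never sees it
        _txid, qname, qtype = parse_question(packet)
        if qtype == QTYPE_A and qname in self.hosts:
            isp1_ip, isp2_ip = self.hosts[qname]
            live = [ip for ip, link in ((isp1_ip, "ISP-1"), (isp2_ip, "ISP-2")) if self.isp_up[link]]
            if live:
                answer = live[self._turn % len(live)]
                self._turn += 1
                return ("intercept", answer)
        # Anything else (MX, names not in the table, both links down) is NATed through to the real server.
        return ("forward", self.real_dns_server)


if __name__ == "__main__":
    sim = DnsProxySim(
        public_block="203.0.113.0/24",
        ns_ip="203.0.113.53",
        real_dns_server="172.16.3.53",
        hosts={"www.example.com": ("203.0.113.10", "198.51.100.10")},
        isp_up={"ISP-1": True, "ISP-2": True},
    )
    for qtype in (QTYPE_A, QTYPE_A, QTYPE_MX):
        print(qtype, sim.handle(build_query("www.example.com", qtype)))
```

The precondition in `query_reaches_gateway` is the check to make before enabling the feature: look up the NS records for the zone (for example with `dig +short NS example.com` and then the A records of those names) and confirm the addresses fall inside the block that routes to the gateway. If they don't, every A query is answered upstream and the proxy table never fires, which is exactly the situation #4 describes.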

  #5 (blason)

    Absolutely, this is what I wanted to know, and it is imperative to host the DNS server internally for my zone so that queries will be intercepted and the appropriate IPs returned. This would not work if my NS record were hosted elsewhere, as the A query would never reach my firewall.

    So to sum up, I need to bring my NS server behind the Check Point firewall and then enable DNS Proxy, and of course for the MX record I can be fine with priorities and achieve the redundancy.
