CPUG: The Check Point User Group

Thread: Inbound loadbalancing with DNS for Sub-domain

#1 (joined 2012-06-13, 368 posts): Inbound loadbalancing with DNS for Sub-domain

    Hey All,

    Here is my scenario; I would need your insights. I have R77 on a 4800 with ISP links. My main zone, let's say example.com, has its NS server located elsewhere. I need to load balance the mail services, that is, users connecting to the mail server on ports 110/143 for the hostname mail.example.com. It does not look feasible to move the complete NS record, hence I am planning to put a sub-domain mail.example.com on a BIND server which will be NATed with each of the ISP IPs.

    Or, per the documentation, it seems Check Point can act as a DNS server, so can I have the CP act as a DNS server for the sub-domain mail.example.com?
    ##########################
    Configuring Security Gateway as DNS
    The Security Gateway, or a DNS server behind it, must respond to DNS queries. It resolves IP addresses of servers in the DMZ (or another internal network).
    ##########################

    I wanted to know if this scenario would work.

#2 (joined 2007-06-04, 3,301 posts): Re: Inbound loadbalancing with DNS for Sub-domain

    The DNS Proxy would resolve the name to an IP; however, you would need to ensure that the DNS Server located in the DMZ handles the actual MX Record lookup.

    If you read through the DNS Proxy completely, then all it can handle are simple Hostname to IP address queries.

    What the DNS effectively does is: you configure a DNS Server and install it into the DMZ. This is then publicly available on both ISP lines.
    You then point the authoritative DNS entry to the Public IP of your DMZ located DNS Server(s).

    DNS lookups to the Domain are then sent through to the DNS Server in your DMZ.

    The DNS Proxy intercepts these DNS lookups and, if it has a host entry in the DNS Proxy, responds with the corresponding IP.
    If there is no entry, or it is an MX lookup etc., then the DNS query is passed through to the DNS Server to respond to.

    As such, Check Point does NOT become a DNS Server, but simply becomes a DNS Proxy that can intercept basic DNS requests; for handling Mail Lookups you would still need to have your.

    If you are simply performing a DNS lookup for mail.sub-domain.domain.com as an A Record lookup, then providing that the DNS entry exists in the DNS Proxy, yes, it would respond with ISP-1 or ISP-2 addresses depending upon how you configure the ISP Redundancy, so it would balance the traffic across both ISP links to the same Server.

    In order for this to work, however, your NS needs to be pointing to your DMZ located DNS Server. If your NS for the Domain is located elsewhere then the DNS request goes off there and never reaches the Check Point, so it would fail.
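
To make the split described in the reply above concrete, here is an added example (written for this page; it is not code from the thread or from Check Point). It models the gateway's DNS Proxy as a function over raw DNS wire-format packets: an A query for a configured hostname is answered by the proxy itself with an ISP-side address, and anything else (an MX lookup for example.com, a name the proxy does not know) is handed unchanged to the DNS server in the DMZ. Assumptions not taken from the thread: the proxy alternates between the ISP addresses round-robin (on a real gateway the choice follows the ISP Redundancy mode), the addresses 203.0.113.10 and 198.51.100.10 are constructed TEST-NET values standing in for the ISP-1 and ISP-2 NAT IPs, and the DMZ server is a stub that only records what reached it.

```python
"""Toy model of the DNS Proxy split: A lookups for known hosts answered locally,
everything else passed through to the DMZ DNS server. Added example, not Check Point code."""
import itertools
import struct

QTYPE_A = 1
QTYPE_MX = 15
QCLASS_IN = 1


def encode_name(name: str) -> bytes:
    """Encode a dotted hostname as DNS labels (no compression)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name: str, qtype: int, txid: int = 0x1234) -> bytes:
    """Standard recursion-desired query with one question, in wire format."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def parse_question(packet: bytes):
    """Return (txid, qname, qtype) of the single question in a DNS packet."""
    txid, _flags, qdcount = struct.unpack("!HHH", packet[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    pos, labels = 12, []
    while packet[pos] != 0:
        length = packet[pos]
        labels.append(packet[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    qtype = struct.unpack("!H", packet[pos + 1:pos + 3])[0]
    return txid, ".".join(labels).lower(), qtype


def build_a_response(txid: int, qname: str, ip: str, ttl: int = 30) -> bytes:
    """Authoritative answer carrying one A record for qname (flags: QR, AA, RD, RA)."""
    header = struct.pack("!HHHHHH", txid, 0x8580, 1, 1, 0, 0)
    question = encode_name(qname) + struct.pack("!HH", QTYPE_A, QCLASS_IN)
    rdata = bytes(int(octet) for octet in ip.split("."))
    # 0xC00C is a compression pointer back to the name at offset 12 (the question).
    answer = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, ttl, len(rdata)) + rdata
    return header + question + answer


def answered_ip(response: bytes) -> str:
    """Extract the IPv4 address from the first A record of a response built above."""
    _txid, qname, _qtype = parse_question(response)
    pos = 12 + len(encode_name(qname)) + 4  # end of the question section
    rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", response[pos + 2:pos + 12])
    if rtype != QTYPE_A or rdlen != 4:
        raise ValueError("first answer is not an A record")
    return ".".join(str(b) for b in response[pos + 12:pos + 16])


class DnsProxy:
    """Answers A queries for configured hosts itself; hands everything else to the backend."""

    def __init__(self, hosts: dict):
        # One round-robin cycle per hostname (assumed load-sharing behaviour, not verified).
        self._cycles = {name.lower(): itertools.cycle(ips) for name, ips in hosts.items()}

    def handle(self, packet: bytes, backend) -> bytes:
        txid, qname, qtype = parse_question(packet)
        if qtype == QTYPE_A and qname in self._cycles:
            return build_a_response(txid, qname, next(self._cycles[qname]))
        # MX, NS, unknown names, etc.: only the DMZ DNS server can answer these.
        return backend(packet)


class DmzDnsServer:
    """Stand-in for the BIND server in the DMZ; records what the proxy passed through."""

    def __init__(self):
        self.received = []

    def __call__(self, packet: bytes) -> bytes:
        txid, qname, qtype = parse_question(packet)
        self.received.append((qname, qtype))
        # Constructed placeholder reply (NOERROR, no answers); real BIND would return the MX data.
        return struct.pack("!HHHHHH", txid, 0x8180, 1, 0, 0, 0) + packet[12:]


def run_scenario():
    """Replay the thread's case: two A lookups for mail.example.com, then an MX lookup."""
    isp_addresses = ["203.0.113.10", "198.51.100.10"]  # constructed ISP-1 / ISP-2 NAT IPs
    proxy = DnsProxy({"mail.example.com": isp_addresses})
    dmz = DmzDnsServer()
    answers = [
        answered_ip(proxy.handle(build_query("mail.example.com", QTYPE_A), dmz))
        for _ in range(2)
    ]
    proxy.handle(build_query("example.com", QTYPE_MX), dmz)
    return answers, dmz.received


if __name__ == "__main__":
    print(run_scenario())
```

The pass-through branch is the practical point of the reply: the proxy only ever sees queries that arrive at the gateway, so for the delegated sub-domain the parent zone's NS records still have to point at the DMZ server's public address on each ISP link, and that server still has to hold the MX and any other non-A records.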

#3 (joined 2012-06-13, 368 posts): Re: Inbound loadbalancing with DNS for Sub-domain

    I got it. So in short, CP cannot act as a DNS server; rather it would act as a DNS proxy server and would respond on behalf of the DNS server or NS server placed behind it.

#4 (joined 2007-06-04, 3,301 posts): Re: Inbound loadbalancing with DNS for Sub-domain

    That is correct; you still need to have your DNS Server to handle the DNS requests that the DNS Proxy cannot handle, i.e. anything other than a simple A record lookup.
