CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.


Thread: DNS Return Traffic being blocked

  1. #1 gojericho0 (Join Date 2009-05-27, Posts 11, Rep Power 0)

    DNS Return Traffic being blocked

    Hi,

    I have a strange problem and I am not 100% sure what may be causing it. I am currently running Gaia and R77.30. I have a log server on a SMART1 appliance and a core firewall on a 61000 appliance. The log server uses the core firewall as its default gateway.

    The log server is attempting to reach a DNS server behind a different interface on the core firewall. When the log server makes a DNS request to an internal DNS server behind a different interface on the core firewall, I see an allow entry in the connections table, but I see a NEW entry on the return traffic coming back which is hitting my clean-up rule. Both the to and from traffic are coming through the correct interfaces and taking the same path. When the log server falls back to using an external DNS server, only one connection entry is made and everything works hunky-dory.

    There is no NAT applied to the log server or the internal DNS server. The timestamp is exactly the same. I am not sure why an additional entry is being created. Thanks in advance!

  2. #2 ShadowPeak.com (Join Date 2009-04-30, Location Colorado, USA, Posts 2,251, Rep Power 14)

    Re: DNS Return Traffic being blocked

    Quote Originally Posted by gojericho0 (post #1 above)
    Has the UDP virtual session timeout of 40 seconds in Global Properties...Stateful Inspection been changed from the default? Also has a custom timeout been created for the domain-udp service on its advanced button? Any chance the DNS replies are taking more time than the configured amount? (unlikely)

    Any chance Aggressive Aging is active? (Run fw ctl pstat to check). DNS is a favorite target of Aggressive Aging to get expired early.
    --
    Second Edition of my "Max Power" Firewall Book
    Now Available at http://www.maxpowerfirewalls.com

  3. #3 (Join Date 2006-09-26, Posts 3,194, Rep Power 17)

    Re: DNS Return Traffic being blocked

    Quote Originally Posted by ShadowPeak.com (post #2 above)
    Did you run tcpdump or fw monitor to analyze the traffic? From the description you gave, you are likely to have an asymmetric route.

    One way to confirm this is via tcpdump or fw monitor

  4. #4 (Join Date 2014-07-21, Posts 57, Rep Power 6)

    Re: DNS Return Traffic being blocked

    Hi,

    Double-check that you allow TCP and UDP for DNS port 53.
    Check in the log whether it is dropped because of some special "source port" for that traffic that differs from the one configured in your service. So it could be that the domain-ns service has something strange configured in the source port which does not match your environment.
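
As an added example (my own code, not posted by any of the participants above and not Check Point tooling), here is a small analyser for the three checks suggested in posts #2 to #4: whether the DNS reply comes back in on the interface the query went out of (asymmetric path), whether it arrives after the UDP virtual session timeout (40 seconds by default per post #2; Aggressive Aging can shorten it), and whether it is sourced from a port other than the one the query was sent to, so that it does not match the existing connection entry. It assumes you capture on each gateway interface with tcpdump or fw monitor, as post #3 suggests, and then normalise the capture into the constructed one-line-per-packet format shown in SAMPLE (interface, direction, timestamp, then tcpdump-style "IP src.port > dst.port:"). The addresses, interface names and the functions parse_line and analyse are my own assumptions, not anything from the thread.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Default UDP virtual session timeout (Global Properties > Stateful Inspection)
# cited in post #2. Aggressive Aging can expire entries sooner than this.
UDP_VIRTUAL_SESSION_TIMEOUT = 40.0

# Constructed line format (assumption, not real tcpdump/fw monitor output):
# interface, direction (i = entering the gateway, o = leaving it), timestamp,
# then tcpdump-style "IP src.sport > dst.dport:".
LINE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<dir>[io])\s+(?P<ts>[\d.]+)\s+IP\s+"
    r"(?P<src>[\d.]+)\.(?P<sport>\d+)\s+>\s+(?P<dst>[\d.]+)\.(?P<dport>\d+):"
)


@dataclass
class Query:
    ts: float                     # when the query entered the gateway
    ingress: str                  # interface it entered on
    egress: Optional[str] = None  # interface it left on (None if never seen leaving)
    answered: bool = False


def parse_line(line):
    """Return the packet fields of one capture line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"iface": m["iface"], "dir": m["dir"], "ts": float(m["ts"]),
            "src": m["src"], "sport": int(m["sport"]),
            "dst": m["dst"], "dport": int(m["dport"])}


def analyse(capture, timeout=UDP_VIRTUAL_SESSION_TIMEOUT):
    """Pair each DNS query with its reply and list why the reply would not match
    the query's connection entry. Findings are (kind, (client, cport, server, sport)):
      asymmetric      reply entered on a different interface than the query left on
      timeout         reply arrived more than `timeout` seconds after the query
      sport_mismatch  reply came from a server port other than the one queried
      unanswered      no reply seen at all
    """
    queries = {}
    findings = []
    for line in capture.splitlines():
        p = parse_line(line)
        if p is None:
            continue
        fwd = (p["src"], p["sport"], p["dst"], p["dport"])
        rev = (p["dst"], p["dport"], p["src"], p["sport"])
        if p["dport"] == 53 and p["sport"] != 53:          # client -> server
            if p["dir"] == "i":
                queries.setdefault(fwd, Query(ts=p["ts"], ingress=p["iface"]))
            elif fwd in queries:
                queries[fwd].egress = p["iface"]
            continue
        if p["dir"] != "i":                                  # only the reply's arrival matters
            continue
        q = queries.get(rev)
        if q is None:
            # Same client/server pair but a different server port: the 5-tuple does
            # not match the existing entry, so the gateway would treat it as NEW.
            for key, cand in queries.items():
                if key[:3] == (p["dst"], p["dport"], p["src"]) and not cand.answered:
                    cand.answered = True
                    findings.append(("sport_mismatch", key))
                    break
            continue
        q.answered = True
        if q.egress is not None and p["iface"] != q.egress:
            findings.append(("asymmetric", rev))
        if p["ts"] - q.ts > timeout:
            findings.append(("timeout", rev))
    findings.extend(("unanswered", key) for key, q in queries.items() if not q.answered)
    return findings


# Constructed sample capture (made-up addresses and interfaces) covering the
# healthy case plus the four failure modes the thread discusses.
SAMPLE = """\
eth1 i 1000.000 IP 10.10.10.5.51234 > 10.20.20.53.53: A? ok.example.
eth2 o 1000.001 IP 10.10.10.5.51234 > 10.20.20.53.53: A? ok.example.
eth2 i 1000.010 IP 10.20.20.53.53 > 10.10.10.5.51234: A 192.0.2.1
eth1 o 1000.011 IP 10.20.20.53.53 > 10.10.10.5.51234: A 192.0.2.1
eth1 i 1010.000 IP 10.10.10.5.51235 > 10.20.20.53.53: A? asym.example.
eth2 o 1010.001 IP 10.10.10.5.51235 > 10.20.20.53.53: A? asym.example.
eth3 i 1010.020 IP 10.20.20.53.53 > 10.10.10.5.51235: A 192.0.2.2
eth1 i 1020.000 IP 10.10.10.5.51236 > 10.20.20.53.53: A? slow.example.
eth2 o 1020.001 IP 10.10.10.5.51236 > 10.20.20.53.53: A? slow.example.
eth1 i 1030.000 IP 10.10.10.5.51237 > 10.20.20.53.53: A? port.example.
eth2 o 1030.001 IP 10.10.10.5.51237 > 10.20.20.53.53: A? port.example.
eth2 i 1030.005 IP 10.20.20.53.1024 > 10.10.10.5.51237: A 192.0.2.3
eth2 i 1065.000 IP 10.20.20.53.53 > 10.10.10.5.51236: A 192.0.2.4
eth1 i 1070.000 IP 10.10.10.5.51238 > 10.20.20.53.53: A? lost.example.
eth2 o 1070.001 IP 10.10.10.5.51238 > 10.20.20.53.53: A? lost.example.
"""

if __name__ == "__main__":
    for kind, key in analyse(SAMPLE):
        print(f"{kind:15s} client={key[0]}:{key[1]} server={key[2]}:{key[3]}")
```

Run against real captures, a reply flagged "asymmetric" confirms post #3's theory, "timeout" points at the session timeout or Aggressive Aging from post #2, and "sport_mismatch" matches post #4's service source-port suspicion; an original poster's symptom (allow entry followed by a NEW entry for the reply) should surface as exactly one of these for the internal server and none for the external one.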