CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.



Thread: Virtual systems with different DNS servers

  1. #1, posted by eduardoxmunoz

    Virtual systems with different DNS servers

    Hi all,

    I am building a new VSX gateway with some virtual firewalls. Part of the requirements is to configure different DNS servers depending on the logical allocation of each virtual system.

    Example:
    Internal VS will query internal DNS
    External VS will query external DNS

    As far as I can see, the DNS settings are set in Gaia for VS0 and shared with all the virtual systems. It seems there is no way to set different DNS servers for each VS.

    Can anyone confirm whether it is possible to tweak any setting to make this happen?

    Platform:
    Check Point 13800
    Gaia R80.10

    Thanks!

    Ed

  2. #2, posted by mdjmcnally

    Re: Virtual systems with different DNS servers

    I've never found one.

    You can set different DNS servers for each VS when using the Mobile Access Blade, in that each VS can then use different DNS servers for Mobile Access, but the general DNS is still the one configured on the base VS0.

    Can specify Private Authentication Servers so that each VS goes direct rather than through VS0, but I have not seen anything for changing DNS on the unit.

  3. #3, posted by eduardoxmunoz

    Re: Virtual systems with different DNS servers

    Quote (originally posted by mdjmcnally):
    I've never found one.

    You can set different DNS servers for each VS when using the Mobile Access Blade, in that each VS can then use different DNS servers for Mobile Access, but the general DNS is still the one configured on the base VS0.

    Can specify Private Authentication Servers so that each VS goes direct rather than through VS0, but I have not seen anything for changing DNS on the unit.

    Hi there,

    Thanks for your answer. Yes, indeed I have read what you've mentioned in the documentation. However, we are not necessarily enabling Mobile Access in the VSs; moreover, the DNS requirements are to enable the VSs for name resolution.

    Anyway, it seems to be a CP limitation for now. Thanks again for your comment!

    Regards

    Ed

  4. #4, posted by Bob_Zimmerman

    Re: Virtual systems with different DNS servers

    Current VSX actually has very little "virtual" about it. It's implemented like rdomains on OpenBSD or VRFs on Cisco. Same OS, just multiple routing tables. There's one kernel, one filesystem, one user database (and one authentication subsystem; no per-VS RADIUS), one PID space, and so on, including one DNS resolver stub.

    Since name resolution is done by the OS, not by the routing table, policy-based routing won't help either.

    Zimmie

  5. #5, posted by jflemingeds

    Re: Virtual systems with different DNS servers

    Quote (originally posted by eduardoxmunoz):
    Hi all,

    I am building a new VSX gateway with some virtual firewalls. Part of the requirements is to configure different DNS servers depending on the logical allocation of each virtual system.

    Example:
    Internal VS will query internal DNS
    External VS will query external DNS

    As far as I can see, the DNS settings are set in Gaia for VS0 and shared with all the virtual systems. It seems there is no way to set different DNS servers for each VS.

    Can anyone confirm whether it is possible to tweak any setting to make this happen?

    Platform:
    Check Point 13800
    Gaia R80.10

    Thanks!

    Ed

    Could you hack it with NAT rules?

    src: fw1 dst: DNS1, nat src: original, nat dst: magic_dns_1
    src: fw2 dst: DNS1, nat src: original, nat dst: magic_dns_1

    Each VS could have its own NAT rule.

  6. #6, posted by eduardoxmunoz

    Re: Virtual systems with different DNS servers

    Quote (originally posted by jflemingeds):
    Could you hack it with NAT rules?

    src: fw1 dst: DNS1, nat src: original, nat dst: magic_dns_1
    src: fw2 dst: DNS1, nat src: original, nat dst: magic_dns_1

    Each VS could have its own NAT rule.

    That's a tricky idea that actually might work... Thanks for that! I will check it out and see how it goes.

    Challenges that I can foresee:
    • fw objects cannot be used in NAT rules... but easy to fix with a host object.
    • Performance, maybe?
    • Quite confusing to manage.
    • Standby behaviour for VSX clusters.

    Have you tried it in production before?

    Thanks again for the idea! Good one ;)

    Regards

    Ed

  7. #7, posted by Bob_Zimmerman

    Re: Virtual systems with different DNS servers

    There are a few reasons that actually won't work.

    DNS resolution is handled by the single stub resolver at the OS level. It sends all requests to the configured DNS servers from VS0 using VS0's routing table. There is no way to differentiate at a network level which request was made by a process in which VRF/VS. Imagine it like all of the VSs being set to use VS0 as a DNS proxy, then VS0 being the only one which actually puts DNS traffic on an interface.

    Even if that were not the case, by default, destination NAT happens on the client side (between i and I, in fw monitor terms). This is the default to let normal routing handle routing for your translated traffic as well. This is a global setting. If you disable it, you may need to add a lot of routes to ensure translated traffic gets where it should go.

    Zimmie
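The two points in the post above (one OS-level stub resolver running in VS0's context, and destination NAT happening on the client side before the route lookup) can be made concrete with a small model. The following Python is a constructed illustration added here; it is not Check Point code and does not reproduce Gaia's actual implementation. The VS names, interface names (`Mgmt`, `bond1.100`, …), the "magic" internal DNS address and all IP addresses (drawn from 10.0.0.0/8 and the RFC 5737 documentation ranges) are made up. `VirtualSystem.forward` models the per-VS NAT-then-route order, and `VsxGateway.dns_query` models the resolver always sourcing queries from VS0 regardless of which VS "asked":

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Constructed toy model of this thread's VSX DNS / NAT discussion, not Check Point
# code; every address, VS name and interface name below is made up.


@dataclass
class Packet:
    src: IPv4Address
    dst: IPv4Address


@dataclass
class Route:
    prefix: IPv4Network
    interface: str


@dataclass
class NatRule:
    """Match original src network + dst host, translate dst only (post #5's rule shape)."""
    src: IPv4Network
    dst: IPv4Address
    new_dst: IPv4Address


@dataclass
class VirtualSystem:
    name: str
    address: IPv4Address  # address this VS sources its own traffic from
    routes: List[Route] = field(default_factory=list)
    nat: List[NatRule] = field(default_factory=list)

    def lookup(self, dst: IPv4Address) -> Optional[str]:
        """Longest-prefix-match route lookup; returns the egress interface."""
        best: Optional[Route] = None
        for r in self.routes:
            if dst in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
                best = r
        return best.interface if best else None

    def apply_nat(self, pkt: Packet) -> Packet:
        """First-match destination NAT; unmatched packets pass unchanged."""
        for rule in self.nat:
            if pkt.src in rule.src and pkt.dst == rule.dst:
                return Packet(pkt.src, rule.new_dst)
        return pkt

    def forward(self, pkt: Packet, client_side_nat: bool = True) -> Tuple[Packet, Optional[str]]:
        """Return (packet as it leaves, egress interface). Client-side NAT translates
        between i and I and routes on the translated dst (the default post #7 describes);
        server-side NAT routes on the original dst and translates afterwards."""
        if client_side_nat:
            pkt = self.apply_nat(pkt)
            return pkt, self.lookup(pkt.dst)
        iface = self.lookup(pkt.dst)
        return self.apply_nat(pkt), iface


class VsxGateway:
    """One kernel, one stub resolver: DNS queries always originate in VS0's context."""

    def __init__(self, vs0: VirtualSystem, others: List[VirtualSystem], dns_server: IPv4Address):
        self.vs0 = vs0
        self.vs: Dict[str, VirtualSystem] = {v.name: v for v in [vs0, *others]}
        self.dns_server = dns_server  # the single Gaia DNS setting shared by all VSs

    def dns_query(self, requesting_vs: str) -> Tuple[str, str, Optional[str]]:
        """(source, destination, egress) of a name lookup made 'in' requesting_vs."""
        if requesting_vs not in self.vs:
            raise KeyError(requesting_vs)
        # The requesting VS never touches the packet: the resolver runs in VS0, so the
        # query carries VS0's source address, uses VS0's routing table, and the NAT
        # rules configured in the other VSs never see it.
        pkt, iface = self.vs0.forward(Packet(self.vs0.address, self.dns_server))
        return str(pkt.src), str(pkt.dst), iface


def build_gateway() -> VsxGateway:
    """Constructed topology: VS0 (management), VS1 (internal), VS2 (external)."""
    public_dns = ip_address("198.51.100.53")  # the DNS server configured in Gaia
    vs0 = VirtualSystem("VS0", ip_address("192.0.2.10"),
                        routes=[Route(ip_network("0.0.0.0/0"), "Mgmt")])
    vs1 = VirtualSystem("VS1", ip_address("10.1.0.1"),
                        routes=[Route(ip_network("10.0.0.0/8"), "bond1.100"),
                                Route(ip_network("0.0.0.0/0"), "bond1.200")],
                        nat=[NatRule(ip_network("10.1.0.0/16"), public_dns,
                                     ip_address("10.10.10.53"))])  # "magic" internal DNS
    vs2 = VirtualSystem("VS2", ip_address("203.0.113.1"),
                        routes=[Route(ip_network("0.0.0.0/0"), "bond1.300")])
    return VsxGateway(vs0, [vs1, vs2], public_dns)


def nat_order_matters(gw: VsxGateway) -> Dict[str, Tuple[str, Optional[str]]]:
    """One transit DNS packet from a host behind VS1, with client-side vs server-side NAT."""
    pkt = Packet(ip_address("10.1.5.5"), gw.dns_server)
    results = {}
    for label, client_side in (("client_side", True), ("server_side", False)):
        sent, iface = gw.vs["VS1"].forward(pkt, client_side_nat=client_side)
        results[label] = (str(sent.dst), iface)
    return results
```

Calling `build_gateway().dns_query(name)` for VS0, VS1 or VS2 returns the same `("192.0.2.10", "198.51.100.53", "Mgmt")`: the query is sourced from VS0 and leaves on VS0's route, so VS1's NAT rule for its "own" DNS traffic is never evaluated. `nat_order_matters` shows the second point for traffic that does transit VS1: with client-side NAT the translated destination 10.10.10.53 is routed via the 10.0.0.0/8 route (`bond1.100`); with server-side NAT the route is chosen on the original destination and the translated packet leaves on the default route (`bond1.200`), which is why disabling client-side NAT calls for extra routes.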

  8. #8, posted by eduardoxmunoz

    Re: Virtual systems with different DNS servers

    Quote (originally posted by Bob_Zimmerman):
    There are a few reasons that actually won't work.

    DNS resolution is handled by the single stub resolver at the OS level. It sends all requests to the configured DNS servers from VS0 using VS0's routing table. There is no way to differentiate at a network level which request was made by a process in which VRF/VS. Imagine it like all of the VSs being set to use VS0 as a DNS proxy, then VS0 being the only one which actually puts DNS traffic on an interface.

    Even if that were not the case, by default, destination NAT happens on the client side (between i and I, in fw monitor terms). This is the default to let normal routing handle routing for your translated traffic as well. This is a global setting. If you disable it, you may need to add a lot of routes to ensure translated traffic gets where it should go.

    Yes, no discussion that if it works, managing it will be messy with routing and NATs.
