Virtual systems with different DNS servers

[eduardoxmunoz]

Hi all,

I am building a new VSX gateway with some virtual firewalls. Part of the requirements is to configure different DNS servers depending on the logical allocation of each virtual system.

Example:
Internal VS will query internal DNS
External VS will query external DNS

As far as I can see the DNS settings are set in Gaia for VS0 and shared with all the virtual systems. It seems to be limited setting different DNS for each VS.

Can anyone confirm whether is possible to tweak any setting to make this happen.

Platform:
Check Point 13800
Gaia R80.10

Thanks!

Ed

[mdjmcnally]

I've never found one.

You can set different DNS Servers for each VS where using Mobile Access Blade in that on each VS then use different DNS Servers for the Mobile Access but the general DNS is stil the ones configured on the base VS0.

Can specify Private Authentication Servers so that each VS goes direct rather then through VS0 but not seen anything for changing for DNS on the unit.

[eduardoxmunoz]

I've never found one.

You can set different DNS Servers for each VS where using Mobile Access Blade in that on each VS then use different DNS Servers for the Mobile Access but the general DNS is stil the ones configured on the base VS0.

Can specify Private Authentication Servers so that each VS goes direct rather then through VS0 but not seen anything for changing for DNS on the unit.

Hi there,

Thanks for your answer. Yes, indeed I have read what you've mentioned in the documentation. However, we are not necessary enabling Mobile Access in the VS'es, moreover, the DNS requirements are to enable VS for name resolution.

Anyways! seems to be a CP limitation for now. Thanks again for your comment!

Regards

Ed

[Bob_Zimmerman]

Current VSX actually has very little "virtual" about it. It's implemented like rdomains on OpenBSD or VRFs on Cisco. Same OS, just multiple routing tables. There's one kernel, one filesystem, one user database (and one authentication subsystem; no per-VS RADIUS), one PID space, and so on, including one DNS resolver stub.

Since name resolution is done by the OS, not by the routing table, policy-based routing won't help either.

[jflemingeds]

Hi all,

I am building a new VSX gateway with some virtual firewalls. Part of the requirements is to configure different DNS servers depending on the logical allocation of each virtual system.

Example:
Internal VS will query internal DNS
External VS will query external DNS

As far as I can see the DNS settings are set in Gaia for VS0 and shared with all the virtual systems. It seems to be limited setting different DNS for each VS.

Can anyone confirm whether is possible to tweak any setting to make this happen.

Platform:
Check Point 13800
Gaia R80.10

Thanks!

Ed

Could you hack it what NAT rules?

src: fw1 dst:DNS1, nat src: orginal, nat dst:magic_dns_1
src: fw2 dst:DNS1, nat src: orginal, nat dst:magic_dns_1

Each VS could have its own nat rule.

[eduardoxmunoz]

Could you hack it what NAT rules?

src: fw1 dst:DNS1, nat src: orginal, nat dst:magic_dns_1
src: fw2 dst:DNS1, nat src: orginal, nat dst:magic_dns_1

Each VS could have its own nat rule.

That's a tricky idea that actually might work... Thanks for that! I will check it out and see how it goes.

Challenges that I can foresee, fw objects cannot be used in NAT rules... but easy to fix with a host object.
Performance maybe?
Quite confusing to manage
Standby behaviour for VSX clusters

Have you tried it in production before?

Thanks again for the idea! Good one ;)

Regards

Ed

[Bob_Zimmerman]

There are a few reasons that actually won't work.

DNS resolution is handled by the single stub resolver at the OS level. It sends all requests to the configured DNS servers from VS0 using VS0's routing table. There is no way to differentiate at a network level which request was made by a process in which VRF/VS. Imagine it like all of the VSs being set to use VS0 as a DNS proxy, then VS0 being the only one which actually puts DNS traffic on an interface.

Even if that were not the case, by default, destination NAT happens on the client side (between i and I, in fw monitor terms). This is the default to let normal routing handle routing for your translated traffic as well. This is a global setting. If you disable it, you may need to add a lot of routes to ensure translated traffic gets where it should go.

[eduardoxmunoz]

There are a few reasons that actually won't work.

DNS resolution is handled by the single stub resolver at the OS level. It sends all requests to the configured DNS servers from VS0 using VS0's routing table. There is no way to differentiate at a network level which request was made by a process in which VRF/VS. Imagine it like all of the VSs being set to use VS0 as a DNS proxy, then VS0 being the only one which actually puts DNS traffic on an interface.

Even if that were not the case, by default, destination NAT happens on the client side (between i and I, in fw monitor terms). This is the default to let normal routing handle routing for your translated traffic as well. This is a global setting. If you disable it, you may need to add a lot of routes to ensure translated traffic gets where it should go.

Yes, no discussion that if it works, managing will be messy with routing and NAT's