
Re: [FW1] beginner's question on DNS



I have often wondered why they give you a check box to hang yourself with.
(I suppose the theory is you know what you are doing to get to this point right?)
 
I agree it is better to uncheck the implied rules and build explicit rules in your rulebase to accomplish the same tasks.
The same can be said for NAT. I find the automatic NAT tabs on the objects useless, and prefer to manually build
all NAT translation rules.
----- Original Message -----
Sent: Tuesday, May 08, 2001 10:18 AM
Subject: RE: [FW1] beginner's question on DNS

To take this one step further, NEVER check the accept domain name over TCP, in particular if you host your own DNS servers!  That is one of the easiest ways for an attacker to footprint your network.
 
Secondly, as the note below explains, take out as many checks in policy properties as possible and implement them explicitly.  I recommend following Lance's building a firewall rulebase document at www.enteract.com/~lspitz.
-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Goetz, Jarrett
Sent: Sunday, May 06, 2001 11:53 PM
To: Thuan Pham; 'John Tanouye'
Cc: '[email protected]'
Subject: RE: [FW1] beginner's question on DNS
Importance: Low

I would suggest (maybe because of my paranoia :) that instead of using CheckPoint's pseudo-implied rules from the policy properties dialog box (suggestion #4 below) you instead manually create a rule or possibly rules for any DNS actions you may need to occur.  I think it is more secure not to use their rules and can help reduce the instance of certain problems or issues in the future. (i.e. say you want domain-udp to encrypt over site-to-site VPN links, you may forget that you have that implied rule and it is catching the query before it hits your VPN rules or something silly like that...)
 
Just my $0.02....
 
Jarrett
-----Original Message-----
From: Thuan Pham [mailto:[email protected]]
Sent: Thursday, May 03, 2001 12:12
To: 'John Tanouye'; '[email protected]'
Subject: RE: [FW1] beginner's question on DNS

John:

Here are some suggestions to check before proceeding further:

1. Your DNS server is sitting on the DMZ zone.
2. There is a static route that points to the DNS server on the router that the CheckPoint Firewall-1 is connected to.
3. There is also a static route that points to the DNS server on the CheckPoint Firewall-1.
4. On the Security Policy Properties panel, ensure that the following are checked:
        a. Accept Domain Name over UDP (Queries)
        b. Accept Domain Name over TCP (Zone Transfer)

Hope this helps.

Thuan Pham



-----Original Message-----
From: John Tanouye [mailto:[email protected]]
Sent: Tuesday, May 01, 2001 3:23 PM
To: '[email protected]'
Subject: [FW1] beginner's question on DNS



Could anyone tell me how to set up DNS on Firewall-1?  I have pretty much
everything else running.  However nothing works, because I believe that the
DNS isn't set up.

Thanks,

John


================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================
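The replies above argue for unticking the "Accept Domain Name over UDP/TCP" boxes in Policy Properties and writing explicit DNS rules instead, for two reasons: the implied TCP rule opens zone transfers (TCP/53) from anywhere, and an implied accept rule that matches before the rulebase can silently bypass a VPN encrypt rule. The following is an added illustration, not code from the thread or from Check Point: a toy first-match rulebase model that compares the two configurations. It assumes implied rules are evaluated ahead of the explicit rulebase (Check Point's default "First" position), and all addresses, rule names and the simplified rule format are constructed for the example.

```python
"""Toy model of a Check Point-style DNS rulebase (added example, not from the thread).

Assumptions: implied rules from Policy Properties are evaluated before the
explicit rulebase; first matching rule wins; addresses below are constructed.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network

# Constructed addresses (documentation / RFC 1918 ranges), not taken from the thread.
ANY = ip_network("0.0.0.0/0")
DNS_DMZ = ip_network("192.0.2.53/32")       # the DNS server sitting on the DMZ
SECONDARY = ip_network("198.51.100.10/32")  # the only host allowed to pull zone transfers
INTERNAL = ip_network("10.0.0.0/8")         # internal network behind the firewall
REMOTE_SITE = ip_network("10.200.0.0/16")   # LAN at the far end of a site-to-site VPN


@dataclass(frozen=True)
class Rule:
    name: str
    src: IPv4Network
    dst: IPv4Network
    service: str   # "domain-udp", "domain-tcp" or "any"
    action: str    # "accept", "drop" or "encrypt"

    def matches(self, src: str, dst: str, service: str) -> bool:
        return (ip_address(src) in self.src
                and ip_address(dst) in self.dst
                and self.service in ("any", service))


# Toy rendering of the two Policy Properties check boxes discussed in the thread.
IMPLIED_DOMAIN_UDP = Rule("implied: Accept Domain Name over UDP", ANY, ANY, "domain-udp", "accept")
IMPLIED_DOMAIN_TCP = Rule("implied: Accept Domain Name over TCP", ANY, ANY, "domain-tcp", "accept")

# The explicit rulebase the posters recommend instead: queries only to the DMZ
# server, zone transfers only from the named secondary, VPN-bound DNS encrypted,
# and a final cleanup rule that drops everything else.
EXPLICIT_RULES = [
    Rule("dns queries to DMZ server", ANY, DNS_DMZ, "domain-udp", "accept"),
    Rule("zone transfer from secondary", SECONDARY, DNS_DMZ, "domain-tcp", "accept"),
    Rule("dns over site-to-site VPN", INTERNAL, REMOTE_SITE, "domain-udp", "encrypt"),
    Rule("cleanup", ANY, ANY, "any", "drop"),
]


def build_policy(implied_udp: bool, implied_tcp: bool, rulebase=EXPLICIT_RULES):
    """Return the ordered policy: ticked implied rules first, then the rulebase."""
    policy = []
    if implied_udp:
        policy.append(IMPLIED_DOMAIN_UDP)
    if implied_tcp:
        policy.append(IMPLIED_DOMAIN_TCP)
    return policy + list(rulebase)


def evaluate(policy, src: str, dst: str, service: str):
    """First-match evaluation; returns (rule name, action) of the winning rule."""
    for rule in policy:
        if rule.matches(src, dst, service):
            return rule.name, rule.action
    return None, "drop"   # nothing matched: implicit drop


def overbroad_zone_transfer_rules(policy):
    """Audit check: names of rules that accept TCP/53 from any source at all."""
    return [r.name for r in policy
            if r.action == "accept" and r.service == "domain-tcp" and r.src == ANY]


if __name__ == "__main__":
    ticked = build_policy(implied_udp=True, implied_tcp=True)
    unticked = build_policy(implied_udp=False, implied_tcp=False)
    for label, policy in (("implied rules ticked", ticked), ("explicit rules only", unticked)):
        print(f"--- {label}")
        print("TCP/53 from unknown host:", evaluate(policy, "203.0.113.7", "192.0.2.53", "domain-tcp"))
        print("TCP/53 from secondary:   ", evaluate(policy, "198.51.100.10", "192.0.2.53", "domain-tcp"))
        print("UDP/53 to VPN peer site: ", evaluate(policy, "10.1.2.3", "10.200.0.7", "domain-udp"))
        print("over-broad TCP/53 rules: ", overbroad_zone_transfer_rules(policy))
```

With both boxes ticked, the implied TCP rule accepts the zone-transfer attempt from the unknown host before the rulebase is consulted, and the internal query toward the remote site is accepted in the clear by the implied UDP rule, so the encrypt rule never fires. With the boxes unticked, only the secondary can transfer the zone, the query to the remote site is encrypted, and the audit function reports no over-broad TCP/53 rule.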



 
   All contents © 2004 Network Presence, LLC. All rights reserved.