Re: [FW-1] DNS and Check Point Firewall-1 on Nokia device

[Chris Fant <cfant@FW1-NOSPAMEROLS.COM>]

Is this latency with all external DNS resolution or just some? I had a
similar problem on Solaris but only with certain queries. The reason for
this is, DNS queries from DNS servers usually source from port 53 to
port 53. FW-1 will translate this to a unused port below 1024, some
authoritative dns servers don't like this. To force FW-1 to translate
this query to a high port on Solaris add the following line to /etc/system.

* DNS translate low port requests to high ports
set fw:fwx_udp_hide_high=0x35

According to phoneboy the correct syntax for IPSO is as follows but I've
never tested it.

The steps are as follows:
Stop the firewall (fwstop)
On IPSO: modzap _fwx_udp_hide_high 0x35 $FWDIR/bin/fwmod.o
Start the firewall (fwstart)


Hope this helps,
Chris



straightLiners IT Security Team wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
>
> Hello !
>
> I encounter the problem, that DNS resolution doesn't work out properly.
>
> When a clients asks the internal DNS to resolve a host's name it takes
> seriously long resulting in a time-out. The internal DNS forwards the request
> to a specific external DNS server but obviously gets no answer. Instead its
> digging recursively a series of unknown DNS server.
> After about half a minute everything's fine and the host will resolve within
> a few ms.
>
> When digging the external DNS directly everything's within normal response
> times.
>
> I did a test setup at home using the same configuration files and
> everything's working out just fine.
>
> The firewall is a hardware device from Nokia running Check Point Firewall-1.
>
> Does anyone know that problem? Which ACLs work out fine and are secure,
> still? Any other ideas?
>
> - --
>
> straightLiners IT Consulting & Services
> IT Security Department
> Sebastian Schneider
> Metzer Str. 12
> 13595 Berlin
> Germany
>
> Phone: +49-30-3510-6168
> Fax: +49-30-3510-6169
>
> Diese E-Mail enthält vertrauliche und/oder rechtlich geschützte
> Informationen. Wenn Sie nicht der richtige Adressat sind oder
> diese E-Mail irrtümlich erhalten haben, informieren Sie bitte
> sofort den Absender und vernichten Sie diese Mail. Das unerlaubte
> Kopieren sowie die unbefugte Weitergabe dieser Mail ist nicht
> gestattet.
>
> This E-Mail may contain confidential and/or privileged information.
> If you are not the intended recipient (or have received this E-Mail
> in error please notify the sender immediately and destroy this E-Mail.
> Any unauthorized copying, disclosure or distribution of the material
> in this E-Mail is strictly forbidden.
>
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.2 (GNU/Linux)
>
> iD8DBQE/XxnGHui/4z3QSJoRAjlRAJ9+NvgzqyhpspxoFKmwoQzRA/u6zgCaA0e3
> 8dOgXpqxu64G1OmUxNlC2gs=
> =KR+m
> -----END PGP SIGNATURE-----
>
> =================================================
> To set vacation, Out-Of-Office, or away messages,
> send an email to LISTSERV@amadeus.us.checkpoint.com
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> fw-1-owner@ts.checkpoint.com
> =================================================

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERV@amadeus.us.checkpoint.com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-owner@ts.checkpoint.com
=================================================