FireWall-1 FAQ: DNS Not Working to Some Sites
Please note: This content was from when I was operating my FireWall-1 FAQ site, which I stopped operating in August 2005. For some reason people still have links to this stuff on the Internet that people are still clicking on.
I am making this information available again AS IS. Given how old this information is, it is likely wildly inaccurate. I have no plans to update this information.
If you're still running versions of Check Point VPN-1/FireWall-1 where this information is still relevant to you, do yourself a favor and upgrade to a more recent release. If you happen to be running a current release and the information is useful, it's by happenstance :)
DNS queries sent by DNS servers sometimes use source port 53 as well as destination port 53. By default, FireWall-1 address translation rewrites such a source port to an unused “low” (below 1024) port, and many authoritative DNS servers have a problem with queries arriving from such ports. There are three ways to fix this problem:
- Configure your DNS server to send its queries from a non-privileged (i.e. above 1023) port. Current versions of BIND do this by default (not sure about other DNS servers).
- Configure a static address translation for your DNS server.
- Configure FireWall-1 to translate the “low” port to a “high” port instead. I currently only know how to do this on Unix, not NT, so don’t ask. ;-)
The steps are as follows:
- Stop the firewall (fwstop).
- Set the fwx_udp_hide_high kernel variable with the command for your platform:
  On Solaris: echo "fwx_udp_hide_high ?W35" | adb -w -k /dev/ksyms /dev/mem
  On SunOS: echo "fwx_udp_hide_high ?W35" | adb -w $FWDIR/modules/fwmod.4.1.x.o
  On HP/UX: echo "fwx_udp_hide_high ?W35" | adb -w /hp-ux
  On IPSO: modzap _fwx_udp_hide_high 0x35 $FWDIR/bin/fwmod.o
- Start the firewall (fwstart).
To make this change permanent on Solaris, add the following to /etc/system:
I’m told that this may not work (though it did when I tried it). If it doesn’t (or you’re not running Solaris), add the appropriate “echo” command to the end of the fwstart script.
Another possible cause is that some domains implement load balancing, so the DNS reply actually comes from a different IP address than the one the query was sent to. If “Enable DNS Domain Queries” is unchecked in Policy Properties, the firewall will drop these reply packets. The way to resolve this is to configure the forwarders on your internal DNS servers to use an external DNS server.
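As an added example (not from the original FAQ), a small Python check for both symptoms described on this page, run over constructed tcpdump -n style lines from the firewall's external interface: queries that left with a privileged source port, and replies arriving from an address no query was sent to. The capture lines, the hide address 203.0.113.5 and the server addresses are made up for the example.

```python
import re

# Constructed tcpdump -n lines from the firewall's external interface
# (made up for this example; 203.0.113.5 is the assumed hide address).
CAPTURE = """\
IP 203.0.113.5.618 > 198.51.100.10.53: 4321+ A? example.com. (29)
IP 198.51.100.10.53 > 203.0.113.5.618: 4321 1/0/0 A 198.51.100.20 (45)
IP 203.0.113.5.41302 > 198.51.100.11.53: 4322+ MX? example.org. (29)
IP 198.51.100.77.53 > 203.0.113.5.41302: 4322 1/0/0 MX mail.example.org. (60)
IP 203.0.113.5.53 > 198.51.100.12.53: 4323+ A? example.net. (29)
"""

# src.port > dst.port: txid, with '+' after the txid on queries
PKT_RE = re.compile(
    r"IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"(?P<txid>\d+)(?P<query>\+?)"
)

def parse(capture):
    """Return one dict per DNS packet with integer ports and a 'query' flag."""
    pkts = []
    for line in capture.splitlines():
        m = PKT_RE.search(line)
        if m:
            p = m.groupdict()
            p["sport"], p["dport"] = int(p["sport"]), int(p["dport"])
            p["query"] = p["query"] == "+"
            pkts.append(p)
    return pkts

def low_port_hides(pkts, hide_ip):
    """Queries that left with a privileged (<1024) source port, the symptom
    of the default hide translation; empty once fwx_udp_hide_high is 0x35 (53)."""
    return [(p["sport"], p["dst"]) for p in pkts
            if p["src"] == hide_ip and p["dport"] == 53
            and p["query"] and p["sport"] < 1024]

def replies_from_other_address(pkts, hide_ip):
    """Replies from an address no query was sent to (the load-balancing
    case); these are the replies the firewall drops."""
    sent_to = {(p["txid"], p["sport"]): p["dst"]
               for p in pkts if p["src"] == hide_ip and p["query"]}
    return [(p["txid"], sent_to[(p["txid"], p["dport"])], p["src"])
            for p in pkts if not p["query"] and p["dst"] == hide_ip
            and sent_to.get((p["txid"], p["dport"])) not in (None, p["src"])]

if __name__ == "__main__":
    pkts = parse(CAPTURE)
    print(low_port_hides(pkts, "203.0.113.5"))
    print(replies_from_other_address(pkts, "203.0.113.5"))
```

Run it against a real capture taken before and after the kernel-variable change: the first list should go empty, while the second list identifies the servers whose replies need the forwarder workaround.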