Is this latency with all external DNS resolution or just some? I had a similar problem on Solaris but only with certain queries. The reason for this is that DNS queries from DNS servers usually source from port 53 to port 53. FW-1 will translate this to an unused port below 1024, and some authoritative DNS servers don't like this. To force FW-1 to translate this query to a high port on Solaris, add the following lines to /etc/system.

* DNS translate low port requests to high ports
set fw:fwx_udp_hide_high=0x35
According to phoneboy the correct syntax for IPSO is as follows but I've never tested it.
The steps are as follows:

1. Stop the firewall (fwstop)
2. On IPSO: modzap _fwx_udp_hide_high 0x35 $FWDIR/bin/fwmod.o
3. Start the firewall (fwstart)
Hope this helps, Chris
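As an added illustration, not part of Chris's reply or anything from the list archive: the value 0x35 is decimal 53, so the setting tells the hide NAT to move source port 53 to a high port rather than to a low one. The symptom Chris describes can be confirmed from a capture on the firewall's external interface before touching the kernel setting. The script below parses constructed tcpdump-style lines (the addresses are documentation ranges and the line format is an assumption) and counts queries to port 53 whose source port was rewritten to something below 1024 but not 53, which is the pattern that some authoritative servers drop.

```python
import re
from collections import Counter

# Constructed sample of tcpdump-style lines as seen on the firewall's external
# interface (not a real capture). 203.0.113.10 is the hide-NAT address of the
# internal forwarder, 198.51.100.x are external name servers.
SAMPLE_CAPTURE = """\
12:00:01.000 IP 203.0.113.10.53 > 198.51.100.5.53: 1234+ A? example.org.
12:00:01.100 IP 203.0.113.10.1027 > 198.51.100.5.53: 1235+ A? example.net.
12:00:01.200 IP 203.0.113.10.612 > 198.51.100.7.53: 1236+ A? example.com.
12:00:01.300 IP 203.0.113.10.701 > 198.51.100.7.53: 1237+ A? example.edu.
12:00:02.000 IP 198.51.100.5.53 > 203.0.113.10.1027: 1235 1/0/0 A 192.0.2.8
"""

# Matches "IP <src-ip>.<src-port> > <dst-ip>.<dst-port>:" in tcpdump output.
LINE_RE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+):")


def parse_queries(capture):
    """Return (src_ip, src_port, dst_ip) for every packet sent to port 53.

    Replies (destination port != 53) are ignored; only outbound queries
    show the translated source port we care about.
    """
    queries = []
    for line in capture.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        src, sport, dst, dport = m.group(1), int(m.group(2)), m.group(3), int(m.group(4))
        if dport == 53:
            queries.append((src, sport, dst))
    return queries


def classify_source_port(port):
    """Bucket a query's source port.

    'port53' is the untranslated server-to-server case, 'high' is what the
    fwx_udp_hide_high=0x35 setting produces, and 'low' (below 1024 but not 53)
    is the hide-NAT result that some authoritative servers refuse to answer.
    """
    if port == 53:
        return "port53"
    if port < 1024:
        return "low"
    return "high"


def low_port_report(capture):
    """Return (bucket counts, list of low-port queries) for a capture."""
    queries = parse_queries(capture)
    counts = Counter(classify_source_port(p) for _, p, _ in queries)
    suspicious = [q for q in queries if classify_source_port(q[1]) == "low"]
    return dict(counts), suspicious


if __name__ == "__main__":
    counts, suspicious = low_port_report(SAMPLE_CAPTURE)
    print("source port buckets:", counts)
    for src, sport, dst in suspicious:
        print(f"low-port translated query: {src}:{sport} -> {dst}:53")
```

On a real box the input would come from something like `tcpdump -n -i <outside-if> udp port 53` piped into the script; if the 'low' bucket is non-empty after the setting is applied and the firewall restarted, the change did not take effect.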
straightLiners IT Security Team wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hello !
I encounter the problem, that DNS resolution doesn't work out properly.
When a client asks the internal DNS to resolve a host's name it takes seriously long, resulting in a time-out. The internal DNS forwards the request to a specific external DNS server but obviously gets no answer. Instead it's digging recursively through a series of unknown DNS servers. After about half a minute everything's fine and the host will resolve within a few ms.
When digging the external DNS directly everything's within normal response times.
I did a test setup at home using the same configuration files and everything's working out just fine.
The firewall is a hardware device from Nokia running Check Point Firewall-1.
Does anyone know that problem? Which ACLs work out fine and are secure, still? Any other ideas?
--
straightLiners IT Consulting & Services
IT Security Department
Sebastian Schneider
Metzer Str. 12
13595 Berlin
Germany
Phone: +49-30-3510-6168
Fax: +49-30-3510-6169
This e-mail contains confidential and/or legally protected information. If you are not the intended recipient or have received this e-mail in error, please notify the sender immediately and destroy this e-mail. Unauthorized copying or forwarding of this e-mail is not permitted.
This E-Mail may contain confidential and/or privileged information. If you are not the intended recipient (or have received this E-Mail in error), please notify the sender immediately and destroy this E-Mail. Any unauthorized copying, disclosure or distribution of the material in this E-Mail is strictly forbidden.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)

iD8DBQE/XxnGHui/4z3QSJoRAjlRAJ9+NvgzqyhpspxoFKmwoQzRA/u6zgCaA0e3
8dOgXpqxu64G1OmUxNlC2gs=
=KR+m
-----END PGP SIGNATURE-----
================================================= To set vacation, Out-Of-Office, or away messages, send an email to [EMAIL PROTECTED] in the BODY of the email add: set fw-1-mailinglist nomail ================================================= To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html ================================================= If you have any questions on how to change your subscription options, email [EMAIL PROTECTED] =================================================
