I think the function you're referring to is called "DNS doctoring" by Cisco, and "DNS NAT" by Checkpoint. A vendor recently insisted we implement it here in a case in which a domain controller resided at the far side of a Checkpoint firewall performing NAT. We declined.
It is a poorly documented feature, but from what I could find I concluded that:

1) It is a global setting that affects all interfaces on all firewalls managed by your central Checkpoint SmartCenter server. It's set with a switch "fw_dns_xlation" in objects_5_0.C. When enabled, all DNS packets across all interfaces will be examined for payloads with an IP address matching an existing NAT rule.

2) No logging occurs when a DNS packet payload is doctored. This makes troubleshooting difficult.

3) DNS doctoring incurs some unknown amount of firewall processing and network latency overhead.

I think you are correct that it doesn't support zone transfers. It also only works with static NAT, and only for DNS over UDP.

Because it's so poorly documented, I don't fully trust my conclusions. If anyone has direct experience, please correct me.

Dan Lynch, CISSP
Information Technology Analyst
County of Placer
Auburn, CA

> -----Original Message-----
> From: Mailing list for discussion of Firewall-1
> [mailto:[EMAIL PROTECTED] On Behalf Of Peter Olsson
> Sent: Friday, February 15, 2008 3:41 AM
> To: [email protected]
> Subject: [FW-1] Can Checkpoint firewall handle DNS through NAT?
>
> Our tests indicate that Checkpoint firewall has no support
> whatsoever for DNS through NAT. Not for zone transfers and
> not even for A records.
> Is this true, or am I missing something?
>
> An internal DNS server, with a static address translation in
> the firewall, gives its internal IP number in responses to
> AXFR and A queries from external hosts.
>
> I searched documentation and support but find nothing on the subject.
>
> Thanks!
>
> --
> Peter Olsson [EMAIL PROTECTED]
>
> Scanned by Check Point Total Security Gateway.
> =================================================
> To set vacation, Out-Of-Office, or away messages, send an
> email to [EMAIL PROTECTED]
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your subscription
> options, email [EMAIL PROTECTED]
> =================================================
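The DNS doctoring behaviour described in the reply above, as an added example that is not part of the original thread and is not Check Point's code: a stand-alone Python model of a DNS ALG that walks a DNS message, rewrites the rdata of A records whose address matches a static NAT entry, logs each rewrite (the post says the firewall itself logs nothing), and, to mirror the stated limitation, only does so for DNS over UDP so that an AXFR or any other DNS-over-TCP payload passes through with the internal address intact. The NAT table, the addresses, the zone name and the constructed response are hypothetical.

```python
import logging
import socket
import struct

# Constructed static NAT table for the example (hypothetical addresses):
# internal server address -> address it is statically NATed to.
STATIC_NAT = {"10.1.1.10": "203.0.113.10"}

log = logging.getLogger("dns-doctor")


def _skip_name(msg, off):
    """Return the offset just past the DNS name starting at msg[off].

    Handles RFC 1035 label compression: a pointer (top two bits set)
    is two bytes long and ends the name.
    """
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def _a_record_rdata_offsets(msg):
    """Yield the rdata offset of every IN/A record in a DNS message."""
    qdcount, ancount, nscount, arcount = struct.unpack("!4H", msg[4:12])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4          # skip QTYPE and QCLASS
    for _ in range(ancount + nscount + arcount):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            yield off
        off += rdlen


def a_record_addresses(msg):
    """All IPv4 addresses carried in A records, in message order."""
    return [socket.inet_ntoa(bytes(msg[o:o + 4])) for o in _a_record_rdata_offsets(msg)]


def doctor_dns_response(msg, nat_table=STATIC_NAT):
    """Rewrite A-record rdata that matches a static NAT entry.

    Returns (new_message, [(inside, outside), ...]). Queries (QR=0) and
    records with no matching entry come back unchanged. Rdata length is
    unchanged, so no offsets or section counts need fixing up.
    """
    flags = struct.unpack("!H", msg[2:4])[0]
    if not flags & 0x8000:                     # QR bit clear: this is a query
        return bytes(msg), []
    out = bytearray(msg)
    rewrites = []
    for off in list(_a_record_rdata_offsets(out)):
        inside = socket.inet_ntoa(bytes(out[off:off + 4]))
        outside = nat_table.get(inside)
        if outside is not None:
            out[off:off + 4] = socket.inet_aton(outside)
            rewrites.append((inside, outside))
            log.info("doctored A record %s -> %s", inside, outside)   # the firewall does not
    return bytes(out), rewrites


def doctor_packet(proto, payload, nat_table=STATIC_NAT):
    """Apply doctoring only to DNS over UDP, as the post says Check Point does.

    A TCP payload (AXFR, or a retry of a truncated answer) is passed through
    untouched, so the internal address is still disclosed on that path.
    """
    if proto != "udp":
        return bytes(payload), []
    return doctor_dns_response(payload, nat_table)


def build_a_response(txid, name, addresses, ttl=300):
    """Construct a minimal DNS response: one A question, one A answer per address."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    header = struct.pack("!6H", txid, 0x8180, 1, len(addresses), 0, 0)
    question = qname + struct.pack("!HH", 1, 1)
    answers = b"".join(
        struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + socket.inet_aton(a)   # name = pointer to question
        for a in addresses
    )
    return header + question + answers


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    reply = build_a_response(0x1234, "dc1.corp.example", ["10.1.1.10", "10.1.1.11"])
    udp_out, udp_changes = doctor_packet("udp", reply)
    print("UDP:", a_record_addresses(udp_out), udp_changes)
    tcp_out, tcp_changes = doctor_packet("tcp", reply)
    print("TCP:", a_record_addresses(tcp_out), tcp_changes)
```

Running it shows the first answer rewritten to the NATed address on the UDP path while the second (no static NAT entry) is left alone, and the same response carried over TCP leaking both internal addresses. Because an A-record rdata is always four bytes, the rewrite never changes the message length, which is why a static one-to-one mapping is the easy case and why the post's observation that only static NAT is supported is plausible: a dynamic or hide NAT has no fixed address to substitute.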
