Tim,

Looking at the relevant section of crypt.def, on Solaris, I see
        define USERC_DECRYPT_SRC {
            (
        #ifndef ENCDNS
                not(dport = SERV_domain, (udp or tcp)),
        #endif

I have added a line above this, saying
        #define ENCDNS
which functions in exactly the same way as in 4.0

I assume that the authors of the VPN document for Checkpoint 2000 didn't
properly check the system when writing page 155.


Tim

-- 
Timothy Frost                   mailto:[EMAIL PROTECTED]
EDS New Zealand                 Fax: +64-4-495-0473
8 Gilmer Terrace                        Phone: +64-4-495-0504
P O Box 3647
Wellington
New Zealand
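The carve-out both messages describe, as an added example that is not part of this thread or of Check Point's own code: a small Python model of the crypt.def scope check, run over a constructed workstation packet trace to confirm whether the observed cleartext DNS matches the default (ENCDNS undefined) behaviour. The value 53 for SERV_domain, the trace format and all function names are assumptions.

```python
from dataclasses import dataclass

# Assumption: SERV_domain in crypt.def resolves to the DNS port.
SERV_DOMAIN = 53


@dataclass(frozen=True)
class Packet:
    proto: str        # "udp" or "tcp"
    dport: int        # destination port
    encrypted: bool   # what the trace on the workstation showed


def in_client_encrypt_scope(pkt: Packet, encdns: bool) -> bool:
    """Model of the USERC_DECRYPT_SRC clause from the thread.

    Without ENCDNS, `not(dport = SERV_domain, (udp or tcp))` removes DNS
    over udp/tcp from the encryption scope; with it defined, DNS is treated
    like everything else.
    """
    is_dns = pkt.proto in ("udp", "tcp") and pkt.dport == SERV_DOMAIN
    if not encdns and is_dns:
        return False
    return True


def parse_trace(text: str) -> list[Packet]:
    """Parse constructed trace lines of the form '<proto> <dport> <clear|enc>'."""
    pkts = []
    for line in text.strip().splitlines():
        proto, dport, state = line.split()
        pkts.append(Packet(proto, int(dport), state == "enc"))
    return pkts


def audit(pkts: list[Packet], encdns: bool) -> list[Packet]:
    """Return packets whose observed state disagrees with what the define implies."""
    return [p for p in pkts if in_client_encrypt_scope(p, encdns) != p.encrypted]


# Constructed trace: DNS in the clear, other tunnelled traffic encrypted.
CONSTRUCTED_TRACE = """
udp 53 clear
tcp 53 clear
tcp 80 enc
tcp 445 enc
"""

if __name__ == "__main__":
    pkts = parse_trace(CONSTRUCTED_TRACE)
    print("mismatches with ENCDNS undefined:", audit(pkts, encdns=False))
    print("mismatches with ENCDNS defined:  ", audit(pkts, encdns=True))
```

An empty mismatch list for `encdns=False` and DNS-only mismatches for `encdns=True` means the trace is exactly what the undefined ENCDNS carve-out produces, which is the symptom the original question reports.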

> -----Original Message-----
> From: Chilton Tim [SMTP:[EMAIL PROTECTED]]
> Sent: Friday, July 28, 2000 12:23 AM
> To:   [EMAIL PROTECTED]
> Subject:      [FW1] SecureRemote - DNS not encrypting
> 
> 
> Hi,
> 
> I've been looking at a problem with SecureRemote where DNS is not encrypting
> (which puzzles me since I can think of no reason any sysadmin would want
> their entire internal DNS internet visible!)
> 
> Tech stuff
> 
>       FW -  NT4, SP6a, CP2000 4.1 SP1 +hotfix (build 41603)
>       Client NT4, SP6a, SR build 4157
>       Encryption rule is using FWZ encryption.
> 
> Client encryption rule
>       SRUsers Any     Any     Client Encrypt
> 
> I can dial-up, authenticate and do everything except DNS queries (which show
> as unencrypted in a packet trace on the workstation)
> 
> The CP2000 VPN book includes a section on encrypting DNS and I've done the
> dnsinfo.c, userc.c updates etc, however the crypt.def update does not in any
> way match the code that is already there - there is an "#ifdef
> SECUREREMOTE" code block that appears in the existing curly brace section.
> 
> Question : Is the CP2000 book wrong or does the existing code get removed,
> added before, after, etc? (Seeing a couple of surrounding lines in the
> printed code extract would be handy!)
> 
> Question - Checkpoint -- WHY would I not want to encrypt internal DNS
> queries like the rest of my traffic? -- after all my rules base that I want
> to download says "Remote -> Any for Any" -- not "Remote -> Any for anything
> but DNS"
> 
> Anyone seen this or better still know of a fix ?
> 
> Cheers
> 
> Tim
> 
> ================================================================================
>      To unsubscribe from this mailing list, please see the instructions at
>                http://www.checkpoint.com/services/mailing.html
> ================================================================================

