I'm assuming your DNS response times for internal servers/clients are fine.

What O/S is the DNS server running on?  Are you running BIND internally or
some other DNS server?

Have you run nslookup or dig in debug mode to see what the client DNS
request is actually doing?

Are you allowing external DNS responses through the firewall?

Can the internal DNS reach the IP address (e.g. not using a host name) of
the external DNS server?

-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:[EMAIL PROTECTED] On Behalf Of
straightLiners IT Security Team
Sent: Wednesday, September 10, 2003 8:32 AM
To: [EMAIL PROTECTED]
Subject: [FW-1] DNS and Check Point Firewall-1 on Nokia device


Hello!

I am encountering the problem that DNS resolution doesn't work properly.

When a client asks the internal DNS to resolve a host's name it takes
seriously long, resulting in a time-out. The internal DNS forwards the
request to a specific external DNS server but obviously gets no answer.
Instead it's digging recursively through a series of unknown DNS servers. After about
half a minute everything's fine and the host will resolve within a few ms.

When digging the external DNS directly everything's within normal response
times.

I did a test setup at home using the same configuration files and
everything's working out just fine.

The firewall is a hardware device from Nokia running Check Point Firewall-1.

Does anyone know that problem? Which ACLs work out fine and are secure,
still? Any other ideas?

--

straightLiners IT Consulting & Services
IT Security Department
Sebastian Schneider
Metzer Str. 12
13595 Berlin
Germany

Phone: +49-30-3510-6168
Fax: +49-30-3510-6169

This E-Mail may contain confidential and/or privileged information. If you
are not the intended recipient (or have received this E-Mail in error) please
notify the sender immediately and destroy this E-Mail. Any unauthorized
copying, disclosure or distribution of the material in this E-Mail is
strictly forbidden.


=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [EMAIL PROTECTED]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[EMAIL PROTECTED]
=================================================



Note:
This message is for the named person's use only.  It may contain confidential, 
proprietary or legally privileged information.  No confidentiality or privilege is 
waived or lost by any mistransmission.  If you receive this message in error, please 
immediately delete it and all copies of it from your system, destroy any hard copies 
of it and notify the sender.  You must not, directly or indirectly, use, disclose, 
distribute, print, or copy any part of this message if you are not the intended 
recipient. Wang Trading LLC and any of its subsidiaries each reserve the right to 
monitor all e-mail communications through its networks.
Any views expressed in this message are those of the individual sender, except where 
the message states otherwise and the sender is authorized to state them to be the 
views of any such entity.
