Re: [FW1] Firewall-1 NAT/DNS issue
If I remember right, I believe apple.com will only answer to queries that use
source 53 and dest 53. I believe from the discussions that were around at the
time that they don't reply back to high ports since this is what client software
uses and they didn't want to talk to client machines.
If I am correct then the only workable solutions below would be to put in the
static mapping or an external dns.
sirving@ca.ibm.com on 09/08/99 09:07:27 AM
Please respond to sirving@ca.ibm.com
To: "Espinola, Micheal" <micheale@ix.netcom.com>
cc: "'Firewalls@lists.gnac.net'" <Firewalls@lists.gnac.net>,
"'fw-1-mailinglist@lists.us.checkpoint.com'"
<fw-1-mailinglist@lists.us.checkpoint.com>
Subject: Re: [FW1] Firewall-1 NAT/DNS issue
Here is your answer from www.phoneboy.com. There is also a fourth option not
mentioned and that is to put a caching only dns on the outside of your firewall
and setup your internal dns to forward to it.
DNS queries from DNS servers usually come from source port 53 to destination
port 53. By default, FireWall-1 will translate this to a "low" (below 1024)
unused port. Some authoritative DNS servers have a problem with this. There are
three ways to fix this problem:
· Configure your DNS server to perform DNS queries with a non-privileged
(i.e. above 1023) port. Current versions of BIND do this by default (not sure
about other DNS servers)
· Configure your DNS server to have a static address translation.
· Configure FireWall-1 to translate the "low" port to a "high" port instead.
I currently only know how to do this on Unix, not NT, so don't ask. ;-)
<rant on>
And please, next time don't write a primer describing what NAT is. I think we
all know what you are talking about.
<rant off>
"Espinola, Micheal" <micheale@ix.netcom.com> on 09/07/99 01:17:28 PM
Please respond to "Espinola, Micheal" <micheale@ix.netcom.com>
To: "'Firewalls@lists.gnac.net'" <Firewalls@lists.gnac.net>,
"'fw-1-mailinglist@lists.us.checkpoint.com'"
<fw-1-mailinglist@lists.us.checkpoint.com>
cc:
Subject: [FW1] Firewall-1 NAT/DNS issue
Hi everyone,
This is my first question posting to this list, so please be easy on my lack
of firewall knowledge. In the intro to my problem, I have tried to explain
what I *think* is going on in the process. If you see anything wrong with
my interpretation, please feel free to correct me - the more the better.
Firewall-1 NAT issue:
Firewall-1 (FW-1), like many other enterprise-level firewall products has a
security-related functionality called Network Address Translation (NAT).
NAT in its purest definition is a process in which IP addresses are hidden
(by the firewall) between one side of the firewall (or possibly both) from
the other.
Like my company, many organizations depend heavily on NAT in order to
protect internal networked systems from outside access by preventing that
outside source from ever learning the internal system's IP address.
This feature of the NAT process is referred to as "Hiding". FW-1 takes this
an additionally-secure step further by also performing the NAT process on
the port that the Internet communication is taking place on. For example,
HTTP (World Wide Web) communications typically take place on port 80.
Because many important Internet-related functions take place on ports that
are within the 1-1023 range, FW-1's NAT translates communications taking
place within this port range, and changes them to a different port number
within the range of 600-1023. This port range is non-modifiable.
This change of standard port-related communications to non-standard port
numbers can "break" the working functionality of an Internet
process/function because the receiving system may only allow certain
communications to occur only on a certain port. Case in point:
Domain Name Service (DNS) is an Internet-related service that provides the
ability to "look-up" an Internet Domain Name address (i.e.
www.microsoft.com) and translate it into an IP address (i.e. 207.46.131.13).
All Internet communications are actually transacted by IP address only, so
DNS is essential to Internet communications.
This can be put in layman's terms by comparing the process to a telephone
call. For instance, you may want to make a telephone call to "John Smith".
You cannot pick-up the telephone and place a call to "John Smith's" name.
You need to call an information service (i.e. 411 is an information service
in the US), to find out what "John Smith's" phone number is (i.e. 555-1212).
Because of FW-1's NAT "Hiding", DNS communication to certain Internet sites
(i.e. APPLE.COM) from my company's internal network is broken. A layman's
overview of the DNS process failure is as follows:
1. Internal user wishes to connect to www.apple.com.
2. Internal user's computer does not know www.apple.com's IP address.
3. Internal user's computer makes a DNS "Look-up" request to a
pre-configured internal DNS server.
4. Internal DNS server does not have www.apple.com in its local database.
5. Internal DNS server makes a "look-up" request to a Top-Level Internet
DNS server. This is commonly referred to as "Forwarding".
6. Internal DNS server is provided with an Apple DNS server's IP address,
as provided by the InterNic.
7. Internal DNS server contacts an Apple DNS server and requests a
"Look-up" translation of www.apple.com.
8. Internal DNS server's request is dropped (or possibly denied) because it
has been translated to a non-standard port (DNS is port 53, but has been
translated to a random port between 600-1023).
Note: The DNS communication is NOT broken if the Internal user is using an
external DNS server for DNS requests (even from behind the firewall). The
DNS "Look-up / Forwarding" failure is only between the Internal DNS server
and the Apple DNS server.
Possible solutions to the problem?:
1. Can CheckPoint (the maker of FW-1) fix this problem? Have they already
in a product update?
2. Can Internal DNS servers perform "Look-up / Forwarding" through a Static
NAT for all DNS requests or per DNS server?
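An added example, not part of any message in this thread and not FireWall-1 or BIND code: the failure sequence in the original post (resolver forwards with source port 53, hide NAT rewrites it into 600-1023, the authoritative server drops it) and the first of the three fixes quoted from phoneboy (make the resolver query from an unprivileged port) can both be checked from the outside. The script below classifies constructed UDP flow records as they would appear on the external interface after hide NAT, and inspects a `named.conf` `query-source` line for a pinned privileged port. The flow records, IP addresses and the two `named.conf` snippets are constructed samples; the 600-1023 range is the one stated in the thread; `query-source address * port 53;` / `port *;` is standard BIND 8/9 syntax.

```python
# Added example: diagnose the FireWall-1 hide-NAT DNS forwarding failure from
# (constructed) outside-interface flow records, and check a BIND named.conf for
# a query-source port pinned below 1024, which is what hide NAT rewrites.
import re
from dataclasses import dataclass

DNS_PORT = 53
# Port range the thread says FW-1 hide NAT rewrites privileged source ports into.
FW1_LOW_NAT_RANGE = range(600, 1024)


@dataclass(frozen=True)
class Flow:
    """One UDP datagram as seen on the outside of the firewall (constructed)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def classify_dns_flow(flow: Flow) -> str:
    """Classify an outbound UDP flow by what its source port says about NAT.

    'not-dns'        : not a query to port 53
    'server-style'   : source port 53, i.e. a forwarding resolver whose
                       privileged source port was NOT rewritten (static NAT)
    'nat-low-port'   : source port in 600-1023, the hide-NAT rewrite that
                       some authoritative servers (apple.com in the thread) drop
    'high-port'      : unprivileged source port (>1023), the case that works
    'other-low-port' : any other privileged port
    """
    if flow.dst_port != DNS_PORT:
        return "not-dns"
    if flow.src_port == DNS_PORT:
        return "server-style"
    if flow.src_port in FW1_LOW_NAT_RANGE:
        return "nat-low-port"
    if flow.src_port > 1023:
        return "high-port"
    return "other-low-port"


def at_risk_queries(flows):
    """Return only the flows an authoritative server may silently drop."""
    return [f for f in flows if classify_dns_flow(f) == "nat-low-port"]


# Constructed sample: the outside interface once hide NAT has rewritten the
# internal resolver's source port 53 into the 600-1023 range.
SAMPLE_FLOWS = [
    Flow("192.0.2.1", 1021, "198.51.100.10", 53),   # forwarded query after NAT
    Flow("192.0.2.1", 833, "198.51.100.11", 53),    # forwarded query after NAT
    Flow("192.0.2.1", 40312, "198.51.100.10", 53),  # client-style query, fine
    Flow("192.0.2.1", 1021, "198.51.100.10", 80),   # not DNS at all
]

# Matches "query-source [address X] port <N|*>;" inside a BIND options block.
QUERY_SOURCE_RE = re.compile(
    r"query-source\s+(?:address\s+\S+\s+)?port\s+(\*|\d+)\s*;", re.IGNORECASE)


def bind_query_source_port(named_conf: str):
    """Return the configured query-source port: an int if pinned, '*' if
    BIND picks an unprivileged port, None if no query-source port is set."""
    m = QUERY_SOURCE_RE.search(named_conf)
    if not m:
        return None
    value = m.group(1)
    return "*" if value == "*" else int(value)


def bind_needs_change(named_conf: str) -> bool:
    """True if the resolver pins its source port below 1024, so hide NAT
    will rewrite it (fix #1 in the thread: query from an unprivileged port)."""
    port = bind_query_source_port(named_conf)
    return isinstance(port, int) and port < 1024


# Constructed named.conf fragments: the weak setting beside the corrected one.
WEAK_NAMED_CONF = """
options {
    directory "/var/named";
    // pins the resolver's source port to 53; hide NAT rewrites it to 600-1023
    query-source address * port 53;
};
"""

FIXED_NAMED_CONF = """
options {
    directory "/var/named";
    // let BIND pick an unprivileged source port, which hide NAT leaves alone
    query-source address * port *;
};
"""

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f"{f.src_ip}:{f.src_port} -> {f.dst_ip}:{f.dst_port}  {classify_dns_flow(f)}")
    print("at-risk forwarded queries:", len(at_risk_queries(SAMPLE_FLOWS)))
    print("weak named.conf needs change:", bind_needs_change(WEAK_NAMED_CONF))
    print("fixed named.conf needs change:", bind_needs_change(FIXED_NAMED_CONF))
```

The flow classifier is the check to run against a capture taken on the outside interface: if forwarded queries from your resolver leave with a source port in 600-1023, the hide-NAT rewrite from the thread is in play, and switching the resolver to `query-source ... port *` (or giving it a static translation, the second fix) removes the rewrite.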
================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================