How CheckPoint SmartDefense broke Windows 2008 R2 DNS

Microsoft changed some part of DNS in Windows 2008 R2, as one of our customers found out when they upgraded their (Windows 2008 based) DNS servers to R2.

Upgraded Windows 2008 R2 servers = No DNS Servers.

That is a bad thing, not having DNS available, as best practice for years now has been:

“Don’t link to a computer’s IP address, link to its computer name (and DNS will do the rest).”

So when the customer lost their DNS servers, they couldn’t log onto the network, as their desktop computers couldn’t find a server.

And in my little bit of the support empire, customers couldn’t receive emails on their BlackBerries. The BlackBerry Server couldn’t find the Email server, so no messages were being delivered.

The short-term fix? Adding the mail server IP address to the BlackBerry Server HOSTS file got the mail flowing again. The long-term fix? Stop the CheckPoint SmartDefense product from checking the DNS protocol.

(It’s a shame the customer can’t use OpenDNS, which I wrote about here.)

Update:
And the prize goes to The Angry Technician, who wondered about how CheckPoint would interact with DNSSEC.  DNSSEC support was introduced in Windows 2008 R2 …
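The check a practitioner would want here, as an added example (not code from the original post, CheckPoint or Microsoft): the script sends a plain A query and then the same query carrying an EDNS0 OPT record with the DNSSEC OK bit, as a DNSSEC-aware Windows 2008 R2 resolver does, and reports whether each gets an answer and whether the OPT record survives the path. It assumes a server address and query name you supply; that DNSSEC/EDNS0 is what SmartDefense's DNS inspection tripped on is the commenter's hypothesis, not something the post confirms.

```python
import socket
import struct

def build_query(name, qid=0x1234, edns=False, do=False):
    """DNS A query for name; edns=True appends an EDNS0 OPT record (RFC 6891)
    and do=True sets its DNSSEC OK bit, as a DNSSEC-aware resolver does."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1 if edns else 0)
    question = b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split(".")) + b"\x00"
    question += struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    if not edns:
        return header + question
    # OPT RR: root name, TYPE 41, CLASS = UDP payload size, TTL = ext-rcode/version/flags
    opt = b"\x00" + struct.pack("!HHBBHH", 41, 4096, 0, 0, 0x8000 if do else 0, 0)
    return header + question + opt

def parse_response(data):
    """Return (rcode, answer_count, has_opt) for a DNS response message."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    def skip_name(p):  # walk labels; a compression pointer (2 bytes) ends the name
        while True:
            length = data[p]
            if length & 0xC0 == 0xC0:
                return p + 2
            p += 1
            if length == 0:
                return p
            p += length
    pos = 12
    for _ in range(qd):
        pos = skip_name(pos) + 4  # skip QTYPE + QCLASS
    has_opt = False
    for _ in range(an + ns + ar):
        pos = skip_name(pos)
        rtype, _, _, rdlen = struct.unpack("!HHIH", data[pos:pos + 10])
        has_opt = has_opt or rtype == 41
        pos += 10 + rdlen
    return flags & 0x000F, an, has_opt

def probe(server, name, timeout=2.0):
    """Plain query, then EDNS0/DO query; None means no reply (DNS inspection symptom)."""
    results = {}
    for label, edns in (("plain", False), ("edns_do", True)):
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            sock.settimeout(timeout)
            try:
                sock.sendto(build_query(name, edns=edns, do=edns), (server, 53))
                results[label] = parse_response(sock.recv(4096))
            except socket.timeout:
                results[label] = None
    return results
```

Run `probe("<your DNS server IP>", "<a name in your zone>")` from a client behind the firewall: an answer to the plain query but a timeout or a missing OPT record on the EDNS/DO query is the evidence to take to the firewall team, and re-running it after the SmartDefense change confirms the fix.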
