Checkpoint and dns lookups

Anyone know how Checkpoint products do their DNS lookups? Quite often I can look at a log, see an IP-name and then go do a lookup online and the name-ip pairings are different. so it will say a user visited google.com (191.32.16.2) when I do a lookup online of google.com it resolves to 74.125.228.199. So what is checkpoint doing here?

Find more posts tagged with

Save $250 on 2025 certification boot camps from Infosec!

Book now with code EOY2025

Button

Comments

DevilWAH

Check point is probable doing a reverse look up (IP to name). Where as you are doing a forward look up ( name to IP). Google will have lots of ip's maped to the same name, and depending how they have it set up for load balancing when you do a look up you will get one of these addresses returned. Google will use intelligent load balancing so you get the IP address of a server near you and often it will "stick", to your client so if you domany look ups from a single client you always get the same IP.
Try doing an nslook up from the command line on your PC for both addresses. " nslookup 192.16.45.7" etc. This will give you the dns name "first" that the owner has in there DNS config. Same way you can have a single name pointed to many ip' s for load balancing. You can have many names to one IP for things like multiple web servers on single host.

DevilWAH

And I see you mentioned you do the lookup on line. For global companies where you do the look up from is important. When trouble shooting always do the look up from the same IP addesss . load balancing for DNS takes in to consideration of where you are coming from and talyors the responce . so if you cmong from a UK IP address you get a UK server IP in response. Us and you get a us sever IP. And in it will also be further loclised with in a country. F5 have a product call bigIP that is built for this. There is a good video on there site outlining how it works and what its for with out going I. To to much technical depth.