How to Change DNS in Check Point Firewall Using Clish
Introduction
DNS (Domain Name System) is a critical component of any network infrastructure, including Check Point Firewalls. Configuring the correct DNS server ensures the firewall can resolve hostnames for threat intelligence updates, SmartConsole connectivity, URL filtering, and other dependent services.
In this article, we will walk through how to view and change DNS settings on a Check Point Firewall using Clish (Check Point's Gaia command-line shell), verify DNS traffic using tcpdump, and troubleshoot cases where the firewall continues using the old DNS by managing the WSDNSD service.
Prerequisites
- SSH or console access to the Check Point Firewall or Security Management Server
- Admin credentials with Clish and Expert mode privileges
- The new DNS server IP address(es) ready to configure
- Basic familiarity with the Check Point Gaia CLI
Step 1 — Check Current DNS Configuration
Before making any changes, always verify the existing DNS configuration. Log in to the firewall via SSH and enter Clish mode. Run either of the following commands to display the current DNS settings:
Displays the full DNS configuration block as stored in the Gaia running configuration:
show configuration dns
Sample output:
set dns primary 8.8.8.8
set dns secondary 8.8.4.4
set dns tertiary
set dns suffix example.local
Displays a concise summary of the currently active DNS resolver settings:
show dns
Sample output:
primary : 8.8.8.8
secondary : 8.8.4.4
tertiary :
suffix : example.local
Note down the existing DNS values before making any changes so you can revert if needed.
Step 2 — Set the New DNS Servers
Use the following set dns commands in Clish to configure the primary, secondary, and tertiary DNS servers.
You can set up to three DNS servers for redundancy:
set dns primary 192.168.1.10
set dns secondary 192.168.1.11
set dns tertiary 8.8.8.8
Replace the IP addresses above with your actual internal or ISP-provided DNS server addresses. Setting a public DNS like 8.8.8.8 as tertiary ensures fallback resolution if internal DNS servers are unreachable.
Step 3 — Save the Configuration
After setting the new DNS values, save the configuration to make the changes persistent across reboots. Run the following command in Clish:
save config
You should see a confirmation message similar to:
Configuration saved.
Always run save config after making changes in Clish. Without this step, all changes will be lost after a reboot.
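Steps 1 to 3 can be scripted from Expert mode so that the old values are kept for rollback and the addresses are checked before anything is applied. The script below is an added example, not code from the article or from Check Point; it assumes that clish -c "<command>" runs a single Clish command from Expert mode (standard on Gaia), and the backup file location is a hypothetical choice.

```bash
#!/bin/bash
# Added example (not from the original article): apply a DNS change from Expert
# mode in one run, keeping a copy of the previous settings for rollback.
# Assumptions: `clish -c "<command>"` runs one Clish command from Expert mode;
# BACKUP_FILE is a hypothetical location, override it as needed.
set -eu

BACKUP_FILE="${BACKUP_FILE:-/var/tmp/dns-backup-$(date +%Y%m%d%H%M%S).txt}"

# Return 0 if the argument is a well-formed dotted-quad IPv4 address
# (exactly four numeric octets, each 0-255), 1 otherwise.
valid_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++)
              if ($i !~ /^[0-9][0-9]?[0-9]?$/ || $i > 255) exit 1 }
        { exit 0 }'
}

# Print the Clish commands for the given servers (primary, secondary and an
# optional tertiary), one per line, followed by "save config" so the change
# survives a reboot.
build_dns_commands() {
    printf 'set dns primary %s\n' "$1"
    printf 'set dns secondary %s\n' "$2"
    if [ $# -ge 3 ]; then
        printf 'set dns tertiary %s\n' "$3"
    fi
    printf 'save config\n'
}

# Validate the addresses, back up the current DNS block, apply the change,
# save it and show the resulting active settings.
apply_dns() {
    for ip in "$@"; do
        valid_ipv4 "$ip" || { echo "invalid IPv4 address: $ip" >&2; return 1; }
    done
    # Keep the previous values so they can be re-applied if resolution breaks.
    clish -c "show configuration dns" > "$BACKUP_FILE"
    echo "previous DNS configuration saved to $BACKUP_FILE"
    build_dns_commands "$@" | while IFS= read -r cmd; do
        echo "+ $cmd"
        clish -c "$cmd"
    done
    clish -c "show dns"
}

# Run only when server addresses are given, e.g.:
#   ./set-dns.sh 192.168.1.10 192.168.1.11 8.8.8.8
if [ $# -ge 2 ]; then
    apply_dns "$@"
fi
```

Run it with two or three addresses; with none it only defines the functions. The backup file holds the output of show configuration dns, so reverting is a matter of feeding those set dns lines back through clish -c and running save config again.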
Step 4 — Verify DNS Traffic Using tcpdump
After the DNS change, confirm that DNS queries are now going to the new DNS server and not the old one. The most reliable way to verify this in real time is by capturing traffic on port 53 (the standard DNS port) using tcpdump from Expert mode.
First, switch to Expert mode from Clish:
expert
Then run the following command to capture live DNS traffic across all interfaces:
tcpdump -nnpi any port 53
Sample output showing DNS queries going to the new server:
12:04:31.123456 IP 192.168.1.1.49152 > 192.168.1.10.53: A? google.com.
12:04:31.145678 IP 192.168.1.10.53 > 192.168.1.1.49152: A google.com. 142.250.183.78
Look at the destination IP in the output. If DNS queries are still reaching the old server IP, proceed to the Troubleshooting section below to restart the WSDNSD service.
Press Ctrl + C to stop the tcpdump capture once you have confirmed the DNS traffic destination.
Troubleshooting — DNS Still Using Old Server After Change
If the tcpdump output shows DNS queries are still going to the old DNS server after the configuration change and save, the WSDNSD daemon (Check Point's DNS service) is likely still running with the old configuration cached in memory. You need to stop and restart this daemon manually.
All commands below must be run from Expert mode.
Check the current status of the WSDNSD service using cpwd_admin:
cpwd_admin list | grep -E "APP|WSDNSD"
Sample output:
APP        PID    STAT  #START  START_TIME
WSDNSD     3421   E     1       Mon Jan  6 10:22:01 2025
The STAT column shows E meaning the process is executing (running). If it shows S (stopped) or is missing from the list, the service is not active.
Stop the WSDNSD daemon using the following command:
cpwd_admin stop -name WSDNSD -path "$FWDIR/bin/wsdnsd" -command "kill -SIGTERM $(pidof $FWDIR/bin/wsdnsd)"
Stopping WSDNSD will temporarily pause DNS resolution handled by the Check Point daemon. Perform this during a maintenance window where possible to minimise any service impact.
After stopping the service, start WSDNSD again so it reloads with the updated DNS configuration:
cpwd_admin start -name WSDNSD -path "$FWDIR/bin/wsdnsd" -command "wsdnsd"
The WSDNSD daemon will now start fresh and pick up the new DNS server settings saved in the Gaia configuration.
Confirm that WSDNSD is running again after the restart:
cpwd_admin list | grep -E "APP|WSDNSD"
Then run tcpdump once more to confirm DNS queries are now going to the new server:
tcpdump -nnpi any port 53
If the destination IP in the tcpdump output now matches your new DNS server IP, the configuration is working correctly.
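Reading the tcpdump output by eye works for a handful of lines, but a busy gateway produces far more. The script below is an added example, not code from the article or from Check Point, that automates the checks in Step 4 and the troubleshooting section: it lists any port-53 query destinations outside the configured server set, and reads the WSDNSD STAT column from cpwd_admin list output. The sample capture and cpwd_admin lines are constructed in the shape of the article's output; the function names are hypothetical.

```bash
#!/bin/bash
# Added example (not from the original article): check port-53 query
# destinations against the configured servers and read the WSDNSD state.
# Both functions read their input on stdin so they work on a live command
# ("tcpdump -nnpi any port 53 -c 50 | ...") or on a saved capture.

# Print each destination IP of a port-53 query that is NOT in the allowed list
# (space-separated, first argument). Responses (source port 53) are ignored so
# only outbound queries are judged; each stray server is printed once.
dns_destinations_outside() {
    allowed="$1"
    awk -v allowed="$allowed" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        {
            # Locate the "IP src > dst:" group; tcpdump may prefix it with
            # the timestamp alone or with interface and direction columns.
            for (i = 1; i <= NF; i++) if ($i == "IP" && $(i + 2) == ">") break
            if (i > NF) next
            dst = $(i + 3); sub(/:$/, "", dst)     # e.g. 192.168.1.10.53
            port = dst; sub(/.*\./, "", port)      # text after the last dot
            if (port != "53") next                 # not a query, skip
            ip = dst; sub(/\.[0-9]+$/, "", ip)     # strip the port suffix
            if (!(ip in ok) && !(ip in seen)) { seen[ip] = 1; print ip }
        }'
}

# Print the STAT column for WSDNSD from `cpwd_admin list` output
# ("E" executing, "S" stopped); prints nothing if the daemon is not listed.
wsdnsd_state() {
    awk '$1 == "WSDNSD" { print $3 }'
}

# Constructed sample data (not a real capture) in the shape of the article's
# output. 10.0.0.53 plays the role of a decommissioned server.
SAMPLE_TCPDUMP='12:04:31.123456 IP 192.168.1.1.49152 > 192.168.1.10.53: A? google.com.
12:04:31.145678 IP 192.168.1.10.53 > 192.168.1.1.49152: A google.com. 142.250.183.78
12:04:32.000001 IP 192.168.1.1.49153 > 8.8.8.8.53: A? example.com.
12:04:32.000002 IP 192.168.1.1.49154 > 10.0.0.53.53: A? old.example.local.'
SAMPLE_CPWD='APP        PID    STAT  #START  START_TIME
WSDNSD     3421   E     1       Mon Jan  6 10:22:01 2025'

NEW_SERVERS="192.168.1.10 192.168.1.11 8.8.8.8"

stray=$(printf '%s\n' "$SAMPLE_TCPDUMP" | dns_destinations_outside "$NEW_SERVERS")
if [ -n "$stray" ]; then
    echo "Queries still reaching servers outside the configured set: $stray"
    echo "Restart WSDNSD with cpwd_admin and capture again."
else
    echo "All port-53 queries go to the configured servers."
fi
echo "WSDNSD state: $(printf '%s\n' "$SAMPLE_CPWD" | wsdnsd_state)"
```

On a live gateway, replace the constructed samples with tcpdump -nnpi any port 53 -c 50 and cpwd_admin list piped into the two functions; an empty result from dns_destinations_outside is the pass condition the article describes, and a state other than E means the daemon has to be started again before the capture is meaningful.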
Quick Reference — All DNS Commands
The table below summarises every command covered in this article along with its purpose and the mode it must be run in:
| Command | Purpose | Mode |
|---|---|---|
| show configuration dns | Display saved DNS configuration | Clish |
| show dns | Display active DNS summary | Clish |
| set dns primary <IP> | Set primary DNS server | Clish |
| set dns secondary <IP> | Set secondary DNS server | Clish |
| set dns tertiary <IP> | Set tertiary (fallback) DNS server | Clish |
| save config | Persist all configuration changes | Clish |
| tcpdump -nnpi any port 53 | Capture live DNS traffic to verify server | Expert |
| cpwd_admin list \| grep -E "APP\|WSDNSD" | Check WSDNSD DNS service status | Expert |
| cpwd_admin stop -name WSDNSD ... | Stop the WSDNSD DNS daemon | Expert |
| cpwd_admin start -name WSDNSD ... | Start the WSDNSD DNS daemon | Expert |
Additional Reference
For a comprehensive list of all Check Point processes and daemons — including WSDNSD — and guidance on how to safely manage them, refer to the official Check Point Support article:
SK97638 — Check Point Processes and Daemons
https://support.checkpoint.com/results/sk/sk97638
This Check Point SK article provides detailed information on all system daemons, their roles, restart procedures, and known behaviours — highly recommended for anyone managing Check Point appliances.
Conclusion
Changing DNS on a Check Point Firewall using Clish is straightforward — verify the current settings, apply the new DNS server IPs, and save the configuration. Always use tcpdump on port 53 to confirm that DNS queries are going to the correct server after the change.
If the firewall continues sending DNS traffic to the old server, the WSDNSD daemon must be stopped and restarted using cpwd_admin so it reloads with the updated configuration. A final tcpdump run confirms everything is working correctly.
Always verify DNS traffic with tcpdump after making changes — saving the configuration alone does not guarantee the WSDNSD daemon has picked up the new settings without a restart.