ScreenOS Firewalls (NOT SRX)
gauser (Visitor, Posts: 5, Registered: 04-13-2009)

Slow DNS Resolution with SSG 550M

We are having an issue with slow DNS resolution with an SSG 550M. We are running version 6.1 r5.

Here is our setup. It is pretty straightforward:

Trust: 22.255.xxx.xxx/16
Untrust: 167.102.242.130/27

There is a rule to allow <Trust to Untrust> HTTP-HTTPS traffic. This rule works.

There is another rule to allow the internal DNS servers (i.e. 22.255.xxx.xxx) to ANY. The DNS ALG is set to ignore.

Internal clients in the 22.255.xxx.xxx subnet have their TCP/IP gateway pointing to the internal interface of the SSG 550. The internal clients' DNS points to internal Microsoft DNS servers. The Microsoft DNS servers have a forwarder that points to the internal interface of the firewall. We are not using the DNS proxy on the SSG.

DNS resolution works through the SSG but is very slow.

Any suggestions as to what to look for, etc.? It seems that modifying the DNS timeout impacts behavior slightly (i.e. speeds up resolution a tad). We are new to Juniper, so any help is appreciated.

Message Edited by gauser on 05-20-2009 09:32 AM
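One way to find where in the chain the delay sits, added here as an example and not part of the original post: the script sends the same A query (recursion desired) to each resolver on the path described above (the internal Windows DNS server, the firewall's Trust interface and, for comparison, a resolver on the Untrust side) and reports per-attempt round-trip times, separating outright timeouts from slow answers. The addresses in RESOLVERS are placeholders, not the poster's.

```python
import socket, struct, sys, time

# Placeholder resolvers on the path described above (constructed addresses, replace with yours):
RESOLVERS = {"internal-dns": "192.0.2.10", "fw-trust": "192.0.2.1", "external": "198.51.100.53"}

def build_query(name, qid=0x1234):
    """Minimal DNS query: header with RD set, one question of type A, class IN."""
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)

def parse_header(resp):
    """Return (id, rcode, answer_count) from the 12-byte DNS header."""
    qid, flags, _qd, an, _ns, _ar = struct.unpack(">HHHHHH", resp[:12])
    return qid, flags & 0x000F, an

def time_query(resolver, name, attempts=3, timeout=2.0):
    """Send `attempts` UDP/53 queries; return RTT in seconds per attempt (None = timeout or bad reply)."""
    rtts = []
    for i in range(attempts):
        qid = 0x1000 + i
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            start = time.monotonic()
            try:
                s.sendto(build_query(name, qid), (resolver, 53))
                resp, _ = s.recvfrom(512)
            except OSError:  # socket.timeout is a subclass of OSError
                rtts.append(None)
                continue
            rid, rcode, _an = parse_header(resp)
            # A reply with the wrong ID or an error rcode is not a usable answer.
            rtts.append(time.monotonic() - start if rid == qid and rcode == 0 else None)
    return rtts

def classify(rtts, slow=0.5):
    """Summarise a run: all attempts timed out, some did, answers were slow, or ok."""
    if all(r is None for r in rtts):
        return "timeout"
    if any(r is None for r in rtts):
        return "partial timeout"
    return "slow" if max(rtts) > slow else "ok"

if __name__ == "__main__":
    qname = sys.argv[1] if len(sys.argv) > 1 else "www.google.com"
    for label, ip in RESOLVERS.items():
        rtts = time_query(ip, qname)
        print(label, ip, classify(rtts), [None if r is None else round(r, 3) for r in rtts])
```

A "timeout" or "partial timeout" on the firewall interface with "ok" on the external resolver points at the forwarder hop rather than upstream DNS.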
WL (Trusted Expert, Posts: 789, Registered: 07-26-2008)

Re: Slow DNS Resolution with SSG 550M

Can you explain this in more detail:

"The Microsoft DNS servers have a forwarder that points to the internal interface of the firewall."

The DNS ALG actually is useful in some situations as it speeds up the session clean-up. If you turn off the ALG, the sessions may take longer to age out than usual.

But I have seen many customers with this DNS setup. Can you run some debugs on the firewall just to check?

set ff src-ip X.X.X.X dst-port 53
set ff dst-ip X.X.X.X src-port 53 (X.X.X.X is the IP of a client)
debug flow basic
-> try nslookup
undebug all
get db str (post this)

****pls click the button " Accept as Solution" if my post helped to solve your problem****
gauser (Visitor, Posts: 5, Registered: 04-13-2009)

Re: Slow DNS Resolution with SSG 550M

Can you explain this in more detail:

"The Microsoft DNS servers have a forwarder that points to the internal interface of the firewall."

Response: In the TCP/IP settings on our internal clients, the primary and secondary DNS fields are configured to point to two internal Windows 2003 DNS servers located on the Trust network. So, if the client wants an internal resource (i.e. serverA.ourdomain.net) on the trust side, the Windows DNS server resolves the request for this internal resource. If the client wants an external resource (i.e. www.google.com), the internal DNS server has a "forwarder" setting. The DNS forwarder points to the internal IP of the Juniper firewall, so the DNS request for www.google.com is forwarded to the Juniper firewall. I hope this provides more detail. Sorry, but DNS is not my strong point.

I am just wondering if the slowness in resolving Web pages is a more fundamental issue--as in we should be using the DNS proxy feature on the Juniper??

We have been testing the new Juniper firewall in the early AM, and then rolling back to our old firewall. So, I will be able to capture and post the debug on Thursday AM.

WL (Trusted Expert, Posts: 789, Registered: 07-26-2008)

Re: Slow DNS Resolution with SSG 550M

I think you may be better off with the proxy DNS setup. Check out the guide to see how to split the DNS traffic:

http://www.juniper.net/techpubs/software/screenos/screenos6.2.0/ce_v2.pdf

Page 227, Chapter 8 (System Parameters)

That way, you can split the internal and external DNS traffic.

****pls click the button " Accept as Solution" if my post helped to solve your problem****
gauser (Visitor, Posts: 5, Registered: 04-13-2009)

Re: Slow DNS Resolution with SSG 550M

Hello:

I just wanted to give an update and seek additional feedback. As I mentioned before, we have two internal Windows 2003 DNS servers. These DNS servers resolve internal host names, and if a request is made for www.google.com (for example), the 2003 DNS servers rely on "forwarders" to send the request to the internal IP address of the firewall. This worked with our old Symantec Gateway 5440. We used the DNS proxy feature on the 5440, and the DNS servers did not access the Internet directly. I apologize once again that DNS is not my strong point.

We have discovered with the SSG 550M that DNS resolution is incredibly slow when we use the Windows 2003 forwarders. However, if we remove the forwarders and rely on the root hints, DNS resolution is fine. Our concern is that by using the root hints, we are allowing our internal DNS servers direct access to the Internet (through a policy on the SSG 550M limited to the DNS service).

As a follow-up, can the SSG 550M be configured as a DNS caching server? We have read that the secure way to implement our DNS is to configure our internal DNS servers to point to a DNS caching server. Or, from experience, have other people allowed their internal DNS servers direct access to the Internet through the Juniper firewall?

Thanks again

gauser (Visitor, Posts: 5, Registered: 04-13-2009)

Re: Slow DNS Resolution with SSG 550M

Just wanted to give one last update--the problem has been resolved.

We resolved the issue by configuring the DNS Proxy on the SSG 550M. Turns out there is a "DNS Proxy" checkbox on the Trust interface which we missed. Once we checked this box, DNS name resolution worked as expected. That is, our internal DNS servers forwarded requests such as www.google.com to the firewall, and the firewall served as the DNS proxy. We also removed the policy allowing the internal DNS servers access to the Internet.

Thanks to all!

Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.