SRX Services Gateway

SRX 3600 blocking EDNS packets

01-18-2019 12:05 PM

Hi All,

We have an SRX 3600 running 12.1X46-D25.7 and we are having issues with our DNS servers behind it. We are trying to make sure our DNS servers are EDNS compliant, but testing EDNS is showing timeouts on our NS servers that are behind the SRX. We have 4 NS servers in total and they are all running the same version of Bind, but 2 of them are behind the SRX and those 2 are failing, so we suspect the SRX is blocking the EDNS packets. My policies allow udp 53 traffic from any source to the server, but the tool we use to check for EDNS shows a timeout regardless of what rules we configure, and we are not using ALGs. What log can be configured to see if this is really happening?

TIA,

Max

Re: SRX 3600 blocking EDNS packets

01-18-2019 07:42 PM

And if you allow tcp/53? Your EDNS packets are likely larger than the spec allows for UDP (512 bytes?)

Re: SRX 3600 blocking EDNS packets

01-28-2019 06:28 AM

I just wanted to ask if Juniper TAC have been able to shed any light on this, or if you had been able to progress this issue.

We have a pair of SRX5600 firewalls in a cluster, and are seeing what may be the same issue.

When testing <https://protect-eu.mimecast.com/s/AdHeCL90XcPv6PZcBMNCU?domain=ednscomp.isc.org>

We get edns1=timeout  edns1opt=timeout optlist=timeout

I am about to raise a case to Juniper and just wanted to see if you had been able to progress this issue.

Best regards

Andrew
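
The edns1/edns1opt/optlist verdicts quoted above come from sending a DNS query with an OPT pseudo-RR in the additional section (EDNS version 0 or 1, with or without options) and seeing whether anything comes back. The script below is an added example, not part of this thread and not ISC's tester: it builds those queries by hand, classifies the reply the way the tester labels it (a silently dropped packet is "timeout"; a compliant server answers an EDNS version 1 query with BADVERS and a version 0 OPT), and can be run from a host in front of the SRX and one behind it to confirm which queries the firewall eats. The function names, the probe set and the option codes used in it (3 = NSID, 10 = COOKIE with a zeroed client cookie, 100 = an unassigned code the server should ignore) are my own constructed approximation of the tester's probes, not copied from it.

```python
"""Added example: a minimal EDNS probe that mirrors the kind of queries the
ISC EDNS Compliance Tester sends and turns the reply (or its absence) into a
verdict such as ("timeout", None) or ("BADVERS", 0)."""
import socket
import struct

OPT_TYPE = 41
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
               4: "NOTIMP", 5: "REFUSED", 16: "BADVERS"}


def encode_name(name):
    """Encode a dotted name as uncompressed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += struct.pack("!B", len(label)) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, txid=0x1234, edns_version=None, options=(), udp_size=4096):
    """Wire-format A query for `name`. With edns_version set, an OPT pseudo-RR
    carrying that version and the given [(code, data)] options is appended."""
    arcount = 0 if edns_version is None else 1
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # RD set
    question = encode_name(name) + struct.pack("!HH", 1, 1)            # A, IN
    if edns_version is None:
        return header + question
    rdata = b"".join(struct.pack("!HH", code, len(data)) + data
                     for code, data in options)
    # OPT RR: root name, TYPE 41, CLASS = UDP payload size, TTL packs the
    # extended rcode (0), the EDNS version and the flags (DO bit left clear).
    ttl = (0 << 24) | (edns_version << 16)
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_size, ttl, len(rdata)) + rdata
    return header + question + opt


def skip_name(msg, pos):
    """Return the offset just past a (possibly compressed) name at `pos`."""
    while True:
        length = msg[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:     # compression pointer: two bytes, ends the name
            return pos + 2
        pos += 1 + length


def classify(reply):
    """Map a reply (None = nothing came back) to (rcode name, EDNS version).
    The version is None when the reply carries no OPT RR."""
    if reply is None:
        return ("timeout", None)
    if len(reply) < 12:
        return ("malformed", None)
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", reply[:12])
    pos = 12
    for _ in range(qd):
        pos = skip_name(reply, pos) + 4            # QTYPE + QCLASS
    ext_rcode, version = 0, None
    for _ in range(an + ns + ar):
        pos = skip_name(reply, pos)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", reply[pos:pos + 10])
        pos += 10 + rdlen
        if rtype == OPT_TYPE:
            ext_rcode, version = (ttl >> 24) & 0xFF, (ttl >> 16) & 0xFF
    full_rcode = (ext_rcode << 4) | (flags & 0x0F)  # 12-bit extended RCODE
    return (RCODE_NAMES.get(full_rcode, "RCODE%d" % full_rcode), version)


def probe(server, name, timeout=3.0, **query_kwargs):
    """Send one UDP query and classify the outcome. A packet the firewall
    silently drops shows up here as ("timeout", None)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, **query_kwargs), (server, 53))
        try:
            reply, _ = sock.recvfrom(4096)
        except socket.timeout:
            return ("timeout", None)
    return classify(reply)


# Constructed approximation of the tester's probe set (option codes: 3 = NSID,
# 10 = COOKIE with a zeroed client cookie, 100 = a code the server should ignore).
PROBES = {
    "dns":      {},
    "edns":     {"edns_version": 0},
    "edns1":    {"edns_version": 1},
    "edns1opt": {"edns_version": 1, "options": [(100, b"")]},
    "optlist":  {"edns_version": 0, "options": [(3, b""), (10, b"\x00" * 8)]},
}


def run_suite(server, name):
    """Run every probe against one server; compare the results from a host in
    front of the SRX with those from one behind it."""
    return {label: probe(server, name, **kw) for label, kw in PROBES.items()}


if __name__ == "__main__":
    import sys
    for label, verdict in run_suite(sys.argv[1], sys.argv[2]).items():
        print("%-9s %s" % (label, verdict))
```

Run it as `python3 ednsprobe.py <server-ip> <zone-you-host>` from both sides of the firewall. If "dns" answers from both sides but "edns1" and "edns1opt" only come back as timeout from outside, the packets with a non-zero EDNS version or unknown options are being dropped in transit, which is the pattern the DNS ALG sanity check produces; the server itself is fine.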

Re: SRX 3600 blocking EDNS packets

01-28-2019 06:46 AM

Have you tried disabling DNS doctoring and sanity-check of DNS packets?

I would expect sanity-check to drop eDNS packets.

user@fw# show |compare
[edit security]
+   alg {
+       dns {
+           doctoring {
+               none;
+           }
+       }
+   }

Alternatively just disable the DNS alg completely:

user@fw# show |compare
[edit security]
+   alg {
+       dns disable;
+   }

More about the DNS alg: https://www.juniper.net/documentation/en_US/junos/topics/topic-map/security-dns-algs.html


--
Best regards,

Jonas Hauge Klingenberg
Juniper Ambassador & Technology Architect, SEC DATACOM A/S (Denmark)
Re: SRX 3600 blocking EDNS packets

01-28-2019 06:47 AM

Older versions of SRX will drop EDNS packets by default. It is resolved in 15.1X49-D160, 17.4R3, 18.1R3, 18.1R4, 18.2R2, 18.2R3, 18.3R1, 18.3R2, 18.4R1 and 18.4R2. The workaround is to disable DNS doctoring via "# set security alg dns doctoring none".

Please go through this PR for more details: https://prsearch.juniper.net/InfoCenter/index?page=prcontent&id=PR1379433

Thanks,
Nellikka
JNCIE x3 (SEC #321; SP #2839; ENT #790)
Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!!
Re: SRX 3600 blocking EDNS packets

01-29-2019 06:30 PM

Hi,

On your SRX3600 the EDNS packets will be dropped due to PR1379433.

The issue will be fixed for your SRX model in version 12.3X48-D80, which will be released on February 21st (tentative); in the meantime you can use the workaround suggested in the PR's details.

set security alg dns doctoring none
Pura Vida from Costa Rica - Mark as Resolved if it applies.
Kudos are appreciated too!
Re: SRX 3600 blocking EDNS packets

01-30-2019 04:13 AM

After a firmware update to 15.1X49-D160.2 on an SRX5400, edns1 and edns1opt still display timeout on the EDNS Compliance Tester. optlist is now displaying ok.

If I turn off DNS Doctoring then it passes with no problems.

Re: SRX 3600 blocking EDNS packets

01-31-2019 08:53 AM

Official information from Juniper:

https://kb.juniper.net/InfoCenter/index?page=content&id=TSB17513&cat=&actp=LIST&showDraft=false

Pura Vida from Costa Rica - Mark as Resolved if it applies.
Kudos are appreciated too!