We have an SRX 3600 running 12.1X46-D25.7 and we are having issues with our DNS servers behind it. We are trying to make sure our DNS servers are EDNS compliant, but testing EDNS is showing timeouts on our NS servers that are behind the SRX. We have 4 total NS servers and they are all running the same version of BIND, but 2 of them are behind the SRX and those 2 are failing, so we suspect the SRX is blocking the EDNS packets. My policies allow UDP 53 traffic from any source to the server, but the tool we use to check for EDNS is showing a timeout regardless of what rules we configure, and we are not using ALGs. What log can be configured to see if this is really happening?
Older versions of SRX will drop EDNS packets by default. It is resolved in 15.1X49-D160, 17.4R3, 18.1R3, 18.1R4, 18.2R2, 18.2R3, 18.3R1, 18.3R2, 18.4R1 and 18.4R2. The workaround is to disable DNS doctoring via the configuration-mode command "set security alg dns doctoring none".
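To confirm that the symptom above is EDNS-specific drops in the path (and not a general UDP/53 policy problem) before touching the ALG, it helps to send two otherwise identical queries to the affected name server: one plain, one carrying an EDNS0 OPT record. The script below is an added example written for this answer, not code from the original thread or from Juniper; it builds the DNS wire format by hand so it runs offline, and it assumes an advertised EDNS buffer size of 4096, a fixed transaction ID of 0x1234, and a 3-second timeout.

```python
"""Probe a DNS server with and without EDNS0 (RFC 6891).

Added example, not part of the original thread. The signature of a firewall
DNS ALG dropping EDNS is: plain query answered, EDNS query times out.
Assumptions: EDNS buffer size 4096, fixed txid 0x1234, 3 s UDP timeout.
"""
import socket
import struct
import sys

EDNS_UDP_SIZE = 4096   # assumed advertised UDP payload size
TXID = 0x1234          # fixed transaction id so replies can be matched
QTYPE_SOA = 6
RRTYPE_OPT = 41


def build_query(qname, qtype=QTYPE_SOA, edns=True, txid=TXID):
    """Return a non-recursive DNS query; with edns=True an OPT RR is appended."""
    flags = 0x0000                       # QR=0, RD=0 (like `dig +norec`)
    arcount = 1 if edns else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, arcount)
    labels = qname.rstrip(".").split(".")
    question = b"".join(struct.pack("!B", len(l)) + l.encode("ascii") for l in labels)
    question += b"\x00" + struct.pack("!HH", qtype, 1)   # terminator, QTYPE, IN
    opt = b""
    if edns:
        # OPT pseudo-RR: root name, TYPE 41, CLASS = UDP payload size,
        # TTL = extended RCODE / version / flags (all zero = EDNS version 0), RDLEN 0
        opt = b"\x00" + struct.pack("!HHIH", RRTYPE_OPT, EDNS_UDP_SIZE, 0, 0)
    return header + question + opt


def parse_response(data):
    """Return (txid, rcode, has_opt) from a DNS message; raise ValueError if truncated."""
    if len(data) < 12:
        raise ValueError("short DNS message")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    rcode = flags & 0x0F

    def skip_name(o):
        while True:
            if o >= len(data):
                raise ValueError("truncated name")
            length = data[o]
            if length == 0:
                return o + 1
            if length & 0xC0 == 0xC0:        # compression pointer, 2 bytes
                return o + 2
            o += 1 + length

    off = 12
    for _ in range(qd):
        off = skip_name(off) + 4             # name, then QTYPE + QCLASS
    has_opt = False
    for _ in range(an + ns + ar):
        off = skip_name(off)
        if off + 10 > len(data):
            raise ValueError("truncated RR header")
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10 + rdlen
        if rtype == RRTYPE_OPT:
            has_opt = True
    return txid, rcode, has_opt


def probe(server, qname, edns, timeout=3.0, port=53):
    """Send one UDP query; return 'ok ...', 'timeout' or 'error: ...'."""
    query = build_query(qname, edns=edns)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(query, (server, port))
            data, _ = sock.recvfrom(EDNS_UDP_SIZE)
        except socket.timeout:
            return "timeout"
        except OSError as exc:               # e.g. ICMP port unreachable
            return f"error: {exc}"
    txid, rcode, has_opt = parse_response(data)
    if txid != TXID:
        return "error: txid mismatch"
    return f"ok (rcode={rcode}, OPT {'echoed' if has_opt else 'absent'})"


def diagnose(plain_result, edns_result):
    """Interpret the pair: plain answered + EDNS timeout is the in-path drop signature."""
    if plain_result.startswith("ok") and edns_result == "timeout":
        return "EDNS queries dropped in path while plain queries are answered: check the firewall DNS ALG"
    if plain_result == "timeout" and edns_result == "timeout":
        return "no UDP/53 reply at all: check security policy and routing, not EDNS"
    return "no EDNS-specific loss observed"


if __name__ == "__main__":
    server, zone = sys.argv[1], sys.argv[2]       # e.g. 192.0.2.53 example.com
    plain = probe(server, zone, edns=False)
    with_edns = probe(server, zone, edns=True)
    print(f"plain: {plain}\nedns : {with_edns}\n{diagnose(plain, with_edns)}")
```

Run it once from outside the SRX against one of the two failing name servers and once against one of the two that work; if only the servers behind the SRX show the plain-ok/EDNS-timeout pattern, the firewall is the variable. On the SRX itself, `show security alg status` shows whether the DNS ALG is enabled before you apply the doctoring workaround from the answer.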