EDNS Compliance

末松 慶文 yo_suematsu at qtnet.co.jp
Mon Jan 28 16:45:43 UTC 2019 

Hi Max

ALG seems to be managing sessions.
Specifically, if the DNS query packet is the first packet
After creating a session and receiving a DNS responce packet
The session seems to be closed with ALG.

It is thought that attention is needed when ALG is disable.
If ALG is disable, the session will be maintained until UDP timeout (1 minute).

I do not have any further information. If detailed information is necessary, I recommend that you contact Juniper support.

--
Yoshibumi Suematsu
QTnet, Inc.

From: bind-users [mailto:bind-users-bounces at lists.isc.org] On Behalf Of nmaxpierson at gmail.com<mailto:nmaxpierson at gmail.com>
Sent: Sunday, January 20, 2019 2:46 AM
To: Crist Clark <cjc+bind-users at pumpky.net<mailto:cjc+bind-users at pumpky.net>>
Cc: bind-users at lists.isc.org<mailto:bind-users at lists.isc.org>
Subject: [社外から受信](送信者確認)Re: EDNS Compliance

I just reconfigured our SRX and everything seems to be working now. I wasn’t aware that some alg’s were enabled by default so thank you for pointing that out.

Regards,
Max
--
Sent via mobile

On Jan 18, 2019, at 9:22 PM, Crist Clark <cjc+bind-users at pumpky.net<mailto:cjc+bind-users at pumpky.net>> wrote:
In SRX speak:

  # set security alg dns disable

To verify status of DNS and other ALGs:

  show security alg status

The DNS ALG is one of those enabled by default and must be explicitly disabled to turn it off.


On Fri, Jan 18, 2019 at 1:14 PM N. Max Pierson <nmaxpierson at gmail.com<mailto:nmaxpierson at gmail.com>> wrote:
The 2 servers that pass the check are behind an old Cisco FWSM so I know it at least works. Hopefully that code carried over to the ASA and won't give us any problems but if it does, I have the option of moving these servers directly to the internet and I can configure iptables for any filtering we need.

As far as any option in the SRX, I do not see any configuration options to disable the version check for EDNS as you suggested. I have a couple of posts on Juniper forms/mailing lists to see if I get anyone familiar with these options but for the moment we are just using the SRX as a packet filter with no ALGs so we may be out of luck.

Regards,
Max

Regards,
Max

On Fri, Jan 18, 2019 at 3:07 PM Mark Andrews <marka at isc.org<mailto:marka at isc.org>> wrote:
I can’t remember if Cisco ASA has a similar issue.  Checkpoint does have similar
issues (EDNS version != 0 and EDNS flags) last time I checked.  Checkpoint were
thinking of changing the defaults.  You just need to turn off the setting on the
Juniper.  It really shouldn’t be on by default as it doesn’t do anything useful.

> On 19 Jan 2019, at 7:52 am, N. Max Pierson <nmaxpierson at gmail.com<mailto:nmaxpierson at gmail.com>> wrote:
>
> I was just trying to figure out how I could log this but since the logging would only probably show if something didn't match udp 53 on the server IP it probably wouldn't match the block-any catch-all log I configured. I will certainly bring this up to our Juniper rep but in the meantime, I have a spare Cisco ASA I am going to migrate these subnets to and see if that fixes the timeouts we are experiencing.
>
>  Mark, thank you for your explanation. And if anyone knows someone at Juniper you may want to mention this to them as if they do not fix it before flag day, a lot of queries will be broken.
>
> Regards,
> Max
>
> On Fri, Jan 18, 2019 at 2:42 PM Mark Andrews <marka at isc.org<mailto:marka at isc.org>> wrote:
> This is the signature of a Juniper firewall which drops EDNS version != 0 and
> packet with a NSID option present.  Dropping EDNS version != 0 just breaks
> future interoperability and as already impacted of EDNS development as the
> RFC 6891 would have included a EDNS version bump except for these stupid
> firewalls dropping EDNS version != 0.  NSID is used to identify a server
> in a anycast cluster and the information is not returned unless the operator
> has configured the server to return it.  There is no need for a firewall to
> drop queries with these properties.
>
> Please file a bug report with Juniper.
>
> Mark
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20190128/30be70d6/attachment.html>

More information about the bind-users mailing list