Firewall Wizards mailing list archives

RE: Allowing DNS servers to operate behind NetScreen 500


From: David Klein <dklein () netscreen com>
Date: Mon, 3 Feb 2003 11:07:49 -0800

Glenn,

... Ideally I'd like 
something akin to UDP connection tracking, where an outgoing 
DNS request installs a time-limited rule which allows the 
reply to traverse the firewall in the opposite direction.

By default, Netscreens implement a DNS ALG (Application Level Gateway) to do just
this.  However, it will only allow one UDP packet (DNS response) to the
original DNS request that went out.  I've seen problems when multiple UDP
packets come back to the same DNS request.  Or if the DNS server sends
multiple DNS requests to the same IP address without changing the source
port for each query.  This will also confuse the DNS ALG.  

There are a couple of things to try:
    set flow allow-dns-reply
    save
This will allow a dns reply pkt without a matching request.
 
You may also want to try the command:
    set dns udp-session-normal
    save
which should allow for normal UDP handling of DNS packets (i.e., more than
one inbound reply packet can match the session set up by the outbound query
packet).  

Dave Klein

-----Original Message-----
From: Gebhart, Glenn [mailto:GGebhart () chartercom com] 
Sent: Monday, February 03, 2003 12:23 PM
To: firewall-wizards () honor icsalabs com
Subject: [fw-wiz] Allowing DNS servers to operate behind NetScreen 500


All -

I have several DNS servers situated behind a NetScreen 500. 
As currently configured, the servers are able to send 
outbound resolution requests, but inbound resolution replies 
appear to be getting blocked by the firewall. 

The best solution I've been able to find so far is to allow 
all incoming UDP traffic to the DNS servers w/ source port 53 
and dest port > 1024. For fairly obvious reasons I'd prefer 
not to implement such a broad rule. 

Does anyone have a better suggestion? Ideally I'd like 
something akin to UDP connection tracking, where an outgoing 
DNS request installs a time-limited rule which allows the 
reply to traverse the firewall in the opposite direction.

Any help is greatly appreciated.
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
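To make the difference between the three behaviours Dave describes concrete, here is an added example that is not part of the thread and is not ScreenOS code: a small Python model of a firewall flow table in which an outbound DNS query installs a time-limited session and inbound packets are admitted only against that state. It models the default DNS ALG (exactly one reply per query), `udp-session-normal` (any reply matching the reversed 4-tuple until the session times out) and `allow-dns-reply` (a reply is admitted even without a matching query). The 60 s timeout, the assumption that the ALG keys its state on the query's 4-tuple plus DNS transaction ID, and all addresses and traffic are constructed for illustration.

```python
"""Model of stateful DNS-over-UDP reply handling at a firewall.

Added example, not code from the thread and not ScreenOS.  The timeout, the
assumption that the ALG keys its state on the query's 4-tuple plus DNS
transaction ID, and all addresses are illustrative.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

Key = Tuple[str, int, str, int]  # (client_ip, client_port, server_ip, server_port)


@dataclass
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    ts: float          # arrival time in seconds
    dns_id: int        # DNS transaction ID from the UDP payload
    is_response: bool  # DNS header QR bit


@dataclass
class Session:
    created: float
    dns_id: int
    replies_seen: int = 0


class DnsFlowTable:
    def __init__(self, mode: str = "alg", allow_dns_reply: bool = False,
                 timeout: float = 60.0) -> None:
        if mode not in ("alg", "udp-session-normal"):
            raise ValueError(mode)
        self.mode = mode
        self.allow_dns_reply = allow_dns_reply
        self.timeout = timeout
        self.sessions: Dict[Key, Session] = {}

    def _expire(self, now: float) -> None:
        for key in [k for k, s in self.sessions.items() if now - s.created > self.timeout]:
            del self.sessions[key]

    def outbound(self, pkt: Packet) -> bool:
        """Trust -> untrust query: permitted by policy and installs a time-limited session."""
        self._expire(pkt.ts)
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if self.mode == "alg" or key not in self.sessions:
            # Model assumption: the ALG tracks one outstanding query per 4-tuple, so a
            # second query from the same source port replaces the first query's state.
            self.sessions[key] = Session(created=pkt.ts, dns_id=pkt.dns_id)
        return True

    def inbound(self, pkt: Packet) -> bool:
        """Untrust -> trust packet: admitted only against matching state (or the escape hatch)."""
        self._expire(pkt.ts)
        key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)  # reversed 4-tuple
        sess = self.sessions.get(key)
        if sess is None or (self.mode == "alg" and pkt.dns_id != sess.dns_id):
            # No tracked query for this reply: only 'allow-dns-reply' lets it through.
            return self.allow_dns_reply and pkt.is_response and pkt.src_port == 53
        if self.mode == "alg":
            del self.sessions[key]  # the one permitted reply closes the ALG session
            return True
        sess.replies_seen += 1      # plain UDP session: keep matching until timeout
        return True


def query(src_port: int, dns_id: int, ts: float) -> Packet:
    return Packet("10.0.0.53", src_port, "198.51.100.1", 53, ts, dns_id, False)


def reply(dst_port: int, dns_id: int, ts: float) -> Packet:
    return Packet("198.51.100.1", 53, "10.0.0.53", dst_port, ts, dns_id, True)


def run_scenarios() -> Dict[str, List[bool]]:
    """Constructed traffic: two queries from one source port, each answered twice,
    then a response (ID 0x3333) that no query asked for."""
    traffic = [query(5353, 0x1111, 0.0), query(5353, 0x2222, 0.1),
               reply(5353, 0x1111, 0.2), reply(5353, 0x1111, 0.3),
               reply(5353, 0x2222, 0.4), reply(5353, 0x3333, 0.5)]
    results: Dict[str, List[bool]] = {}
    for name, fw in [("alg", DnsFlowTable("alg")),
                     ("udp-session-normal", DnsFlowTable("udp-session-normal")),
                     ("allow-dns-reply", DnsFlowTable("alg", allow_dns_reply=True))]:
        results[name] = [fw.inbound(p) if p.is_response else fw.outbound(p) for p in traffic]
    # A reply arriving after the session timeout is dropped in any stateful mode.
    late = DnsFlowTable("udp-session-normal")
    late.outbound(query(6000, 0x4444, 0.0))
    results["late-reply"] = [late.inbound(reply(6000, 0x4444, 61.0))]
    return results
```

Running `run_scenarios()` shows the trade-off in the thread: in the ALG model the reuse of source port 5353 for the second query makes the firewall drop both replies to the first one, `udp-session-normal` admits every reply that matches an open session until the timeout and nothing afterwards, while `allow-dns-reply` also admits the 0x3333 response that no query asked for, which is the same exposure as Glenn's broad "source port 53, destination port > 1024" rule.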
