Firewall Wizards mailing list archives
RE: Allowing DNS servers to operate behind NetScreen 500
From: David Klein <dklein () netscreen com>
Date: Mon, 3 Feb 2003 11:07:49 -0800
Glenn,
... Ideally I'd like something akin to UDP connection tracking, where an outgoing DNS request installs a time-limited rule which allows the reply to traverse the firewall in the opposite direction.
By default, Netscreens implement a DNS ALG (Appl Level Gateway) to do just this. However, it will only allow one UDP packet (DNS response) to the original DNS request that went out. I've seen problems when multiple UDP packets come back to the same DNS request. Or if the DNS server sends multiple DNS requests to the same IP address without changing the source port for each query. This will also confuse the DNS ALG.

There are a couple of things to try:

set flow allow-dns-reply
save

This will allow a dns reply pkt without a matching request. You may also want to try the command:

set dns udp-session-normal
save

which should allow for normal UDP handling of DNS packets (i.e., more than one inbound reply packet can match the session setup by the outbound query packet).

Dave Klein
-----Original Message-----
From: Gebhart, Glenn [mailto:GGebhart () chartercom com]
Sent: Monday, February 03, 2003 12:23 PM
To: firewall-wizards () honor icsalabs com
Subject: [fw-wiz] Allowing DNS servers to operate behind NetScreen 500

All -

I have several DNS servers situated behind a NetScreen 500. As currently configured, the servers are able to send outbound resolution requests, but inbound resolution replies appear to be getting blocked by the firewall. The best solution I've been able to find so far is to allow all incoming UDP traffic to the DNS servers w/ source port 53 and dest port > 1024. For fairly obvious reasons I'd prefer not to implement such a broad rule. Does anyone have a better suggestion? Ideally I'd like something akin to UDP connection tracking, where an outgoing DNS request installs a time-limited rule which allows the reply to traverse the firewall in the opposite direction.

Any help is greatly appreciated.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
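To make the two behaviours discussed above concrete, here is an added Python model (written for this archive page; it is not NetScreen/ScreenOS code and does not reflect its internals) of the per-query state a stateful firewall keeps for UDP DNS. An outbound query installs state keyed on its 4-tuple with a timeout; an inbound packet is admitted only if it reverses a live tuple. The strict mode closes the pinhole after one reply, which is the one-packet ALG behaviour David describes; the normal mode admits any number of replies until the state expires. The 30-second timeout, the addresses and the port numbers are constructed sample values, and the clock is injectable so the scenario runs offline.

```python
import time
from dataclasses import dataclass


@dataclass
class Flow:
    """One outbound DNS query awaiting its reply (constructed model, not ScreenOS internals)."""
    expires: float
    replies_seen: int = 0


class DnsReplyTracker:
    """Admit inbound UDP only if it answers a query the firewall recently saw leave.

    strict_alg=True  -> one reply consumes the session (the one-packet ALG behaviour
                        described in the thread).
    strict_alg=False -> any number of replies within the timeout (what the thread
                        calls normal UDP session handling).
    """

    def __init__(self, timeout=30.0, strict_alg=True, now=time.monotonic):
        self.timeout = timeout      # assumed value; real idle timeouts are platform-specific
        self.strict_alg = strict_alg
        self.now = now              # injectable clock so the model is testable offline
        self.flows = {}

    def outbound_query(self, src_ip, src_port, dst_ip, dst_port=53):
        """Install (or refresh) state keyed on the outbound 4-tuple."""
        key = (src_ip, src_port, dst_ip, dst_port)
        self.flows[key] = Flow(expires=self.now() + self.timeout)

    def inbound_packet(self, src_ip, src_port, dst_ip, dst_port):
        """Return True if the packet matches live state; unsolicited packets are dropped."""
        key = (dst_ip, dst_port, src_ip, src_port)   # reverse of the outbound tuple
        flow = self.flows.get(key)
        if flow is None:
            return False
        if flow.expires <= self.now():
            del self.flows[key]                        # expired state is garbage-collected
            return False
        flow.replies_seen += 1
        if self.strict_alg:
            del self.flows[key]                        # one reply and the pinhole closes
        return True


def simulate(strict_alg):
    """Run the scenario from the thread under one policy; returns per-packet verdicts."""
    clock = [0.0]
    tracker = DnsReplyTracker(timeout=30.0, strict_alg=strict_alg, now=lambda: clock[0])
    resolver, upstream = "10.0.0.53", "198.51.100.1"   # constructed sample addresses

    tracker.outbound_query(resolver, 40000, upstream)
    first = tracker.inbound_packet(upstream, 53, resolver, 40000)
    second = tracker.inbound_packet(upstream, 53, resolver, 40000)   # second packet, same query
    # Source port 53 alone buys nothing: no matching outbound state, so it is dropped.
    unsolicited = tracker.inbound_packet(upstream, 53, resolver, 40001)

    tracker.outbound_query(resolver, 40002, upstream)
    clock[0] += 31.0                                                  # idle past the timeout
    late = tracker.inbound_packet(upstream, 53, resolver, 40002)

    return {"first_reply": first, "second_reply": second,
            "unsolicited": unsolicited, "late_reply": late}


if __name__ == "__main__":
    for mode in (True, False):
        print("strict ALG" if mode else "normal UDP session", simulate(mode))
```

The contrast with Glenn's fallback rule is the "unsolicited" verdict: a packet from source port 53 to a high port is dropped in both modes because nothing left the firewall to match it, whereas the broad rule would pass it. The "second_reply" verdict is where the two modes differ, which is the case the `udp-session-normal` setting is meant to address.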
Current thread:
- Allowing DNS servers to operate behind NetScreen 500 Gebhart, Glenn (Feb 03)
- <Possible follow-ups>
- RE: Allowing DNS servers to operate behind NetScreen 500 David Klein (Feb 03)
- Re: Allowing DNS servers to operate behind NetScreen 500 Ben Nagy (Feb 04)
- Re: Allowing DNS servers to operate behind NetScreen 500 Rob Payne (Feb 13)
- Re: Allowing DNS servers to operate behind NetScreen 500 Ben Nagy (Feb 04)
- RE: Allowing DNS servers to operate behind NetScreen 500 David Klein (Feb 04)
- Re: Allowing DNS servers to operate behind NetScreen 500 Ben Nagy (Feb 04)
- RE: Allowing DNS servers to operate behind NetScreen 500 Reckhard, Tobias (Feb 14)
- Re: Allowing DNS servers to operate behind NetScreen 500 Rob Payne (Feb 14)
- Re: Allowing DNS servers to operate behind NetScreen 500 tqbf (Feb 15)
- Re: Allowing DNS servers to operate behind NetScreen 500 Paul D. Robertson (Feb 15)
- Re: Allowing DNS servers to operate behind NetScreen 500 Rob Payne (Feb 15)
- Re: DNS vs. Bernstein tqbf (Feb 15)
- Re: Allowing DNS servers to operate behind NetScreen 500 Rob Payne (Feb 14)