Firewall Wizards mailing list archives
Re: Allowing DNS servers to operate behind NetScreen 500
From: "Ben Nagy" <ben () iagu net>
Date: Tue, 4 Feb 2003 09:11:55 +0100
Sorry, argumentative this morning...

----- Original Message -----
From: "David Klein" <dklein () netscreen com>

[...]

> > ... Ideally I'd like something akin to UDP connection tracking, where an
> > outgoing DNS request installs a time-limited rule which allows the reply
> > to traverse the firewall in the opposite direction.
>
> By default, Netscreens implement a DNS ALG (Appl Level Gateway) to do just
> this. However, it will only allow one UDP packet (DNS response) to the
> original DNS request that went out. I've seen problems when multiple UDP
> packets come back to the same DNS request. Or if the DNS server sends
> multiple DNS requests to the same IP address without changing the source
> port for each query. This will also confuse the DNS ALG.

That doesn't make sense. A proxy doesn't let responses through at all - it "proxies" the connection, maintaining a UDP "connection" itself with the "outside" DNS server and another with the DNS "client", using a giant "laser". The classic DNS ALG is, in fact, a caching DNS server. So, is this a real ALG, or is it some UDP plug proxy that knows a few state-like rules to deal with packets that look like DNS? (or is it not a proxy at all?)

> There are a couple of things to try:
>
>   set flow allow-dns-reply
>   save
>
> This will allow a dns reply pkt without a matching request.

Is that the equivalent of allowing any incoming UDP from port 53?

> You may also want to try the command:
>
>   set dns udp-session-normal
>   save
>
> which should allow for normal UDP handling of DNS packets (i.e., more than
> one inbound reply packet can match the session setup by the outbound query
> packet).

We've been over DNS so many times on this list, I really should have it burned into my brain, but responses that don't fit into one 512 byte UDP packet are supposed to be transmitted with TCP, not transmitted in multiple UDP packets, yes? Also, I was under the impression that 53 is a legal source port for server-to-server queries, whether TCP or UDP. This would mean that you would often see packets from the same port to the same external IP. Of course a true proxy would have no trouble keeping state in that situation, since every request is different... In any case, it's the responsibility of the proxy to get a response and pass that to the client, and if the "only the first packet gets through" theory were true then DNS should work, since all the info should be in the first packet.

> Dave Klein

Something don't add up.

ben

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
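The behaviour argued over above (an outbound query installing a time-limited reply pinhole, "only one reply per request" versus normal UDP session handling, several queries from source port 53 to the same server, and truncated answers being retried over TCP) is easy to make concrete with a small stateful filter. The following is an added example written for this archive page; it is not NetScreen code and does not describe how the NetScreen ALG is actually implemented. It assumes a hypothetical pinhole keyed on the UDP 4-tuple plus the DNS transaction ID, a fixed TTL, and constructed packets using documentation addresses.

```python
import struct
from dataclasses import dataclass

# 12-byte DNS header: ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT (RFC 1035)
DNS_HEADER = struct.Struct(">HHHHHH")
FLAG_QR = 0x8000  # 1 = response
FLAG_TC = 0x0200  # truncated; the resolver is expected to retry over TCP


def parse_dns_header(payload: bytes) -> dict:
    """Decode the fields a stateful filter needs; reject runt packets."""
    if len(payload) < DNS_HEADER.size:
        raise ValueError("payload shorter than a DNS header")
    txid, flags, _qd, _an, _ns, _ar = DNS_HEADER.unpack_from(payload)
    return {"id": txid, "qr": bool(flags & FLAG_QR), "tc": bool(flags & FLAG_TC)}


def build_dns_message(txid: int, response: bool = False, truncated: bool = False) -> bytes:
    """Constructed sample packet: header plus one question (example.test, A, IN)."""
    flags = (FLAG_QR if response else 0) | (FLAG_TC if truncated else 0)
    qname = b"\x07example\x04test\x00"
    return DNS_HEADER.pack(txid, flags, 1, 0, 0, 0) + qname + struct.pack(">HH", 1, 1)


@dataclass
class Pinhole:
    expires: float
    replies_seen: int = 0


class DnsPinholeTable:
    """Hypothetical stateful DNS/UDP filter (assumption: not NetScreen's ALG).

    An outbound query installs a time-limited pinhole keyed on the 4-tuple plus
    the DNS transaction ID, so two queries from source port 53 to the same
    server stay distinguishable. single_reply=True mimics the "only one
    response per request" behaviour described in the thread; False lets every
    matching reply through until the pinhole expires.
    """

    def __init__(self, ttl_seconds: float = 5.0, single_reply: bool = True):
        self.ttl = ttl_seconds
        self.single_reply = single_reply
        self._holes: dict = {}

    def outbound_query(self, now, client, cport, server, sport, payload):
        hdr = parse_dns_header(payload)
        if hdr["qr"]:
            return ("deny", "outbound packet is a response, not a query")
        self._holes[(client, cport, server, sport, hdr["id"])] = Pinhole(now + self.ttl)
        return ("allow", "pinhole installed")

    def inbound_reply(self, now, server, sport, client, cport, payload):
        hdr = parse_dns_header(payload)
        if not hdr["qr"]:
            return ("deny", "inbound packet is not a response")
        key = (client, cport, server, sport, hdr["id"])
        hole = self._holes.get(key)
        if hole is None:
            return ("deny", "no matching outbound query")
        if now > hole.expires:
            del self._holes[key]
            return ("deny", "pinhole expired")
        if self.single_reply and hole.replies_seen >= 1:
            return ("deny", "second reply to the same query (single-reply mode)")
        hole.replies_seen += 1
        if hdr["tc"]:
            return ("allow", "truncated reply; resolver should retry over TCP")
        return ("allow", "matched pinhole")


def run_scenario(single_reply: bool) -> list:
    """Replay a constructed exchange; returns the per-packet decisions in order."""
    table = DnsPinholeTable(ttl_seconds=5.0, single_reply=single_reply)
    resolver, upstream = "192.0.2.10", "198.51.100.1"  # RFC 5737 documentation addresses
    q = lambda txid: build_dns_message(txid)
    r = lambda txid, tc=False: build_dns_message(txid, response=True, truncated=tc)
    return [
        table.outbound_query(0.0, resolver, 53, upstream, 53, q(0x1111)),
        table.outbound_query(0.1, resolver, 53, upstream, 53, q(0x2222)),   # same src port
        table.inbound_reply(0.5, upstream, 53, resolver, 53, r(0x2222)),
        table.inbound_reply(0.6, upstream, 53, resolver, 53, r(0x1111)),
        table.inbound_reply(0.7, upstream, 53, resolver, 53, r(0x1111)),    # duplicate reply
        table.inbound_reply(1.0, upstream, 53, resolver, 53, r(0x3333)),    # stray reply
        table.inbound_reply(10.0, upstream, 53, resolver, 53, r(0x2222)),   # after TTL
        table.outbound_query(11.0, resolver, 53, upstream, 53, q(0x4444)),
        table.inbound_reply(11.5, upstream, 53, resolver, 53, r(0x4444, tc=True)),
    ]


if __name__ == "__main__":
    for mode in (True, False):
        print(f"single_reply={mode}")
        for decision in run_scenario(mode):
            print("  ", decision)
```

Keying on the transaction ID is what keeps two queries from port 53 to the same server apart; a filter that keys only on the 4-tuple would see them as one session. The duplicate-reply case is the one that differs between the two modes, while a stray reply with no matching query and a reply arriving after the TTL are refused in both, which is the part "allow any reply from port 53" would give up.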