Firewall Wizards mailing list archives

Re: Allowing DNS servers to operate behind NetScreen 500


From: "Ben Nagy" <ben () iagu net>
Date: Tue, 4 Feb 2003 09:11:55 +0100

Sorry, argumentative this morning...

----- Original Message -----
From: "David Klein" <dklein () netscreen com>
> [...]
> > ... Ideally I'd like
> > something akin to UDP connection tracking, where an outgoing
> > DNS request installs a time-limited rule which allows the
> > reply to traverse the firewall in the opposite direction.

> By default, Netscreens implement a DNS ALG (Appl Level Gateway) to do just
> this.  However, it will only allow one UDP packet (DNS response) to the
> original DNS request that went out.  I've seen problems when multiple UDP
> packets come back to the same DNS request.  Or if the DNS server sends
> multiple DNS requests to the same IP address without changing the source
> port for each query.  This will also confuse the DNS ALG.

That doesn't make sense. A proxy doesn't let responses through at all -  it
"proxies" the connection, maintaining a UDP "connection" itself with the
"outside" DNS server and another with the DNS "client", using a giant
"laser". The classic DNS ALG is, in fact, a caching DNS server.

So, is this a real ALG, or is it some UDP plug proxy that knows a few
state-like rules to deal with packets that look like DNS? (or is it not a
proxy at all?)

> There are a couple of things to try:
>     set flow allow-dns-reply
>     save
> This will allow a dns reply pkt without a matching request.

Is that the equivalent of allowing any incoming UDP from port 53?

> You may also want to try the command:
>     set dns udp-session-normal
>     save
> which should allow for normal UDP handling of DNS packets (i.e., more than
> one inbound reply packet can match the session setup by the outbound query
> packet).

We've been over DNS so many times on this list, I really should have it
burned into my brain, but responses that don't fit into one 512 byte UDP
packet are supposed to be transmitted with TCP, not transmitted in multiple
UDP packets, yes? Also, I was under the impression that 53 is a legal source
port for server-to-server queries, whether TCP or UDP. This would mean that
you would often see packets from the same port to the same external IP. Of
course a true proxy would have no trouble keeping state in that situation,
since every request is different...

In any case, it's the responsibility of the proxy to get a response and pass
that to the client, and if the "only the first packet gets through" theory
were true then DNS should work, since all the info should be in the first
packet.

> Dave Klein

Something doesn't add up.

ben

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
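The exchange above turns on how a firewall matches inbound DNS replies to outbound queries. The following is an added model (not NetScreen code, and not from either poster) of three matching policies: a 5-tuple session torn down after the first reply, a 5-tuple session that stays open, and a session keyed on the 5-tuple plus the DNS transaction ID. The traffic, addresses and IDs are constructed; the resolver reuses source port 53 for two queries to the same server, as discussed in the thread.

```python
import struct

def dns_txid(payload):
    """The first two bytes of a DNS message are its transaction ID (RFC 1035 4.1.1)."""
    return struct.unpack("!H", payload[:2])[0]

def build_msg(txid, response):
    """Minimal 12-byte DNS header: ID, flags (QR bit), four zeroed section counts."""
    return struct.pack("!HHHHHH", txid, 0x8000 if response else 0, 0, 0, 0, 0)

def filter_replies(packets, key_on_txid, one_reply_only):
    """Return the transaction IDs of inbound replies the modelled firewall admits.

    A packet is (src_ip, src_port, dst_ip, dst_port, payload). Outbound queries
    install a session keyed on the 5-tuple, optionally extended with the DNS ID;
    a reply is admitted only if it matches an open session, and with
    one_reply_only the session is closed after the first admitted reply.
    """
    sessions, admitted = set(), []
    for src_ip, src_port, dst_ip, dst_port, payload in packets:
        txid = dns_txid(payload)
        qr = struct.unpack("!H", payload[2:4])[0] & 0x8000  # QR bit: 1 = response
        ext = (txid,) if key_on_txid else ()
        if not qr:  # query leaving the protected side opens a session
            sessions.add((src_ip, src_port, dst_ip, dst_port) + ext)
            continue
        key = (dst_ip, dst_port, src_ip, src_port) + ext  # reply: reverse direction
        if key in sessions:
            admitted.append(txid)
            if one_reply_only:
                sessions.discard(key)
    return admitted

# Constructed traffic: resolver 10.0.0.5 sends two queries to 198.51.100.1 from
# source port 53 without changing it; both replies come back, followed by an
# unsolicited reply (ID 0x3333) that matches no outstanding query.
TRAFFIC = [
    ("10.0.0.5", 53, "198.51.100.1", 53, build_msg(0x1111, False)),
    ("10.0.0.5", 53, "198.51.100.1", 53, build_msg(0x2222, False)),
    ("198.51.100.1", 53, "10.0.0.5", 53, build_msg(0x1111, True)),
    ("198.51.100.1", 53, "10.0.0.5", 53, build_msg(0x2222, True)),
    ("198.51.100.1", 53, "10.0.0.5", 53, build_msg(0x3333, True)),
]

def one_reply_per_5tuple():  # the "only one reply per request" behaviour described
    return filter_replies(TRAFFIC, key_on_txid=False, one_reply_only=True)
def normal_udp_session():    # session stays open, any matching 5-tuple gets in
    return filter_replies(TRAFFIC, key_on_txid=False, one_reply_only=False)
def txid_aware_session():    # 5-tuple plus transaction ID, one reply per query
    return filter_replies(TRAFFIC, key_on_txid=True, one_reply_only=True)
```

The second reply to the reused port is lost under the first policy, while the open-session policy admits the unsolicited reply as well; matching on the transaction ID admits exactly the two legitimate answers.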
