Hi Max ALG seems to be managing sessions. Specifically, if the DNS query packet is the first packet After creating a session and receiving a DNS responce packet The session seems to be closed with ALG.
It is thought that attention is needed when ALG is disable. If ALG is disable, the session will be maintained until UDP timeout (1 minute). I do not have any further information. If detailed information is necessary, I recommend that you contact Juniper support. -- Yoshibumi Suematsu QTnet, Inc. From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of nmaxpier...@gmail.com<mailto:nmaxpier...@gmail.com> Sent: Sunday, January 20, 2019 2:46 AM To: Crist Clark <cjc+bind-us...@pumpky.net<mailto:cjc+bind-us...@pumpky.net>> Cc: bind-users@lists.isc.org<mailto:bind-users@lists.isc.org> Subject: [社外から受信](送信者確認)Re: EDNS Compliance I just reconfigured our SRX and everything seems to be working now. I wasn’t aware that some alg’s were enabled by default so thank you for pointing that out. Regards, Max -- Sent via mobile On Jan 18, 2019, at 9:22 PM, Crist Clark <cjc+bind-us...@pumpky.net<mailto:cjc+bind-us...@pumpky.net>> wrote: In SRX speak: # set security alg dns disable To verify status of DNS and other ALGs: show security alg status The DNS ALG is one of those enabled by default and must be explicitly disabled to turn it off. On Fri, Jan 18, 2019 at 1:14 PM N. Max Pierson <nmaxpier...@gmail.com<mailto:nmaxpier...@gmail.com>> wrote: The 2 servers that pass the check are behind an old Cisco FWSM so I know it at least works. Hopefully that code carried over to the ASA and won't give us any problems but if it does, I have the option of moving these servers directly to the internet and I can configure iptables for any filtering we need. As far as any option in the SRX, I do not see any configuration options to disable the version check for EDNS as you suggested. I have a couple of posts on Juniper forms/mailing lists to see if I get anyone familiar with these options but for the moment we are just using the SRX as a packet filter with no ALGs so we may be out of luck. Regards, Max Regards, Max On Fri, Jan 18, 2019 at 3:07 PM Mark Andrews <ma...@isc.org<mailto:ma...@isc.org>> wrote: I can’t remember if Cisco ASA has a similar issue. Checkpoint does have similar issues (EDNS version != 0 and EDNS flags) last time I checked. Checkpoint were thinking of changing the defaults. You just need to turn off the setting on the Juniper. It really shouldn’t be on by default as it doesn’t do anything useful. > On 19 Jan 2019, at 7:52 am, N. Max Pierson > <nmaxpier...@gmail.com<mailto:nmaxpier...@gmail.com>> wrote: > > I was just trying to figure out how I could log this but since the logging > would only probably show if something didn't match udp 53 on the server IP it > probably wouldn't match the block-any catch-all log I configured. I will > certainly bring this up to our Juniper rep but in the meantime, I have a > spare Cisco ASA I am going to migrate these subnets to and see if that fixes > the timeouts we are experiencing. > > Mark, thank you for your explanation. And if anyone knows someone at Juniper > you may want to mention this to them as if they do not fix it before flag > day, a lot of queries will be broken. > > Regards, > Max > > On Fri, Jan 18, 2019 at 2:42 PM Mark Andrews > <ma...@isc.org<mailto:ma...@isc.org>> wrote: > This is the signature of a Juniper firewall which drops EDNS version != 0 and > packet with a NSID option present. Dropping EDNS version != 0 just breaks > future interoperability and as already impacted of EDNS development as the > RFC 6891 would have included a EDNS version bump except for these stupid > firewalls dropping EDNS version != 0. NSID is used to identify a server > in a anycast cluster and the information is not returned unless the operator > has configured the server to return it. There is no need for a firewall to > drop queries with these properties. > > Please file a bug report with Juniper. > > Mark
_______________________________________________ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
