[SRX] How to allow EDNS queries to pass through the SRX firewall with DNS ALG enabled

  [KB23569]


Summary:
This article explains how to allow EDNS queries to pass through the SRX firewall when the DNS ALG is enabled.
Symptoms:
  • The basic DNS protocol is not sufficient to support some required features. Moreover, DNS messages carried over UDP were restricted to 512 bytes, excluding the Internet Protocol (IP) and transport-layer headers.

  • EDNS (Extension mechanisms for DNS) is a specification for expanding the size of several parameters of the Domain Name System (DNS) protocol, which had prior size restrictions.

  • In practice, difficulties can arise when using EDNS to traverse firewalls, as certain firewalls assume a maximum DNS message length of 512 bytes and block longer DNS packets.

  • EDNS queries (as per RFC 2671) are dropped by the SRX firewall when the DNS ALG is enabled.
Cause:

Solution:

To allow EDNS queries to pass through the SRX firewall, with DNS ALG enabled, run the following command from the configuration mode:

user# set security alg dns maximum-message-length 8192

Note: The above setting applies only to releases from 10.1 up to, but not including, 10.2. From 10.2 onwards the 512-byte limitation is removed, so the command is no longer required on 10.2 or later.
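As an added illustration that is not part of the KB article or of Junos, the following Python snippet parses a DNS message, reads the UDP payload size a client advertises in its EDNS0 OPT record, and compares that against the DNS ALG's maximum-message-length, so an operator can see which EDNS queries a 512-byte limit would not accommodate. The query it builds is a constructed sample; the function names are hypothetical.

```python
import struct

DNS_TYPE_OPT = 41              # EDNS0 OPT pseudo-RR (RFC 2671)
LEGACY_UDP_LIMIT = 512         # message size the DNS ALG assumed
ALG_MAX_MESSAGE_LENGTH = 8192  # value set by the command in the article

def _skip_name(msg, off):
    """Advance past a DNS name (labels or a compression pointer)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # compression pointer, 2 bytes
            return off + 2
        off += 1 + length

def edns_udp_size(msg):
    """Return the UDP payload size advertised in the OPT RR, or None."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4          # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == DNS_TYPE_OPT:
            return rclass                       # OPT reuses CLASS for the size
        off += 10 + rdlen
    return None

def alg_compatible(msg, alg_max=LEGACY_UDP_LIMIT):
    """True if the ALG limit can carry what the client asked for."""
    size = edns_udp_size(msg)
    return size is None or size <= alg_max

def build_query(name, edns_size=None):
    """Constructed sample: a standard A query, optionally with EDNS0."""
    arcount = 1 if edns_size else 0
    msg = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, arcount)
    for label in name.rstrip(".").split("."):
        msg += bytes([len(label)]) + label.encode("ascii")
    msg += b"\x00" + struct.pack("!HH", 1, 1)   # QTYPE A, QCLASS IN
    if edns_size:
        msg += b"\x00" + struct.pack("!HHIH", DNS_TYPE_OPT, edns_size, 0, 0)
    return msg

if __name__ == "__main__":
    q = build_query("example.com", edns_size=4096)
    print(edns_udp_size(q), alg_compatible(q), alg_compatible(q, ALG_MAX_MESSAGE_LENGTH))
```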



Related Links: