Support Support Downloads Knowledge Base Case Manager My Juniper Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

[SRX] How to allow EDNS queries to pass through the SRX firewall with DNS ALG enabled

0

0

Article ID: KB23569 KB Last Updated: 19 Mar 2013Version: 3.0
Summary:
This article provides information how to allow the EDNS queries pass through the SRX firewall, with DNS ALG enabled.
Symptoms:
  • The basic DNS protocol is not sufficient to support some required features. Moreover, DNS messages carried by UDP were restricted to 512 bytes; not considering the Internet Protocol (IP) and Transport Layer headers.

  • EDNS (Extension mechanisms for DNS) is a specification for expanding the size of several parameters of the Domain Name System (DNS) protocol, which had prior size restrictions.

  • In practice, difficulties can arise when using EDNS to traverse firewalls, as certain firewalls assume a maximum DNS message length of 512 bytes and block longer DNS packets.

  • EDNS (as per RFC 2671) queries are dropped by the SRX firewall, with DNS ALG enabled.
Cause:

Solution:

To allow EDNS queries to pass through the SRX firewall, with DNS ALG enabled, run the following command from the configuration mode:

user# set security alg dns maximum-message-length 8192

Note: The above setting is valid only from 10.1 or later, to 10.2. From 10.2 onwards, the limitation of 512 bytes will be removed; so the above command will no longer be required from 10.2 or later.



Related Links

Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search