SRX


DNS-Doctoring

  • 1.  DNS-Doctoring

    Posted 05-30-2017 02:19

    Does DNS-Doctoring support IPv6 ?



  • 2.  RE: DNS-Doctoring

    Posted 05-30-2017 02:50

    DNS Doctoring is a functionality where the firewall will look at DNS responses from your DNS servers for addresses that have a static NAT rule defined and will then change the IP in the DNS response to the NAT address. This behavior is wrong in so many ways. There is very little documentation about this - as far as I know this behavior gets triggered when both the DNS server and the response have a static NAT rule, but I may be wrong. If you think you need functionality like this, you should rethink your DNS infrastructure. Other than it being an extremely ugly kludge, it doesn't always work and will fail in the future if you decide to use DNSSEC.

     

    When this feature was first introduced, it couldn't even be disabled. But in more recent JunOS releases it can be disabled using the following command:

     

    set security alg dns doctoring sanity-check


  • 3.  RE: DNS-Doctoring

    Posted 05-30-2017 03:25


  • 4.  RE: DNS-Doctoring

    Posted 05-30-2017 10:44

    There is actually a lot of information and a clear explanation of the functionality and use case:

    https://www.juniper.net/documentation/en_US/junos/topics/concept/dns-alg-nat-doctoring-overview.html

    https://www.juniper.net/documentation/en_US/junos/topics/task/configuration/dns-alg-nat-doctoring-disable-cli.html

    https://kb.juniper.net/InfoCenter/index?page=content&id=KB22912&max-yv=1&enablesaml=yes&act=login

     

    Symptoms:

      • The DNS doctoring function is designed to parse the DNS message and perform IP address translation. It drops the messages which have format errors or oversized payloads; then it will perform the IP translation as a static NAT rule.

      • If you do not need NAT translation, the following CLI command can be used to disable IP translation:

        set security alg dns doctoring sanity-check

      • If you do not need to perform the sanity-check, the following CLI command can be used to disable DNS doctoring:

        set security alg dns doctoring none

    The article requires login.

    For an independent opinion:

    https://bart.motd.be/comment/2933
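The behaviour described in posts 2 and 4 (parse the DNS response, drop it if it is malformed or oversized, otherwise rewrite A-record answers whose address has a static NAT mapping), as an added model in Python. This is an editor's illustration, not Juniper's DNS ALG code and not posted by anyone in the thread: the static NAT table, the 512-byte "oversized" threshold, the sample query name and the addresses (all from documentation ranges) are constructed assumptions, and the model handles only IPv4 A records, which is the limitation the original question asks about.

```python
"""Toy model of DNS-ALG "doctoring" on a static-NAT firewall (added example,
not Juniper's implementation). Parses a DNS/UDP response, drops it when it is
malformed or oversized, and rewrites A-record rdata that matches a static NAT
entry. Note what is *not* done: any RRSIG covering the A RRset is left as-is,
which is why a validating resolver behind such a firewall fails DNSSEC checks.
"""
import ipaddress
import struct

# Constructed static NAT table (assumption): internal address -> translated address.
STATIC_NAT = {"192.0.2.10": "203.0.113.10"}

MAX_UDP_DNS = 512   # assumed "oversized" threshold (classic DNS/UDP limit)
TYPE_A = 1


def _encode_name(name):
    """Wire-encode a domain name as length-prefixed labels."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"


def build_response(qname, ttl, addresses, txid=0x1234, flags=0x8180):
    """Construct a minimal DNS message: one question, one A answer per address.
    Answers use a compression pointer (0xC00C) back to the question name."""
    header = struct.pack("!HHHHHH", txid, flags, 1, len(addresses), 0, 0)
    question = _encode_name(qname) + struct.pack("!HH", TYPE_A, 1)
    answers = b""
    for addr in addresses:
        answers += b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, 1, ttl, 4)
        answers += ipaddress.IPv4Address(addr).packed
    return header + question + answers


def _skip_name(msg, off):
    """Return the offset just past the name at `off`; ValueError if truncated."""
    while True:
        if off >= len(msg):
            raise ValueError("truncated name")
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:           # compression pointer: 2 bytes, ends the name
            if off + 2 > len(msg):
                raise ValueError("truncated pointer")
            return off + 2
        off += 1 + length


def _answer_records(msg):
    """Yield (rdata_offset, rtype, rdlen) for each record in the answer section."""
    if len(msg) < 12:
        raise ValueError("short header")
    _, _, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4      # skip QTYPE and QCLASS
        if off > len(msg):
            raise ValueError("truncated question")
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if off + rdlen > len(msg):
            raise ValueError("truncated rdata")
        yield off, rtype, rdlen
        off += rdlen


def a_answers(msg):
    """List the IPv4 addresses in the answer section's A records."""
    return [str(ipaddress.IPv4Address(bytes(msg[off:off + 4])))
            for off, rtype, rdlen in _answer_records(msg)
            if rtype == TYPE_A and rdlen == 4]


def doctor(msg, nat=STATIC_NAT):
    """Apply doctoring to one message. Returns the (possibly rewritten) message,
    the original message if it is a query, or None if the firewall would drop it."""
    if len(msg) > MAX_UDP_DNS:
        return None                         # oversized payload: dropped
    try:
        flags = struct.unpack("!H", msg[2:4])[0]
        if not flags & 0x8000:
            return msg                      # QR=0: a query, nothing to translate
        buf = bytearray(msg)
        for off, rtype, rdlen in _answer_records(msg):
            if rtype == TYPE_A and rdlen == 4:
                inside = str(ipaddress.IPv4Address(bytes(msg[off:off + 4])))
                if inside in nat:
                    buf[off:off + 4] = ipaddress.IPv4Address(nat[inside]).packed
        return bytes(buf)
    except (ValueError, struct.error):
        return None                         # format error: dropped


if __name__ == "__main__":
    resp = build_response("www.example.com", 300, ["192.0.2.10", "198.51.100.7"])
    print("before:", a_answers(resp))
    print("after: ", a_answers(doctor(resp)))
```

Running the block shows the first answer rewritten to the translated address while the second, which has no static NAT entry, passes through unchanged; truncating the message or feeding one longer than 512 bytes makes `doctor` return `None`, the drop case the KB article describes.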