
Hidden policy dropping DNS request?

  • 1.  Hidden policy dropping DNS request?

    Posted 02-15-2020 11:42

    Hi,


    We have an application service that requires a dozen servers behind SRX-HE (SRX-HE does PAT) to send a blast of DNS queries at the beginning of each hour to a 3rd-party DNS server connected to SRX via IPsec. The rate is over 1000 requests per second and each DNS query is about 80 bytes, so both the session creation per second and the IPsec raw bandwidth usage requirement of this application are way below what SRX-HE can do. Yet the application observed timeouts, which means that some queries were dropped by SRX; the IPsec tunnel interface counter confirmed that. It is also confirmed that if those requests are sent over an alternative path bypassing SRX, the timed-out queries are minimal. DNS ALG is disabled and there is no IPS/IDP service configured on SRX.


    Does SRX have some kind of hidden policy that rate-limits DNS queries?


    oldcreek



  • 2.  RE: Hidden policy dropping DNS request?

    Posted 02-16-2020 06:26

    Hello,

    First things first:

    1/ what is the JUNOS version?

    2/ what is the SPC HW?


    @oldcreek wrote:


    Does SRX have some kind of hidden policy that rate-limits DNS queries?

    None I know of. 

    Possible reasons for Your problem:

    a/ You have configured a session limit per IP

     https://www.juniper.net/documentation/en_US/junos/topics/reference/configuration-statement/security-edit-limit-session.html

    https://www.juniper.net/documentation/en_US/junos/topics/reference/configuration-statement/security-edit-source-ip-based.html

    b/ You have configured UDP rate-limit

     https://www.juniper.net/documentation/en_US/junos/topics/reference/configuration-statement/security-edit-udp-security-screen.html

    c/ is Your application sending DNS or eDNS packets? If it is eDNS, can You try regular DNS and report the result?

    HTH

    Thx

    Alex



  • 3.  RE: Hidden policy dropping DNS request?

    Posted 02-17-2020 11:22

    Hi, Thank you for your reply, I am running 15.1X49D300 with dual SPC2s, as I mentioned there is no IPS/IDS screen configured. It is regular DNS query, and since I have DNS ALG disabled, Junos should treat the traffic as plain UDP 53 traffic.



  • 4.  RE: Hidden policy dropping DNS request?
    Best Answer

    Posted 02-18-2020 03:19

    Hello,



    @oldcreek wrote:

     It is regular DNS query, and since I have DNS ALG disabled, Junos should treat the traffic as plain UDP 53 traffic.



    Are You sure? eDNS is also UDP/53 and differs in the (i) packet size - can exceed 512 bytes and (ii) packet flags and content.


    Anyway, another possible cause:

    d) if Your PAT pool is shared between different apps including that DNS app, then due to a momentary burst in port utilization there may be a short-lived shortage of free ports in the PAT pool used by that DNS app.


    HTH

    Thx

    Alex
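
    To make the port-shortage mechanism in (d) concrete, here is an added simulation (my own illustration, not Juniper code and not part of this thread) of a PAT pool shared by the hourly DNS burst and other traffic. It assumes a single PAT address with the 1024-65535 port range (64512 ports), 10000 ports already held by other applications, and that with the DNS ALG off each UDP/53 session keeps its port for a 60 s UDP timeout; all of those figures are assumptions, not measured values.

```python
from collections import deque


def ports_required(rate_per_sec, hold_time_s, background_ports=0):
    """Ports a PAT address must sustain once the burst reaches steady state:
    every query of the last hold_time_s seconds still owns a port."""
    return rate_per_sec * hold_time_s + background_ports


def simulate_pat_pool(pool_ports, background_ports, rate_per_sec,
                      duration_s, hold_time_s):
    """Second-by-second model (constructed, not SRX internals) of a PAT pool
    shared by a bursty UDP/53 application and other traffic.

    Each new query takes one translated port. With the DNS ALG disabled nothing
    closes the session when the answer arrives, so the port stays allocated
    until the UDP session timeout (hold_time_s). Queries that find no free
    port are counted as dropped, which the application sees as timeouts.
    Returns (peak_ports_in_use, queries_dropped).
    """
    free = pool_ports - background_ports
    live = deque()                  # (allocation_second, ports_taken)
    peak, dropped = background_ports, 0
    for t in range(duration_s):
        # release ports whose session has aged out
        while live and t - live[0][0] >= hold_time_s:
            free += live.popleft()[1]
        granted = min(rate_per_sec, free)
        dropped += rate_per_sec - granted
        free -= granted
        if granted:
            live.append((t, granted))
        peak = max(peak, pool_ports - free)
    return peak, dropped


if __name__ == "__main__":
    POOL = 65535 - 1024 + 1         # one PAT address, ports 1024-65535 (assumed)
    OTHER = 10000                   # ports held by other apps (assumed)
    RATE, BURST, TIMEOUT = 1000, 120, 60   # 1000 q/s burst, 60 s UDP timeout (assumed)
    print("steady-state ports needed:", ports_required(RATE, TIMEOUT, OTHER))
    for label, pool, hold in [("one address, ALG off", POOL, TIMEOUT),
                              ("two addresses, ALG off", 2 * POOL, TIMEOUT),
                              ("one address, 10 s hold", POOL, 10)]:
        peak, lost = simulate_pat_pool(pool, OTHER, RATE, BURST, hold)
        print(f"{label}: peak in use {peak}, queries dropped {lost}")
```

    Under these assumptions a 1000 q/s burst alone needs 60000 concurrent ports, so a single shared PAT address runs dry during the burst while a second address or a shorter session hold time does not; the numbers are only a sizing sanity check, not a measurement of the real box.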



  • 5.  RE: Hidden policy dropping DNS request?

    Posted 02-18-2020 19:13

    Hello,


    Rest assured, there are no hidden policies.


    Especially considering that most of the DNS queries are working while a few are failing, it is mostly a scale issue, maybe on the firewall, maybe not.

    > Just to ensure we have the right picture, can you start with a packet-capture for the DNS traffic?

    https://kb.juniper.net/InfoCenter/index?page=content&id=KB21563&actp=METADATA

    > This will prove if the issue is indeed on the firewall

    > Simultaneous capture on the client and remote end (over the VPN) if possible will be a plus for correlation

    > Are you having a cluster setup or is this a standalone device?

    > If it's a cluster, if possible try a failover to the other node to eliminate the HW/Datapath


    I hope this helps. Regards,


    Vikas