Active Directory Dynamic DNS broken by Juniper SRX firewall ALG

Last week a Juniper SRX firewall was put in to replace an older internal firewall. This week a load of Windows Servers dropped out of Active Directory DNS. The scavenging period in AD DNS was configured to be 7 days. Coincidence? I think not.

But what was going on, and why? DNS queries were working from the affected servers, and servers not behind the new SRX firewall were unaffected. I ran Wireshark on an affected server and on the primary DNS server it was configured to talk to.

There were indeed UDP packets going back and forth quite happily between the affected server and the DNS server, originating on a high port within the range 49152 – 65535 and going to port 53 on the DNS server. So I knew that it wasn’t a firewall port rule thing – DDNS uses the same ports as any other DNS traffic.

DNS messages contain a set of flags that tell the DNS server what type of operation to perform on the rest of the data in the message. For a standard DNS query the flags are 0x0100. These were being sent and received as normal: I could see the DNS transaction IDs matching up on both the affected server and the DNS server.

However, a DDNS update is distinguished by having the flags set to 0x2800, and for these I could see the dynamic update data being sent out of the affected server, but it was never received at the DNS server. The affected server’s DNS Client service would keep resending the update for a while, then give up and log warning event 8015 in the System Event Log:

Source: DNS Client Events
Event ID: 8015
Level: Warning
User: NETWORK SERVICE
Message: The system failed to register host (A or AAAA) resource records (RRs) for network adapter with settings:
 Adapter Name : {xxxx}
 Host Name : servername
 Primary Domain Suffix : rcmtech.co.uk
 DNS server list :
    192.168.1.10, 192.168.1.11
 Sent update to server : <?>
 IP Address(es) :
  192.168.2.3
The reason the system could not register these RRs was because the update request it sent to the DNS server timed out. etc...

So something was eating the Dynamic DNS update data as it went over the network, but was not eating regular DNS queries. Whatever it was, it was inspecting the flags inside the DNS data and blocking only dynamic update DNS traffic.
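To make the comparison above repeatable, here is an added example (not part of the original post) that decodes the DNS header flags and reports which UPDATE transaction IDs were sent by the client but never seen on the server side. The captures are constructed inline; the transaction IDs and flag values are samples, not taken from the real Wireshark traces.

```python
import struct

# DNS opcodes (RFC 1035 / RFC 2136); UPDATE is opcode 5
OPCODES = {0: "QUERY", 1: "IQUERY", 2: "STATUS", 4: "NOTIFY", 5: "UPDATE"}


def parse_dns_header(data: bytes) -> dict:
    """Decode the 12-byte DNS header: transaction ID, flags and section counts."""
    if len(data) < 12:
        raise ValueError("short DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!6H", data[:12])
    opcode = (flags >> 11) & 0xF          # bits 11-14 of the flags word
    return {
        "id": txid,
        "flags": flags,
        "qr": (flags >> 15) & 1,          # 0 = request, 1 = response
        "opcode": OPCODES.get(opcode, str(opcode)),
        "rd": (flags >> 8) & 1,           # recursion desired (set in 0x0100)
        "counts": (qd, an, ns, ar),
    }


def is_dynamic_update(data: bytes) -> bool:
    """True for messages with the UPDATE opcode, i.e. flags such as 0x2800."""
    return parse_dns_header(data)["opcode"] == "UPDATE"


def missing_updates(client_side, server_side):
    """Transaction IDs of UPDATE requests the client sent but the server never saw."""
    sent = {parse_dns_header(p)["id"] for p in client_side if is_dynamic_update(p)}
    seen = {parse_dns_header(p)["id"] for p in server_side if is_dynamic_update(p)}
    return sorted(sent - seen)


def header(txid: int, flags: int, qd=1, an=0, ns=0, ar=0) -> bytes:
    """Build a bare DNS header; enough for flag/ID analysis (constructed sample data)."""
    return struct.pack("!6H", txid, flags, qd, an, ns, ar)


# Constructed captures: 0x0100 = standard query, 0x2800 = dynamic update.
CLIENT_CAPTURE = [header(0x1A2B, 0x0100), header(0x3C4D, 0x2800), header(0x5E6F, 0x2800)]
SERVER_CAPTURE = [header(0x1A2B, 0x0100)]   # only the plain query arrived

if __name__ == "__main__":
    for pkt in CLIENT_CAPTURE:
        h = parse_dns_header(pkt)
        print(f"id=0x{h['id']:04x} flags=0x{h['flags']:04x} opcode={h['opcode']}")
    print("updates never seen by server:", [hex(i) for i in missing_updates(CLIENT_CAPTURE, SERVER_CAPTURE)])
```

Run the same function over headers pulled from captures on both sides of the firewall; any non-empty result points at something between the two hosts dropping UPDATE messages while passing ordinary queries.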

So I did a bit of searching and found that this was a known problem with Juniper SRX firewalls due to the ALG (Application Layer Gateway). I spoke to my SRX expert who assured me that ALG was switched off. After a few more hours of testing he discovered that ALG was in fact not switched off after all, and after disabling it for DNS everything is working normally again. It seems that ALG defaults are generally not ideal anyway when it comes to DNS.

This entry was posted in Networking, Windows.