topic DNS proxy and strange system logs entries in General Topics

DNS proxy and strange system logs entries

_slv_ — Fri, 11 Oct 2013 16:25:49 GMT

I'm using dns proxy from two weeks. Today I observed strange entries in logs:

my configurqation is simple:

Could someone help me to undestrand what is going on?

Regards

Slawek

Re: DNS proxy and strange system logs entries

kfindlen — Fri, 11 Oct 2013 16:27:27 GMT

These errors indicate connectivity issues to the configured DNS servers. Has there been any events which may have caused a loss of connectivity between the firewall and those IPs?

Re: DNS proxy and strange system logs entries

_slv_ — Fri, 11 Oct 2013 19:05:50 GMT

No, those two DNS servers was "pingable" all the time.

Also "DIG google.com" gives me answer - lunched from computer from one of network with dns_proxy.

Any idea how to troubleshoot it ?

Re: DNS proxy and strange system logs entries

UhMayYeah — Sun, 13 Oct 2013 22:13:52 GMT

Start with enabling debug for dnsproxyd and checking dnsproxy logs

> debug dnsproxyd global on debug ===>ENABLE debug

> less mp-log dnsproxyd.log ===== CHECK logs

> debug dnsproxyd global on info ===>DISABLE debug

Possible Issues:

1> Server Sending DNS Response larger than 512 bytes

Extended DNS (>512B) option not supported with PA as proxy.

FIX: Some DNS name queries are unsuccessful after you deploy a Windows Server 2003 or Windows Server 2008 R2-based DNS server

2> DNSproxy logs show " No buffer space available."

Fixed with OS-5.0.8

Bug 50813—DNS proxy fails to proxy traffic with bursts of DNS requests, displaying the

error: (errno: 105) No buffer space available. This was resolved by

increasing the buffer.

3> Sessions for sourced from dnsproxy interface to the server being scanned spyware profile being discarded.

Configure a security rule to bypass threat scanning for the traffic to the DNS server sourced from DNSproxy interface.

You can enable threat scanning for traffic from the original clients to DNS proxy and also DNS response traffic (public DNS servers) if needed.

HTH,

Ameya

Re: DNS proxy and strange system logs entries

_slv_ — Mon, 14 Oct 2013 14:33:12 GMT

Thank You for very detailed answer!

I think that the best option for me will be upgrade to 5.0.8 and after check logs.

I had this errors ie 10.10.2013 about 13:58, in dnsproxyd.log a have enries:

Oct 10 14:52:58 Error: pan_dnsproxyd_recv_server_udp_cb(pan_dnsproxy_udp.c:487): [Drop Rcvd Server Pkt]: Error in processing packet

Oct 10 14:54:57 Error: pan_dnsproxy_process_server_pkt(pan_dnsproxy_pkt.c:1335): [14122/-][Drop Rcvd Server Pkt]: No pending entry in conn tbl for server_tid:14122

Oct 10 14:54:57 Error: remove_conn_tbl_entry(pan_dnsproxy_pkt.c:284): conn_tbl[14122] entry is already freed!

Oct 10 14:54:57 Error: pan_dnsproxyd_recv_server_udp_cb(pan_dnsproxy_udp.c:487): [Drop Rcvd Server Pkt]: Error in processing packet

Oct 10 14:55:37 Error: pan_dnsproxy_process_server_pkt(pan_dnsproxy_pkt.c:1335): [44552/-][Drop Rcvd Server Pkt]: No pending entry in conn tbl for server_tid:44552

Oct 10 14:55:37 Error: remove_conn_tbl_entry(pan_dnsproxy_pkt.c:284): conn_tbl[44552] entry is already freed!

Oct 10 14:55:37 Error: pan_dnsproxyd_recv_server_udp_cb(pan_dnsproxy_udp.c:487): [Drop Rcvd Server Pkt]: Error in processing packet

Oct 10 15:06:14 Error: cfgagent_modify_callback(pan_cfgagent.c:81): Modify string (sw.mgmt.runtime.clients.dnsproxyd.err) error: Unknown error code (1)

Oct 10 15:10:36 Error: pan_dnsproxy_query_done_cb(pan_dnsproxy_pkt.c:772): Cache entry not found for Wsadecka.feris.pl.

Oct 10 15:52:34 Error: pan_dnsproxy_process_server_pkt(pan_dnsproxy_pkt.c:1335): [26579/-][Drop Rcvd Server Pkt]: No pending entry in conn tbl for server_tid:26579

Oct 10 15:52:34 Error: remove_conn_tbl_entry(pan_dnsproxy_pkt.c:284): conn_tbl[26579] entry is already freed!

Oct 10 15:52:34 Error: pan_dnsproxyd_recv_server_udp_cb(pan_dnsproxy_udp.c:487): [Drop Rcvd Server Pkt]: Error in processing packet

Oct 10 15:53:00 Error: pan_dnsproxy_process_server_pkt(pan_dnsproxy_pkt.c:1335): [36977/-][Drop Rcvd Server Pkt]: No pending entry in conn tbl for server_tid:36977

Oct 10 15:53:00 Error: remove_conn_tbl_entry(pan_dnsproxy_pkt.c:284): conn_tbl[36977] entry is already freed!

is everything OK in this logs?

How to make rule for >3

In my scenario I have DNS servers in Zone A, clients in Zone B, my security rule:

Should I add rule that alloving traffic from WiFi zone (with source IP = gateway IP for this zone) to Zone A?

>You can enable threat scanning for traffic from the original clients to DNS proxy and also DNS response traffic (public DNS servers)

How to achieve that?

Should I make rule from WiFi to WiFi app=dns with enabled thread prevention profile on it?

Regards

SLawek

Re: DNS proxy and strange system logs entries

UhMayYeah — Mon, 14 Oct 2013 20:55:35 GMT

This seems to be an issue related to configuration of Threat scanning as logs do not indicate any Buffer related messages.

You should be able to confirm this by checking the session table for destination = DNS server in DISCARD state during the failure.

Assuming :

Clients and DNSproxy Interface===>ZONE WiFi

DNS servers - Zone B

You an create a security policy as follows:

Zone WiFi to Zone WiFi app=dns with enabled thread prevention profile .

Zone WiFi to Zone B app=dns Destination IP : DNS servers ==> Should not have threat profiles.

HTH,

Ameya

Re: DNS proxy and strange system logs entries

_slv_ — Wed, 16 Oct 2013 07:45:24 GMT

From 10.10.2013 I had no problem with dns proxy so I can't do any further investigations. I'm waiting for another issue with dns proxy.

Regards

SLawek