topic Re: DNS proxy not accepting tcp connections in General Topics

DNS proxy not accepting tcp connections

Alex_Samad — Mon, 03 Dec 2018 10:32:27 GMT

so my setup 5220

vlan 20 ... my named dns server 10.43.20.100 and 10.43.20.102 ... dns1 and dns2

on the pa on interface with vlan 20 10.43.20.1 I have configured dns proxy.

works well for dns via udp

but tcp doesn't work

tcpdump -pni eth0 host 10.43.20.1 and port 53 -c 20 & dig @10.43.20.1 _ldap._tcp.abcde.com SRV
[1] 25943
;; Truncated, retrying in TCP mode.
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
21:24:08.420119 IP 10.43.20.111.44595 > 10.43.20.1.domain: 9968+ SRV? _ldap._tcp.abcde.com. (44)
21:24:08.423313 IP 10.43.20.1.domain > 10.43.20.111.44595: 9968| 6/11/0 SRV abcde.abcde.com.:389 0 100, SRV dcfed.abcde.com.:389 0 100, SRV adadad.abcde.com.:389 0 100, SRV adasdsa.abcde.com.:389 0 100, SRV asdasda.abcde.com.:389 0 100, SRV asad.abcde.com.:389 0 100 (501)
21:24:08.423554 IP 10.43.20.111.33881 > 10.43.20.1.domain: Flags [S], seq 1732894062, win 14600, options [mss 1460,sackOK,TS val 1399345837 ecr 0,nop,wscale 10], length 0
21:24:09.422701 IP 10.43.20.111.33881 > 10.43.20.1.domain: Flags [S], seq 1732894062, win 14600, options [mss 1460,sackOK,TS val 1399346837 ecr 0,nop,wscale 10], length 0
21:24:11.422682 IP 10.43.20.111.33881 > 10.43.20.1.domain: Flags [S], seq 1732894062, win 14600, options [mss 1460,sackOK,TS val 1399348837 ecr 0,nop,wscale 10], length 0
21:24:15.422702 IP 10.43.20.111.33881 > 10.43.20.1.domain: Flags [S], seq 1732894062, win 14600, options [mss 1460,sackOK,TS val 1399352837 ecr 0,nop,wscale 10], length 0
21:24:18.423822 IP 10.43.20.111.49363 > 10.43.20.1.domain: Flags [S], seq 1153441164, win 14600, options [mss 1460,sackOK,TS val 1399355838 ecr 0,nop,wscale 10], length 0
21:24:19.423688 IP 10.43.20.111.49363 > 10.43.20.1.domain: Flags [S], seq 1153441164, win 14600, options [mss 1460,sackOK,TS val 1399356838 ecr 0,nop,wscale 10], length 0
21:24:21.423679 IP 10.43.20.111.49363 > 10.43.20.1.domain: Flags [S], seq 1153441164, win 14600, options [mss 1460,sackOK,TS val 1399358838 ecr 0,nop,wscale 10], length 0

you can see the initial request made as udp, then the change to tcp fails no syn/ack.

if i do dig +tcp .. same problem.

then i try and log a fault with PA support. told doing dig +tcp is not valid.

.. venting here ... this support engineer is why i am hating talking to PA support. .. vent off...

so any one else had issues with dns proxy. I was looking at using it for my main DNS server ip's but if it can't handle this then .....

Re: DNS proxy not accepting tcp connections

BPry — Tue, 04 Dec 2018 01:33:29 GMT

@Alex_Samad,

Have you actually enabled TCP Queries on the DNS Proxy settings?

Re: DNS proxy not accepting tcp connections

Alex_Samad — Tue, 04 Dec 2018 01:45:44 GMT

Ummmm

tada ... who would have thought, my friend ... awesome

so under advanced there is a section that say tcp queries

from there help

Select to enable DNS queries using TCP. Specify the maximum number of concurrent pending TCP DNS requests (Max Pending Requests) that the firewall will support (range is 64-256; default is 64).

going to test weather this means it takes tcp or uses tcp queries !

Re: DNS proxy not accepting tcp connections

BPry — Tue, 04 Dec 2018 01:45:28 GMT

@Alex_Samad,

Sorry about your support experience. That should have been the first thing TAC checked considering this is a new use of DNS Proxy. Glad that was it.

Re: DNS proxy not accepting tcp connections

Alex_Samad — Tue, 04 Dec 2018 01:48:09 GMT

All good its working now.

Thanks for your input

Re: DNS proxy not accepting tcp connections

Alex_Samad — Sun, 09 Dec 2018 23:03:21 GMT

You know I asked this support ticket to be escalated to a manager.

that was on the 3/12 ... still waiting ... i have had i think 2 missed calls. recieving calls outside my business hours. also had him hang up cause I couldn't hear him.

And I have actually emailed my SE about this.

I have found some really good people at PA and I like the products

But I'm finding a lot of support very very very bad.