This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

DNS packets in drop stage, but i can see the same packet in transmit stage and DNS server response as well.

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

DNS packets in drop stage, but i can see the same packet in transmit stage and DNS server response as well.

Abdul_Razaq
L4 Transporter

‎05-19-2021 11:27 PM

Hi Community

 

I am seeing a strange behavior with DNS traffic. I tried to resolve some FQDns which work fine (those are public fqdns). But when I do the packet capture, I can see the same packets in transmit and drop stage. By comparing the tcp port and dns transaction id, i can see those packets sent only once by end machine and the same in both transmit and drop stage. Even i can see the DNS server is responding with the IP address and from end machine, the fqdn is resolved. I am trying to figure out why the packet in drop stage as it causes confition. Also this is not happening always, this is very random.

 

I even tried floe capture, in flow capture I cannot see the drop, in fact there is a gap in flow capture at the time of transmitting and drop time(which means i cannot see this transmit and drop in the flow capture).

0 Likes Likes
2 REPLIES 2

reaper
Cyber Elite
Cyber Elite

‎05-20-2021 12:26 AM

packet-diag logging is not stateful (it does account for NAT), so for a flow basic you need to add filters that account for both flows, and also add a filter for 'stray' packets in case the packet is discarded because the firewall can't match it to a session

I usually filter like this:

1. privsrc-pubdest-destport

2. pubdest -pubsrc-srcport

3. pubdest-privsrc-srcport

 

 

did you check the global counters for drops ? (retry global counters with the above filters as well, in case a packet arrives 'out of window')

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization
0 Likes Likes

Abdul_Razaq
L4 Transporter
In response to reaper

‎05-20-2021 12:38 AM - edited ‎05-20-2021 12:47 AM

transmit_and responce.PNGdrop.PNGHi @reaper ,

 

Packet diag is set accounting for the NAT as well. As mentioned, I can see the dropped NATed packet.

Strange thing is i can see the same packet in transmit stage to ISP ( compared dns id and source port and destination mac to confirm it is going to ISP). The public DNS is responding to the query successfully and the client is resolving the fqdn.. Just not sure why the packet in the drop stage when it actually indicates the packet went through.

 

I was able to see some counters like 'DNS packet drops while waiting' not sure if it is related ( as I have capture filter for fw_public ip to dns, it will include other clients requests as well)

0 Likes Likes
  • 4491 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2025 - Palo Alto Networks