12-03-2018 02:30 AM - edited 12-03-2018 02:32 AM
Hi,
so my setup: a 5220.
VLAN 20 ... my named DNS servers 10.43.20.100 and 10.43.20.102 ... dns1 and dns2.
On the PA, on the interface with VLAN 20 (10.43.20.1), I have configured DNS proxy.
It works well for DNS via UDP,
but TCP doesn't work.
So:
tcpdump -pni eth0 host 10.43.20.1 and port 53 -c 20 & dig @10.43.20.1 _ldap._tcp.abcde.com SRV
[1] 25943
;; Truncated, retrying in TCP mode.
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
21:24:08.420119 IP 10.43.20.111.44595 > 10.43.20.1.domain: 9968+ SRV? _ldap._tcp.abcde.com. (44)
21:24:08.423313 IP 10.43.20.1.domain > 10.43.20.111.44595: 9968| 6/11/0 SRV abcde.abcde.com.:389 0 100, SRV dcfed.abcde.com.:389 0 100, SRV adadad.abcde.com.:389 0 100, SRV adasdsa.abcde.com.:389 0 100, SRV asdasda.abcde.com.:389 0 100, SRV asad.abcde.com.:389 0 100 (501)
21:24:08.423554 IP 10.43.20.111.33881 > 10.43.20.1.domain: Flags [S], seq 1732894062, win 14600, options [mss 1460,sackOK,TS val 1399345837 ecr 0,nop,wscale 10], length 0
21:24:09.422701 IP 10.43.20.111.33881 > 10.43.20.1.domain: Flags [S], seq 1732894062, win 14600, options [mss 1460,sackOK,TS val 1399346837 ecr 0,nop,wscale 10], length 0
21:24:11.422682 IP 10.43.20.111.33881 > 10.43.20.1.domain: Flags [S], seq 1732894062, win 14600, options [mss 1460,sackOK,TS val 1399348837 ecr 0,nop,wscale 10], length 0
21:24:15.422702 IP 10.43.20.111.33881 > 10.43.20.1.domain: Flags [S], seq 1732894062, win 14600, options [mss 1460,sackOK,TS val 1399352837 ecr 0,nop,wscale 10], length 0
21:24:18.423822 IP 10.43.20.111.49363 > 10.43.20.1.domain: Flags [S], seq 1153441164, win 14600, options [mss 1460,sackOK,TS val 1399355838 ecr 0,nop,wscale 10], length 0
21:24:19.423688 IP 10.43.20.111.49363 > 10.43.20.1.domain: Flags [S], seq 1153441164, win 14600, options [mss 1460,sackOK,TS val 1399356838 ecr 0,nop,wscale 10], length 0
21:24:21.423679 IP 10.43.20.111.49363 > 10.43.20.1.domain: Flags [S], seq 1153441164, win 14600, options [mss 1460,sackOK,TS val 1399358838 ecr 0,nop,wscale 10], length 0
You can see the initial request made as UDP, then the change to TCP fails: no SYN/ACK.
If I do dig +tcp ... same problem.
Then I try to log a fault with PA support. Told that doing dig +tcp is not valid.
.. venting here ... this support engineer is why I am hating talking to PA support. .. vent off...
So has anyone else had issues with DNS proxy? I was looking at using it for my main DNS server IPs, but if it can't handle this then .....
A
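The capture above shows the classic DNS truncation path: the UDP answer is marked truncated (tcpdump prints the transaction id as "9968|", the "|" being the TC bit), so dig reopens the same question over TCP, and the TCP SYNs go unanswered. The following script, added here as an illustration and not posted by the original author, builds the same SRV query, decodes the header of a response to see whether the TC flag demands a TCP retry, and frames a DNS message for TCP (two-byte length prefix per RFC 1035). The truncated response bytes are constructed to match the counts in the tcpdump line; nothing here was captured from a real server, and the `10.43.20.1` address in the comment is only the one from the post.

```python
import socket
import struct

QTYPE_SRV = 33          # SRV record type, as in the dig command above
QCLASS_IN = 1
FLAG_QR = 0x8000        # message is a response
FLAG_TC = 0x0200        # truncated: the full answer did not fit in the UDP reply
FLAG_RD = 0x0100        # recursion desired


def encode_name(name):
    """Encode a dotted name as DNS wire-format labels."""
    labels = [l for l in name.strip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, qtype, txid):
    """Build a minimal DNS query (no EDNS), like 'dig <name> SRV' would send."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def parse_header(msg):
    """Decode the fixed 12-byte DNS header into a dict."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & FLAG_QR), "tc": bool(flags & FLAG_TC),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an,
            "nscount": ns, "arcount": ar}


def needs_tcp_retry(response, txid):
    """True when a UDP response matches our query id and carries the TC flag."""
    h = parse_header(response)
    return h["id"] == txid and h["qr"] and h["tc"]


def tcp_frame(msg):
    """DNS over TCP prefixes each message with a 2-byte big-endian length (RFC 1035 4.2.2)."""
    return struct.pack("!H", len(msg)) + msg


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the TCP connection early")
        buf += chunk
    return buf


def query_tcp(server, query, timeout=3.0):
    """Send one DNS query over TCP and return the raw response message."""
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(tcp_frame(query))
        (length,) = struct.unpack("!H", _recv_exact(s, 2))
        return _recv_exact(s, length)


def query_with_fallback(server, name, qtype=QTYPE_SRV, txid=9968, timeout=3.0):
    """UDP first; retry over TCP when the server marks the answer truncated.

    Returns (transport_used, raw_response). A TCP connect timeout here is
    exactly the failure mode in the capture: UDP answers, TCP never does.
    """
    query = build_query(name, qtype, txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as u:
        u.settimeout(timeout)
        u.sendto(query, (server, 53))
        response, _ = u.recvfrom(4096)
    if needs_tcp_retry(response, txid):
        return "tcp", query_tcp(server, query, timeout)
    return "udp", response


# Constructed sample: the 12-byte header of a truncated UDP reply with the same
# transaction id and 6/11/0 answer/authority/additional counts as the tcpdump
# line above. Flags 0x8380 = QR | RD | RA | TC. Not captured from a real server.
TRUNCATED_RESPONSE = struct.pack("!HHHHHH", 9968, 0x8380, 1, 6, 11, 0)
# Same header without TC: no retry needed.
COMPLETE_RESPONSE = struct.pack("!HHHHHH", 9968, 0x8180, 1, 6, 11, 0)

if __name__ == "__main__":
    print("truncated sample needs TCP retry:", needs_tcp_retry(TRUNCATED_RESPONSE, 9968))
    print("complete sample needs TCP retry:", needs_tcp_retry(COMPLETE_RESPONSE, 9968))
    # Against a live proxy, e.g. the one from the post:
    # print(query_with_fallback("10.43.20.1", "_ldap._tcp.abcde.com"))
```

Running `query_with_fallback` against a proxy that only listens on UDP reproduces the symptom in a single call: the UDP leg returns a truncated header, and the TCP leg raises a socket timeout instead of returning the SRV set. Once the proxy accepts TCP, the same call returns `("tcp", <full response>)`, which is a quick regression check to keep after changing the setting.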
12-03-2018 05:33 PM
Have you actually enabled TCP Queries on the DNS Proxy settings?
12-03-2018 05:43 PM - edited 12-03-2018 05:45 PM
Ummmm
tada ... who would have thought, my friend ... awesome
So under Advanced there is a section that says TCP Queries.
From their help:
Select to enable DNS queries using TCP. Specify the maximum number of concurrent pending TCP DNS requests (Max Pending Requests) that the firewall will support (range is 64-256; default is 64).
Going to test whether this means it accepts TCP or uses TCP queries!
12-03-2018 05:45 PM
Sorry about your support experience. That should have been the first thing TAC checked considering this is a new use of DNS Proxy. Glad that was it.
12-03-2018 05:48 PM
All good, it's working now.
Thanks for your input.
12-09-2018 03:03 PM
<flame on>
You know I asked this support ticket to be escalated to a manager.
That was on the 3/12 ... still waiting ... I have had, I think, 2 missed calls, receiving calls outside my business hours. Also had him hang up because I couldn't hear him.
And I have actually emailed my SE about this.
I have found some really good people at PA and I like the products
But I'm finding a lot of support very very very bad.
A