DNS proxy not accepting tcp connections

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

DNS proxy not accepting tcp connections

L4 Transporter

Hi

 

so my setup 5220

vlan 20 ... my named dns server 10.43.20.100 and 10.43.20.102 ... dns1 and dns2

on the pa on interface with vlan 20 10.43.20.1 I have configured dns proxy.

 

works well for dns via udp

 

but tcp doesn't work

so 

tcpdump -pni eth0 host 10.43.20.1 and port 53 -c 20 & dig @10.43.20.1 _ldap._tcp.abcde.com SRV
[1] 25943
;; Truncated, retrying in TCP mode.
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
21:24:08.420119 IP 10.43.20.111.44595 > 10.43.20.1.domain: 9968+ SRV? _ldap._tcp.abcde.com. (44)
21:24:08.423313 IP 10.43.20.1.domain > 10.43.20.111.44595: 9968| 6/11/0 SRV abcde.abcde.com.:389 0 100, SRV dcfed.abcde.com.:389 0 100, SRV adadad.abcde.com.:389 0 100, SRV adasdsa.abcde.com.:389 0 100, SRV asdasda.abcde.com.:389 0 100, SRV asad.abcde.com.:389 0 100 (501)
21:24:08.423554 IP 10.43.20.111.33881 > 10.43.20.1.domain: Flags [S], seq 1732894062, win 14600, options [mss 1460,sackOK,TS val 1399345837 ecr 0,nop,wscale 10], length 0
21:24:09.422701 IP 10.43.20.111.33881 > 10.43.20.1.domain: Flags [S], seq 1732894062, win 14600, options [mss 1460,sackOK,TS val 1399346837 ecr 0,nop,wscale 10], length 0
21:24:11.422682 IP 10.43.20.111.33881 > 10.43.20.1.domain: Flags [S], seq 1732894062, win 14600, options [mss 1460,sackOK,TS val 1399348837 ecr 0,nop,wscale 10], length 0
21:24:15.422702 IP 10.43.20.111.33881 > 10.43.20.1.domain: Flags [S], seq 1732894062, win 14600, options [mss 1460,sackOK,TS val 1399352837 ecr 0,nop,wscale 10], length 0
21:24:18.423822 IP 10.43.20.111.49363 > 10.43.20.1.domain: Flags [S], seq 1153441164, win 14600, options [mss 1460,sackOK,TS val 1399355838 ecr 0,nop,wscale 10], length 0
21:24:19.423688 IP 10.43.20.111.49363 > 10.43.20.1.domain: Flags [S], seq 1153441164, win 14600, options [mss 1460,sackOK,TS val 1399356838 ecr 0,nop,wscale 10], length 0
21:24:21.423679 IP 10.43.20.111.49363 > 10.43.20.1.domain: Flags [S], seq 1153441164, win 14600, options [mss 1460,sackOK,TS val 1399358838 ecr 0,nop,wscale 10], length 0

 


you can see the initial request made as udp, then the change to tcp fails no syn/ack.

 

if i do dig +tcp .. same problem.

 

then i try and log a fault with PA support. told doing dig +tcp is not valid.

.. venting here ... this support engineer is why i am hating talking to PA support. .. vent off...

 

so any one else had issues with dns proxy. I was looking at using it for my main DNS server ip's but if it can't handle this then .....

 

A

 

 

1 accepted solution

Accepted Solutions

Cyber Elite
Cyber Elite

@Alex_Samad,

Have you actually enabled TCP Queries on the DNS Proxy settings? 

View solution in original post

5 REPLIES 5

Cyber Elite
Cyber Elite

@Alex_Samad,

Have you actually enabled TCP Queries on the DNS Proxy settings? 

Ummmm

 

tada ... who would have thought, my friend ... awesome

 

so under advanced there is a section that say tcp queries 

 

from there help 

 

Select to enable DNS queries using TCP. Specify the maximum number of concurrent pending TCP DNS requests (Max Pending Requests) that the firewall will support (range is 64-256; default is 64).

 

going to test weather this means it takes tcp or uses tcp queries !

@Alex_Samad,

Sorry about your support experience. That should have been the first thing TAC checked considering this is a new use of DNS Proxy. Glad that was it. 

All good its working now.

 

Thanks for your input

<flame on>

You know I asked this support ticket to be escalated to a manager.

 

that was on the 3/12 ... still waiting ... i have had i think 2 missed calls.  recieving calls outside my business hours. also had him hang up cause I couldn't hear him.

 

And I have actually emailed my SE about this.

 

I have found some really good people at PA and I like the products

But I'm finding a lot of support very very very bad.

 

A

 

 

 

  • 1 accepted solution
  • 3979 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!