Join the Conversation

To sign in, use your existing MySonicWall account. To create a free MySonicWall account click "Register".

DNS Proxy breaks DNSSEC validation

BWCBWC Cybersecurity Overlord ✭✭✭
edited April 2022 in Mid Range Firewalls

Hi,

is anyone using the internal DNS Proxy on SonicOS and experienced the problem that DNSSEC validation gets broken for every cached answer? This might break DANE or any other implementation which needs proper DNSSEC validation.

I tested this on an appliance running SonicOS 6.5.4.10 and it can be easily verifed with delv,

1st DNS request (cache empty), validation OK
root@INTEL-NUC10i7FNH:~# delv bsi.de
; fully validated
bsi.de.                 14032   IN      A       80.245.144.218
bsi.de.                 14032   IN      RRSIG   A 8 2 14400 20220501050402 20220421050402 49698 bsi.de. ASDhF4nIAuVQrWg/6/cseOSm/1jR4DUVovhYYBKrt/4ARUiCgUn+j5ft c37+WL81WOS1oHF21r1WQFAmViE/Ml21ePt2x1KfX0x67S9LBbS9Z9tG gbQtkWH1dfUNNyroSks3cUZtSVg72M9QpYVfqE+wG20gpDNczKbG6fLO OTU=

2nd DNS request (bsi.de is in cache), validation failed
root@INTEL-NUC10i7FNH:~# delv bsi.de
;; no valid RRSIG resolving 'de/DS/IN': x.x.x.x#53
;; broken trust chain resolving 'bsi.de/A/IN': x.x.x.x#53
;; resolution failed: broken trust chain

When the cache entry for bsi.de gets flushed it's working again for a single time. Adding the +vtrace Option to the delv command shows the validation process if someone needs details. As a countercheck I disabled the DNS Proxy Cache completely and the validation worked every time.

I'll try to do the same test on a Gen7 appliance next week, but I expect the same outcome.

This might be not an issue for the masses, but nevertheless should be handled properly. Usually I run a proper DNS resolver alongside in DANE scenarios, but this might be not necessary in smaller deployments when done correctly on the Firewall.

--Michael@BWC

Category: Mid Range Firewalls
Reply
Sign In or Register to comment.