7.0.1-5165 - DNS Proxy - Split DNS not working for TCP requests

A customer complained that some DNS records of a Zone, which is configured as Split DNS pointing to the Windows DC, do not resolve when the DNS Proxy is used by the client.
After some digging I figured out the root cause for this: whenever the protocol switches from UDP to TCP, the request does not get forwarded to the internal DNS anymore; instead it goes straight out to the WAN DNS (e.g. Google), which of course fails. UDP+TCP is of course enabled for the DNS Proxy (even on the internal settings page).
Looks like a bug to me. Did anyone come across this, and is it already known and addressed?
—Michael@BWC
Comments
Good Morning @BWC -
Please could you run this test again with "Enable DNS host name lookup over TCP for FQDN" enabled.
Firewall UI » Network » DNS » Settings. On the Page under DNS Rebinding and Cache Lookup.
Hi @Vivek, this option was already enabled but is IMHO not relevant here, because I'm not trying to resolve an FQDN.
—Michael@BWC
@Vivek I checked on my 7.1.3 appliance at home, and it is the same, Split DNS does not work with DNS requests over TCP.
—Michael@BWC
Hi @BWC - we are testing/checking on this one ..
I just took a quick look at a firewall and it seems that what you are seeing is expected; both say UDP only, and their guide says something similar:
https://www.sonicwall.com/support/technical-documentation/docs/sonicos-7-1-dns/Content/DNS_Proxy/dns-proxy-configuring-settings.htm
@Pocho I tend to disagree on that. I'm not trying to enforce all DNS requests, and if the DNS Proxy cache is only going to work with UDP, that is something I can live with. DNS Proxy for TCP is working fine (AFAIK), but the Split DNS isn't.
Funny thing is, the 7.0.1 internal settings have a toggle for DNS Proxy Protocol, UDP+TCP or UDP only; this is gone in 7.1.3.
BTW, same behaviour on 6.5.5.1, which makes me question how I could have missed this all these years.
—Michael@BWC
@Vivek did you have a chance to do some testing? I guess it's not an issue if the AD DNS answer fits into the 512-byte UDP packet, but after that it causes trouble. Maybe that's the reason why it does not come up that often.
—Michael@BWC
@BWC - Thank you for your testing and feedback. This has now been reported to our Support team who are going to work further with engineering. Thanks !