Hi folks; I'm looking for a little information on how the SmartDefense
DNS stuff works in CheckPoint.
We run BIND 9.3.5 behind our firewalls which have SmartDefense on, but
occasionally have problems with EDNS queries to certain domains
(boeing.com for example). Here's what happens with queries to boeing's
DNS servers (and others like it):
- Our DNS server sends a request out with Transaction ID 1 and an
EDNS payload.
- Boeing sends a packet back saying "Format error". However, the
Transaction ID number on this packet is something other than 1.
dig gives an error when this happens and I imagine BIND throws the
query away.
- As a result, a query timeout occurs and the same process is
repeated for all boeing's DNS servers.
- Once all the queries have timed out, the query is resent again to
the first server without EDNS. This time the query succeeds.
In limited testing it appears that if we disable SmartDefense, EDNS
queries to boeing work fine -- the transaction IDs match, and BIND
will correctly retransmit the query with EDNS off upon receipt of the
first "format error" packet from boeing.
So this begs a couple of questions:
- Why do EDNS queries work fine to *some* domains? One would think
if SmartDefense is scrambling transaction IDs it would do this
consistently for any domain. Instead we can reproduce it every
time with boeing, but other domains work fine every single time.
- How does the SmartDefense scrambling feature work? Sometimes we
see that the SmartDefense is triggered on an outgoing packet, but
sometimes not. My theory is that it only scrambles if the
transaction ID number is too close to a previous query --
"predictable".
ISC (BIND folks) is of the opinion[1] that the problem is on our end vs an
issue with boeing's side (my theory was they might have a FW doing
transaction ID scrambling as well which stepped on our own -- this
doesn't really explain to me why queries to boeing without EDNS
payloads would work fine however).
Our current solution is either to disable EDNS queries or to turn off
SmartDefense for DNS -- neither is an ideal solution.
Any thoughts or insight?
Thanks,
Ray
[1] https://lists.isc.org/pipermail/bind-users/2009-January/074558.html
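The following Python is an added illustration, not code from Ray's post, from ISC or from Check Point. It builds a constructed EDNS query and constructed FORMERR replies (the rewritten ID 0x4a7c is an invented sample value) and shows why BIND's EDNS fallback only happens when the reply's transaction ID matches: a reply whose ID was rewritten in transit cannot be matched to an outstanding query, so it is dropped and the query times out, exactly the symptom described above.

```python
import struct

# Constructed sample traffic: a resolver's EDNS query (ID 1) for boeing.com/A and
# FORMERR replies to it; no real packets from the post are used.

def build_query(txid, name, edns=True):
    """Return a DNS query; with edns=True an EDNS0 OPT RR is appended (ARCOUNT=1)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if edns else 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    question = qname + struct.pack("!HH", 1, 1)          # QTYPE A, QCLASS IN
    # OPT RR: root name, TYPE 41, CLASS = UDP payload size 4096,
    # TTL = extended rcode/version/flags all 0, RDLEN 0 (11 bytes total)
    opt = (b"\x00" + struct.pack("!HHIH", 41, 4096, 0, 0)) if edns else b""
    return header + question + opt

def formerr_reply(txid, query):
    """Constructed FORMERR reply: echoes the question, drops any OPT RR, uses the given ID."""
    question = query[12:]
    if struct.unpack("!H", query[10:12])[0]:             # query carried an OPT RR
        question = question[:-11]
    # flags 0x8181: QR=1, RD=1, RA=1, RCODE=1 (FORMERR)
    return struct.pack("!HHHHHH", txid, 0x8181, 1, 0, 0, 0) + question

def parse_header(pkt):
    """Pull the fields a resolver needs to match and interpret a reply."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    return {"id": txid, "qr": flags >> 15, "rcode": flags & 0xF, "arcount": ar}

def classify_reply(query, reply):
    """Mirror a resolver's decision: 'discard', 'retry-without-edns' or 'accept'."""
    q, r = parse_header(query), parse_header(reply)
    if r["qr"] != 1 or r["id"] != q["id"]:
        # An ID that matches no outstanding query is unmatchable: the reply is
        # dropped and the original query runs to its timeout.
        return "discard"
    if r["rcode"] == 1 and q["arcount"] > 0:
        # FORMERR to an EDNS query: the server rejected OPT, so retry plain.
        return "retry-without-edns"
    return "accept"

def simulate(rewrite_id):
    """Walk the exchange once; rewrite_id models a middlebox changing the reply's ID."""
    query = build_query(1, "boeing.com")
    reply = formerr_reply(0x4A7C if rewrite_id else 1, query)   # 0x4A7C is a made-up ID
    return classify_reply(query, reply)

if __name__ == "__main__":
    print("matching ID  ->", simulate(rewrite_id=False))   # retry-without-edns
    print("rewritten ID ->", simulate(rewrite_id=True))    # discard
```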