Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

DNS ALG

 

The Domain Name System (DNS) Application Layer Gateway (ALG) service handles data associated with locating and translating domain names into IP addresses. The ALG typically runs on port 53. The ALG monitors DNS query and reply packets and supports only UDP traffic.

DNS ALG Overview

The DNS Application Layer Gateway (ALG) service provides an application-level gateway for use with DNS clients. The DNS ALG service allows a client to access multiple DNS servers in different networks and provides routing to and from those servers. It also supports flexible address translation of the DNS query and response packets. These functions allow the DNS client to query many different domains from a single DNS server instance on the client side of the network.

The DNS server listens through UDP port 53 for incoming queries from DNS resolvers. A resolver communicates with DNS servers by sending DNS queries and handling DNS responses.

Note

The default port for DNS ALG is port 53.

The DNS ALG performs the following functions:

  • Monitors DNS query and reply packets and closes the session when the DNS reply is received

  • Performs DNS doctoring

  • Performs the IPv4 and IPv6 address transformations

The Domain Name System (DNS) was originally designed to support queries of a static configured database and the data was expected to change.

Dynamic DNS (DDNS) support is now available in addition to the DNS standard. The main difference between DNS and DDNS is in the message format of the header section and the update message.

DDNS messages are processed differently when compared to DNS messages. Message parsing is rewritten for DDNS. DDNS does NAT and NAT-PT in the query part of the message and DNS does NAT and NAT-PT in the response part of the message.

Example: Configuring the DNS ALG

This example shows how to configure the DNS ALG to pass through DNS traffic with a static NAT pool on Juniper Networks devices.

Requirements

Before you begin:

  • Configure static NAT pool for all IP address.

  • Understand the concepts behind ALG for DNS. See DNS ALG Overview.

Overview

In this example, the ALG for DNS is configured to monitor and allow DNS traffic to be exchanged between the clients and the server located on opposite sides of a Juniper Networks device.

This example shows how to configure a static NAT pool and rule set, and associate the DNS ALG to a policy.

Topology

Figure 1 shows the DNS ALG topology.

Figure 1: DNS ALG Topology
DNS ALG Topology

Configuration

Configuring a NAT Static Pool and Rule Set

CLI Quick Configuration

To quickly configure this section of the example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

To configure a static NAT pool:

  1. Create a NAT static rule set.
  2. Associate the DNS application using a policy.

Results

From configuration mode, confirm your configuration by entering the show security nat command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Configuring and Printing the DNS Trace

Purpose

Print the DNS trace file.

Action

From configuration mode, enter the following command.

set security alg traceoptions file alglog
set security alg traceoptions file size 1g
set security alg traceoptions level verbose
set security alg dns traceoptions flag all

Verification

To confirm that the configuration is working properly, perform these tasks:

Verifying DNS ALG

Purpose

Verify that DNS ALG is enabled.

Action

From operational mode, enter the show security alg status command.

user@host> show security alg status

Meaning

The output shows the DNS ALG is enabled.

Verifying DNS ALG Security Flow Session

Purpose

Verify ALG security flow session is enabled.

Action

From operational mode, enter the show security flow session application dns extensive command.

user@host> show security flow session application dns extensive

Meaning

The output shows there is an active flow utilizing the DNS ALG.

See also

Understanding DNS and DDNS Doctoring

Junos OS supports Domain Name System (DNS) for ALGs. The DNS ALG monitors DNS query and reply packets and closes the session if the DNS flag indicates that the packet is a reply message. To configure the DNS ALG, use the edit security alg dns statement at the [edit security alg] hierarchy level.

DNS provides name-to-address mapping within a routing class, whereas Network Address Translation (NAT) attempts to provide transparent routing between hosts in disparate address realms of the same routing class. As a result, NAT can cause some DNS problems the DNG ALG must handle through a process called DNS doctoring.

The same doctoring feature applies to the dynamic domain name system (DDNS). For DDNS in NAT mode, you also can do the IP translation in the DDNS update.

To resolve the problems introduced by NAT, DNS and DDNS ALG functionality has been extended to support static NAT, allowing the problems to be resolved through DNS doctoring.

Note

The DNS ALG must be enabled on the devices to perform DNS doctoring. With the DNS ALG enabled on SRX3400, SRX3600, SRX4600, SRX5600 and SRX5800 devices, DNS doctoring is enabled by default. (Platform support depends on the Junos OS release in your installation.)

The restoring and doctoring process is performed in two parts:

  • Packet sanity check

    For the DNS packet, the DNS ALG check fields are questions, answers, authority, and additional information. The DNS ALG drops the packet if the number of questions is more than 1, the domain name is more than 255 bytes, or the label length is more than 63 bytes.

    For the DDNS packet, the DNS ALG check fields are zone, prerequisite, update, and additional data. The DNS ALG drops the packet if the number of zones is more than 1, the domain name is more than 255 bytes, or the label length is more than 63 bytes.

    For both DNS and DDNS, the DNS ALG drops the packet that does not comply with the standards.

  • NAT

Figure 2 shows how DNS translates a private address to a public address.

Figure 2: DNS Address Translation (Private to Public)
DNS Address Translation
(Private to Public)

When host X in external.com wants to resolve host A’s address through DNS and if the DNS ALG does not support NAT, it takes a private address such as 172.19.1.10, which is invalid to host X. The private address is translated to public address 131.108.1.10 through the DNS ALG.

Figure 3 shows how DNS translates a public address to a private address.

Figure 3: DNS Address Translation (Public to Private)
DNS Address Translation
(Public to Private)

When host A in private.com wants to resolve host B's address through DNS and if the DNS ALG does not support NAT, it takes a public address from the DNS server in external.com, such as 131.108.1.8. If Host A sends traffic to host B with public address 131.108.1.8, which is invalid to host B in the private domain. Hence, the public address in the DNS query A-record is translated to private address 172.19.2.1 through the DNS ALG.

Note

The DNS ALG can translate the first 32 A-records in a single DNS reply. A-records after the first 32 records are not handled. Also note that the DNS ALG supports IPv4 and IPv6 addresses and does not support VPN tunnels.

Disabling DNS and DDNS Doctoring

The DNS ALG must be enabled on the devices to perform DNS and DDNS doctoring. With the DNS ALG enabled on the device, the DNS and DDNS doctoring feature is enabled by default. You can disable DNS and DDNS doctoring with the CLI.

To disable DNS and DDNS doctoring:

  1. Disable all the doctoring features by specifying the none configuration option.

    This command disables all the doctoring features.

  2. Disable the NAT feature and retain the sanity-check feature by specifying the sanity-check configuration option.

    This option disables the NAT feature and retains the sanity-check feature.

  3. If you are finished configuring the device, commit the configuration.
  4. To verify the configuration, use the vty command show usp algs dns stats.

Related Documentation