The Domain Name System (DNS) Application Layer Gateway (ALG) service handles data associated with locating and translating domain names into IP addresses. The ALG typically runs on port 53. The ALG monitors DNS query and reply packets and supports only UDP traffic.
DNS ALG Overview
The DNS Application Layer Gateway (ALG) service provides an application-level gateway for use with DNS clients. The DNS ALG service allows a client to access multiple DNS servers in different networks and provides routing to and from those servers. It also supports flexible address translation of the DNS query and response packets. These functions allow the DNS client to query many different domains from a single DNS server instance on the client side of the network.
The DNS server listens through UDP port 53 for incoming queries from DNS resolvers. A resolver communicates with DNS servers by sending DNS queries and handling DNS responses.
The default port for DNS ALG is port 53.
The DNS ALG performs the following functions:
Monitors DNS query and reply packets and closes the session when the DNS reply is received
Performs DNS doctoring
Performs the IPv4 and IPv6 address transformations
The Domain Name System (DNS) was originally designed to support queries of a statically configured database, and the data was expected to change.
Dynamic DNS (DDNS) support is now available in addition to the DNS standard. The main difference between DNS and DDNS is in the message format of the header section and the update message.
DDNS messages are processed differently when compared to DNS messages. Message parsing is rewritten for DDNS. DDNS does NAT and NAT-PT in the query part of the message and DNS does NAT and NAT-PT in the response part of the message.
Example: Configuring the DNS ALG
This example shows how to configure the DNS ALG to pass through DNS traffic with a static NAT pool on Juniper Networks devices.
Before you begin:
Configure a static NAT pool for all IP addresses.
Understand the concepts behind ALG for DNS. See DNS ALG Overview.
In this example, the ALG for DNS is configured to monitor and allow DNS traffic to be exchanged between the clients and the server located on opposite sides of a Juniper Networks device.
This example shows how to configure a static NAT pool and rule set, and associate the DNS ALG to a policy.
Figure 1 shows the DNS ALG topology.
Configuring a NAT Static Pool and Rule Set
CLI Quick Configuration
To quickly configure this section of the example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the hierarchy level, and then enter commit from configuration mode.
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.
To configure a static NAT pool:
- Create a NAT static rule set.
user@host# set security nat static rule-set rs1 from zone untrust
user@host# set security nat static rule-set rs1 rule r1 match destination-address 203.0.113.100
user@host# set security nat static rule-set rs1 rule r1 then static-nat prefix 192.0.2.100
- Associate the DNS application using a policy.
user@host# set security policies from-zone untrust to-zone trust policy u2t match source-address any
user@host# set security policies from-zone untrust to-zone trust policy u2t match destination-address any
user@host# set security policies from-zone untrust to-zone trust policy u2t match application junos-dns-udp
user@host# set security policies from-zone untrust to-zone trust policy u2t then permit
From configuration mode, confirm your configuration by entering the show security nat command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
If you are done configuring the device, enter commit from configuration mode.
Configuring and Printing the DNS Trace
Print the DNS trace file.
From configuration mode, enter the following command.
set security alg traceoptions file alglog
set security alg traceoptions file size 1g
set security alg traceoptions level verbose
set security alg dns traceoptions flag all
To confirm that the configuration is working properly, perform these tasks:
Verifying DNS ALG
Verify that DNS ALG is enabled.
From operational mode, enter the show security alg status command.
user@host> show security alg status
ALG Status :
  DNS      : Enabled
  FTP      : Enabled
  H323     : Disabled
  MGCP     : Disabled
  MSRPC    : Enabled
  PPTP     : Enabled
  RSH      : Disabled
  RTSP     : Disabled
  SCCP     : Disabled
  SIP      : Disabled
  SQL      : Disabled
  SUNRPC   : Enabled
  TALK     : Enabled
  TFTP     : Enabled
  IKE-ESP  : Disabled
The output shows the DNS ALG is enabled.
Verifying DNS ALG Security Flow Session
Verify that a DNS ALG security flow session is established.
From operational mode, enter the show security flow session application dns extensive command.
user@host> show security flow session application dns extensive
Session ID: 24088, Status: Normal
Flags: 0x40/0x0/0x2/0x2000103
Policy name: unt2tru/6
Source NAT pool: Null, Application: junos-dns-udp/16
Dynamic application: junos:UNKNOWN, Encryption: Unknown
Application traffic control rule-set: INVALID, Rule: INVALID
Maximum timeout: 60, Current timeout: 56
Session State: Valid
Start time: 658866, Duration: 10
  In: 192.0.2.0/38926 --> 198.51.100.0/53;udp, Conn Tag: 0x0, Interface: ge-0/0/3.0, Session token: 0xa, Flag: 0x621
    Route: 0x110010, Gateway: 192.0.2.0, Tunnel: 0
    Port sequence: 0, FIN sequence: 0, FIN state: 0, Pkts: 2, Bytes: 116
  Out: 198.51.100.0/53 --> 192.0.2.0/38926;udp, Conn Tag: 0x0, Interface: ge-0/0/2.0, Session token: 0x9, Flag: 0x620
    Route: 0x100010, Gateway: 198.51.100.0, Tunnel: 0
    Port sequence: 0, FIN sequence: 0,
The output shows there is an active flow utilizing the DNS ALG.
Understanding DNS and DDNS Doctoring
Junos OS supports Domain Name System (DNS) for ALGs. The DNS ALG monitors DNS query and reply packets and closes the session if the DNS flag indicates that the packet is a reply message. To configure the DNS ALG, use the edit security alg dns statement at the [edit security alg] hierarchy level.
DNS provides name-to-address mapping within a routing class, whereas Network Address Translation (NAT) attempts to provide transparent routing between hosts in disparate address realms of the same routing class. As a result, NAT can cause some DNS problems that the DNS ALG must handle through a process called DNS doctoring.
The same doctoring feature applies to the dynamic domain name system (DDNS). For DDNS in NAT mode, you also can do the IP translation in the DDNS update.
To resolve the problems introduced by NAT, DNS and DDNS ALG functionality has been extended to support static NAT, allowing the problems to be resolved through DNS doctoring.
The DNS ALG must be enabled on the devices to perform DNS doctoring. With the DNS ALG enabled on SRX3400, SRX3600, SRX4600, SRX5600 and SRX5800 devices, DNS doctoring is enabled by default. (Platform support depends on the Junos OS release in your installation.)
The restoring and doctoring process is performed in two parts:
Packet sanity check
For the DNS packet, the DNS ALG check fields are questions, answers, authority, and additional information. The DNS ALG drops the packet if the number of questions is more than 1, the domain name is more than 255 bytes, or the label length is more than 63 bytes.
For the DDNS packet, the DNS ALG check fields are zone, prerequisite, update, and additional data. The DNS ALG drops the packet if the number of zones is more than 1, the domain name is more than 255 bytes, or the label length is more than 63 bytes.
For both DNS and DDNS, the DNS ALG drops the packet that does not comply with the standards.
Figure 2 shows how DNS translates a private address to a public address.
When host X in external.com resolves host A's address through DNS, and the DNS ALG does not support NAT, host X receives a private address such as 172.19.1.10, which is invalid to host X. With the DNS ALG, the private address is translated to the public address 220.127.116.11.
Figure 3 shows how DNS translates a public address to a private address.
When host A in private.com resolves host B's address through DNS, and the DNS ALG does not support NAT, host A receives a public address from the DNS server in external.com, such as 18.104.22.168. If host A then sends traffic to host B using the public address 22.214.171.124, that address is invalid to host B in the private domain. Hence, the public address in the DNS A-record is translated to the private address 172.19.2.1 through the DNS ALG.
The DNS ALG can translate the first 32 A-records in a single DNS reply. A-records after the first 32 records are not handled. Also note that the DNS ALG supports IPv4 and IPv6 addresses and does not support VPN tunnels.
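The packet sanity check and the A-record translation described above can be modelled in a few dozen lines. The following Python is an added illustration written for this page, not Junos OS code: it parses a DNS reply, drops it (by raising) when the question count exceeds 1, a label exceeds 63 bytes or a name exceeds 255 bytes, and then rewrites the first 32 A-records through a static NAT map. The NAT map, the sample reply and the hostnames are constructed for the example; the addresses are the ones used in Figure 2.

```python
"""Model of the DNS ALG sanity check and A-record doctoring (added example, not Junos code)."""
import struct
from typing import Dict, List, Tuple

MAX_NAME_LEN = 255            # wire-format name limit enforced by the sanity check
MAX_LABEL_LEN = 63            # single-label limit enforced by the sanity check
MAX_DOCTORED_A_RECORDS = 32   # only the first 32 A-records in a reply are translated
TYPE_A = 1


class DnsSanityError(ValueError):
    """Raised where the ALG would drop the packet."""


def read_name(msg: bytes, offset: int) -> Tuple[str, int]:
    """Parse a (possibly compressed) name; return (dotted name, offset after it)."""
    labels, wire_len, end, jumps = [], 0, None, 0
    while True:
        if offset >= len(msg):
            raise DnsSanityError("truncated name")
        length = msg[offset]
        if length & 0xC0 == 0xC0:                       # compression pointer
            jumps += 1
            if jumps > 16:
                raise DnsSanityError("compression pointer loop")
            if end is None:
                end = offset + 2                        # caller resumes after the pointer
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        if length > MAX_LABEL_LEN:
            raise DnsSanityError(f"label length {length} exceeds {MAX_LABEL_LEN}")
        offset += 1
        wire_len += 1                                   # the length byte itself
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
        wire_len += length
    if wire_len > MAX_NAME_LEN:
        raise DnsSanityError(f"name length {wire_len} exceeds {MAX_NAME_LEN}")
    return ".".join(labels), end if end is not None else offset


Record = Tuple[str, int, int, int]   # (name, type, rdata offset, rdata length)


def parse(msg: bytes) -> List[Record]:
    """Walk the question and resource-record sections, applying the ALG sanity checks."""
    if len(msg) < 12:
        raise DnsSanityError("truncated header")
    _ident, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    if qd > 1:
        raise DnsSanityError(f"{qd} questions; the ALG allows at most 1")
    offset = 12
    for _ in range(qd):
        _, offset = read_name(msg, offset)
        offset += 4                                     # QTYPE + QCLASS
    records: List[Record] = []
    for _ in range(an + ns + ar):
        name, offset = read_name(msg, offset)
        if offset + 10 > len(msg):
            raise DnsSanityError("truncated resource record")
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        if offset + rdlen > len(msg):
            raise DnsSanityError("RDATA runs past end of packet")
        records.append((name, rtype, offset, rdlen))
        offset += rdlen
    if offset != len(msg):
        raise DnsSanityError("trailing bytes after last record")
    return records


def doctor(msg: bytes, nat_map: Dict[str, str]) -> bytes:
    """Rewrite A-record addresses through a static NAT map, as DNS doctoring does."""
    out = bytearray(msg)
    seen_a = 0
    for _name, rtype, rd_off, rdlen in parse(msg):
        if rtype != TYPE_A or rdlen != 4:
            continue
        seen_a += 1
        if seen_a > MAX_DOCTORED_A_RECORDS:
            break                                       # later A-records are left untouched
        addr = ".".join(str(b) for b in msg[rd_off:rd_off + 4])
        if addr in nat_map:
            out[rd_off:rd_off + 4] = bytes(int(p) for p in nat_map[addr].split("."))
    return bytes(out)


def a_records(msg: bytes) -> List[str]:
    """Dotted-quad addresses of every A-record in the message."""
    return [".".join(str(b) for b in msg[o:o + 4])
            for _n, t, o, l in parse(msg) if t == TYPE_A and l == 4]


# --- constructed sample packets (built here, not captured traffic) ----------
def encode_name(name: str) -> bytes:
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"


def build_reply(qname: str, answers: List[str], qdcount: int = 1) -> bytes:
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, qdcount, len(answers), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", TYPE_A, 1)
    rrs = b"".join(b"\xC0\x0C" + struct.pack("!HHIH", TYPE_A, 1, 300, 4)
                   + bytes(int(p) for p in a.split(".")) for a in answers)
    return header + question + rrs


if __name__ == "__main__":
    nat = {"172.19.1.10": "220.127.116.11"}            # private -> public, as in Figure 2
    reply = build_reply("hosta.private.com", ["172.19.1.10"])
    print(a_records(doctor(reply, nat)))
```

A reply carrying 33 A-records shows the limit from the text: the first 32 come back translated and the 33rd keeps its private address, which is the case to watch for when a zone returns long round-robin answer sets through the ALG.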
Disabling DNS and DDNS Doctoring
The DNS ALG must be enabled on the devices to perform DNS and DDNS doctoring. With the DNS ALG enabled on the device, the DNS and DDNS doctoring feature is enabled by default. You can disable DNS and DDNS doctoring with the CLI.
To disable DNS and DDNS doctoring:
- Disable all the doctoring features by specifying the none configuration option. This command disables all the doctoring features.
user@host# set security alg dns doctoring none
- Disable the NAT feature and retain the sanity-check feature by specifying the sanity-check configuration option. This option disables the NAT feature and retains the sanity-check feature.
user@host# set security alg dns doctoring sanity-check
- If you are finished configuring the device, commit the configuration.
- To verify the configuration, use the vty command show usp algs dns stats.