DNS Flag Day
Hi,

When doing some investigation for the upcoming DNS Flag Day (https://dnsflagday.net: February 1st 2019) I got some bad news from one of the service providers: they use Juniper SRX firewalls, and claim that they can't properly support EDNS because of a bug in their SRX firewalls. This seems outrageous to me. Is this just because they haven't upgraded their JunOS for years, they're running ancient DNS server software, or is there really a problem?

I didn't get any more information from them, just "it's because of Juniper". An example test can be seen here: https://ednscomp.isc.org/ednscomp/704c5b6649:

> Checking: 'computel.nl' as at 2019-01-25T11:05:00Z
>
> computel.nl. @83.137.17.10 (ns2.computel.nl.): dns=ok edns=ok edns1=timeout edns@512=ok ednsopt=ok edns1opt=timeout do=ok ednsflags=ok docookie=ok edns512tcp=ok optlist=timeout
> computel.nl. @2001:4038:0:17::10 (ns2.computel.nl.): dns=ok edns=ok edns1=timeout edns@512=ok ednsopt=ok edns1opt=timeout do=ok ednsflags=ok docookie=ok edns512tcp=ok optlist=timeout
>
> computel.nl. @83.137.20.153 (ns3.computel-standby.eu.): dns=ok edns=ok edns1=ok edns@512=ok ednsopt=ok edns1opt=ok do=ok ednsflags=ok docookie=ok edns512tcp=ok optlist=ok,nsid (ns3.computel-standby.eu)
> computel.nl. @2001:4038:0:21::153 (ns3.computel-standby.eu.): dns=ok edns=ok edns1=ok edns@512=ok ednsopt=ok edns1opt=ok do=ok ednsflags=ok docookie=ok edns512tcp=ok optlist=ok,nsid (ns3.computel-standby.eu)
>
> computel.nl. @83.137.20.10 (ns1.computel.nl.): dns=ok edns=ok edns1=timeout edns@512=ok ednsopt=ok edns1opt=timeout do=ok ednsflags=ok docookie=ok edns512tcp=ok optlist=timeout
> computel.nl. @2001:4038:0:20::10 (ns1.computel.nl.): dns=ok edns=ok edns1=timeout edns@512=ok ednsopt=ok edns1opt=timeout do=ok ednsflags=ok docookie=ok edns512tcp=ok optlist=timeout

I am wondering what's going on here, and whether there is really a bug in JunOS on SRX or whether it's just "easiest to blame the firewall"...

Cheers!
Sander

_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: DNS Flag Day
> When doing some investigation for the upcoming DNS Flag Day (https://dnsflagday.net: February 1st 2019) I got some bad news from one of the service providers: they use Juniper SRX firewalls, and claim that they can't properly support EDNS because of a bug in their SRX firewalls. This seems outrageous to me. Is this just because they haven't upgraded their JunOS for years, they're running ancient DNS server software, or is there really a problem?

See

https://mailman.nanog.org/pipermail/nanog/2019-January/099180.html

"Juniper and Checkpoint have newer code that doesn't do this."

Steinar Haug, Nethelp consulting, sthaug@nethelp.no
Re: DNS Flag Day
What they told you sounds like bullshit to me. From 10.2 on there are no special settings required. Maybe they don’t know how to do it?

So I guess they are just very lazy or don’t know better and blame the firewall... I pray for you that they don’t run code below 10.2...

https://kb.juniper.net/InfoCenter/index?page=content&id=KB23569&cat=SRX_5600_1&actp=LIST


CHS

Sent from my iPhone

On 25.01.2019 at 12:53, sthaug@nethelp.no wrote:

>> When doing some investigation for the upcoming DNS Flag Day (https://dnsflagday.net: February 1st 2019) I got some bad news from one of the service providers: they use Juniper SRX firewalls, and claim that they can't properly support EDNS because of a bug in their SRX firewalls. This seems outrageous to me. Is this just because they haven't upgraded their JunOS for years, they're running ancient DNS server software, or is there really a problem?
>
> See
>
> https://mailman.nanog.org/pipermail/nanog/2019-January/099180.html
>
> "Juniper and Checkpoint have newer code that doesn't do this."
>
> Steinar Haug, Nethelp consulting, sthaug@nethelp.no
Re: DNS Flag Day
It would mean that they run something older than JunOS 10.2, which is a prehistoric release and would be criminal in terms of security.
Anyway, putting stateful firewalls in front of DNS servers is nonsense from the beginning.

> On 25 Jan 2019 at 13:06, Christian Scholz <chs@ip4.de> wrote:
>
> What they told you sounds like bullshit to me. From 10.2 on there are no special settings required. Maybe they don’t know how to do it?
>
> So I guess they are just very lazy or don’t know better and blame the firewall... I pray for you that they don’t run Code below 10.2...
>
> https://kb.juniper.net/InfoCenter/index?page=content&id=KB23569&cat=SRX_5600_1&actp=LIST
>
>
> Am 25.01.2019 um 12:53 schrieb sthaug@nethelp.no:
>
>>> When doing some investigation for the upcoming DNS Flag Day (https://dnsflagday.net: February 1st 2019) I got some bad news from one of the service providers: they use Juniper SRX firewalls, and claim that they can't properly support EDNS because of a bug in their SRX firewalls. This seems outrageous to me. Is this just because they haven't upgraded their JunOS for years, they're running ancient DNS server software, or is there really a problem?
>>
>> See
>>
>> https://mailman.nanog.org/pipermail/nanog/2019-January/099180.html
>>
>> "Juniper and Checkpoint have newer code that doesn't do this."

Re: DNS Flag Day
> What they told you sounds like bullshit to me. From 10.2 on
> there are no special settings required. Maybe they don't know
> how to do it?
>
> So I guess they are just very lazy or don't know better and
> blame the firewall... I pray for you that they don't run Code
> below 10.2...
>
> https://kb.juniper.net/InfoCenter/index?page=content&id=KB23569&cat=SRX_5600_1&actp=LIST

I'm guessing this isn't it.

If you inspect the error report at

https://ednscomp.isc.org/ednscomp/704c5b6649

it's quite clear that the test probes for support for EDNS
version 1, and expects a "bad version" response, but is instead
met with a DNS query time-out, indicating that an intermediate
box has blocked either the query (most likely) or the response.

Not responding with "bad version" violates a MUST requirement of
section 6.1.3 in RFC 6891, and is likely to be an impediment to
actually develop & deploy EDNS version 1 (not yet standardized),
and makes efficient EDNS version support negotiation impossible.

It's conceivable this is PR1379433, "DNS requests with EDNS
options might be dropped by DNS ALG", fixed-in 15.1X49-D160
17.4R3 18.1R3 18.2R2 18.3R1 18.4R1.

Regards,

- Håvard
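As an added illustration of the probe described in the message above (example code written for this archive, not part of the thread, of ISC's ednscomp tool, or of Junos), the following standard-library Python script builds a query that carries EDNS version 1 and classifies the reply the way that test does: a compliant server answers BADVERS, a server without EDNS answers with no OPT record at all, and a silent drop by an intermediate box shows up as a timeout. The zone name example.net and the server address in the final comment are placeholders, and the two response builders construct sample packets rather than captured traffic.

```python
import socket
import struct

OPT_TYPE = 41          # OPT pseudo-RR type (RFC 6891)
RCODE_BADVERS = 16     # extended RCODE 1 combined with header RCODE 0


def build_edns_query(qname: str, edns_version: int = 1, txid: int = 0x1234, udp_size: int = 4096) -> bytes:
    """Build a SOA query for qname carrying an OPT RR that advertises the given EDNS version.
    Sending version 1 is what the ednscomp 'edns1' check does; a server that only implements
    version 0 MUST answer BADVERS (RFC 6891 section 6.1.3) rather than stay silent."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)   # RD set; 1 question, 1 additional (OPT)
    labels = qname.rstrip(".").split(".")
    question = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"
    question += struct.pack("!HH", 6, 1)                          # QTYPE SOA, QCLASS IN
    # OPT RR: root owner name, CLASS field = UDP payload size, TTL field = ext-rcode|version|flags
    ttl = (0 << 24) | (edns_version << 16) | 0
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_size, ttl, 0)
    return header + question + opt


def skip_name(pkt: bytes, off: int) -> int:
    """Return the offset just past the wire-format name at off (handles compression pointers)."""
    while True:
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # a 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def classify_response(pkt: bytes) -> str:
    """Classify a reply to the EDNS1 probe by reading its OPT RR, if there is one."""
    _txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(pkt, off) + 4                             # skip QNAME, QTYPE, QCLASS
    ext_rcode = version = None
    for _ in range(an + ns + ar):
        off = skip_name(pkt, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT_TYPE:
            ext_rcode, version = ttl >> 24, (ttl >> 16) & 0xFF
    if ext_rcode is None:
        return "no-opt"                                           # answered, but without EDNS at all
    rcode = (ext_rcode << 4) | (flags & 0x0F)
    if rcode == RCODE_BADVERS:
        return "badvers"                                          # the compliant answer
    return f"rcode{rcode}-version{version}"


def send_probe(server_ip: str, qname: str, timeout: float = 3.0) -> str:
    """Send the EDNS1 probe over UDP. 'timeout' is the symptom in the ednscomp report:
    either the query or the reply was dropped somewhere in between."""
    query = build_edns_query(qname)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server_ip, 53))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "timeout"
    return classify_response(data)


def constructed_badvers_response(query: bytes) -> bytes:
    """Constructed sample (not captured traffic): the BADVERS reply a compliant server returns."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 0, 0, 1)    # QR, RD, RA set; header RCODE 0
    question = query[12:skip_name(query, 12) + 4]
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, 4096, (1 << 24) | (0 << 16), 0)  # ext-rcode 1, version 0
    return header + question + opt


def constructed_plain_response(query: bytes) -> bytes:
    """Constructed sample: a NOERROR reply with no OPT RR, i.e. a server that does not speak EDNS."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 0, 0, 0)
    return header + query[12:skip_name(query, 12) + 4]


if __name__ == "__main__":
    q = build_edns_query("example.net.")                          # placeholder zone, not one from the thread
    print("compliant server ->", classify_response(constructed_badvers_response(q)))
    print("non-EDNS server  ->", classify_response(constructed_plain_response(q)))
    # Against a live authoritative server you would call, e.g.: send_probe("192.0.2.1", "example.net.")
```

Run from a vantage point outside the firewall: "badvers" or "no-opt" both mean the packets got through and only the server's behaviour is at issue, while "timeout" on a server that answers plain queries fine points at a middlebox dropping the EDNS1 exchange, which is exactly what the ednscomp output in the original message shows.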
Re: DNS Flag Day
One of our SRXes was blocking EDNSv1, and so we disabled the DNS ALG to
resolve our issue; this might be a prudent approach depending on your
environment.
Not sure this will help the OP as the device(s) in question are outside
their administrative domain. :)

HTH,
Niall

-----Original Message-----
From: juniper-nsp [mailto:juniper-nsp-bounces@puck.nether.net] On Behalf Of
Havard Eidnes
Sent: 25 January 2019 12:42
To: chs@ip4.de
Cc: juniper-nsp@puck.nether.net
Subject: Re: [j-nsp] DNS Flag Day

Re: DNS Flag Day
Hi Melchior,

> Thanks for pointing this out. Please have a look at https://prsearch.juniper.net/InfoCenter/index?page=prcontent&id=PR1379433 and let me know your ideas.

Yep, that sounds exactly like what's happening!

"Resolved In 15.1X49-D160 17.4R3 18.1R3 18.2R2 18.3R1 18.4R1" sounds hopeful :)

Thanks!
Sander
