DNS-Proxy doesn't recognize DNS type NAPTR (35)

edited April 16 in Firebox - Proxies

Hi guys,

recently, we have been experiencing sporadic outages in our Internet Connection. Tracking it down, we found that our internal DNS-Server did not answer requests (i.e. unable to resolve www.bing.com) . Further Analysis showed that at the same time, requests from the DNS-Server where blocked by our WatchGuard like such:

2019-04-15 14:50:38 M400-Member1 Deny 192.168.0.22 8.8.8.8 dns/udp 64088 53 0-Trusted 1-External ProxyDeny: DNS query type match (DNS-proxy-00) DNS-Outgoing proc_id="dns-proxy" rc="595" msg_id="1DFF-0006" proxy_act="DNS-Outgoing" rule_name="Default" query_type="NAPTR" Traffic

This message was repeated for all external DNS-Servers set as fowarders as well as for Zone masters. This process was then repeated multiple times for About 10 minutes - during this period, our DNS was locked up from answering other requests.

I already looked at the WatchGuard (Fireware 12.2) Settings and found that DNS type "NAPTR" (type Code 35) ist not included in the DNS Proxy and I cannot add it unless I create a new DNS Proxy which I would like to avoid. Further, I don't even know if the DNS Proxy is able to handle this type of request.

Does anybody know if the device can handle NAPTR requests? How do you handle this?

Thanks
PS
(profi ;-))

Comments

  • I don't see why you can't add Query Type 35 to an existing DNS proxy.
    I just tried it and I was able to add it to one of my DNS proxy policies.

  • Hm, Maybe I an going at it the wrong way:

    • from wihin the Firewall Policy Manager, I go to "Setup --> Actions --> Proxies" to open the list of defined "Proxy Actions".
    • There, I select "DNS-Outgoing" and, in the new screen "DNS Proxy Action Configuration (predefined)", the category "Query Types".
    • I add a new query type "NAPTR record" with query type 35 and Action "Allow" and hit OK to store my new type.
    • When I try to close the screen "DNS Proxy Action Configuration (predefined)" I get a message "A predefined or DVCP-created object cannot be modified. However, it can be cloned. If you want to clone it, please enter a unique Name and click OK. Otherwise, click cancel".

    Now, of course, I could simply store the configuration under a new name and assign it to the respective policy but I am not sure wether it needs to be applied elsewhere and if the WatchGuard supports DNS Type NAPTR or if this could cause trouble elsewehere. After all, NAPTR has been around for 10+ years, there has to be a reason it isn't supported out of the box.

  • Edit your existing DNS proxy policy, and add Query Type 35 to it with a name of NAPTR

  • Like I said, I am not allowed to do that: "A predefined or DVCP-created object cannot be modified. However, it can be cloned. If you want to clone it, please enter a unique Name and click OK. Otherwise, click cancel".

  • DVCP is a managed WSM Server function - used for managed VPNs and probably for Fully Managed configs.
    I don't use either.

  • Ricardo_ArroyoRicardo_Arroyo WatchGuard Representative

    Good morning @PSProfi. It sounds like you are using one of the default proxy actions included in Fireware. You cannot modify these actions. You need to clone it then modify your custom proxy action.

    Ricardo Arroyo | Sr. Technical Product Manager / ThreatSync Guru
    WatchGuard Technologies, Inc.

  • Hi Ricardo,
    thanks for your Reply. Can you please answer These two Questions?
    1) does the WatchGuard device support NAPTR type DNS reuqests?
    2) besides the polices in the list, do I have to switch to the custom Proxy Action anywhere else?
    Thanks

  • edited April 16

    1) not out of the box - only if you add Query Type 35 to a DNS proxy
    2) anytime you want to make a change to the default proxy action of any proxy type, you end up creating a custom proxy action

  • Ricardo_ArroyoRicardo_Arroyo WatchGuard Representative
    1. It should as long as you add it to the list of Allowed Query Types
    2. Not sure what you mean by "policies in the list." If you ever create a Proxy policy and decide the settings defined in any of the default proxy actions are insufficient and need to be changed, you always have to clone an existing action and make changes. This is most common for HTTP and HTTPS proxies. If you are happy with the settings defined in the default proxy actions, then there is not need to switch to a custom proxy action.

    Ricardo Arroyo | Sr. Technical Product Manager / ThreatSync Guru
    WatchGuard Technologies, Inc.

Sign In to comment.