DNS-Proxy - Oversized Question - AD Client not registering in AD DNS.

Hi Guys,

When using a DNS Proxy between VLANs there is a problem when a client needs to register itself against DNS, with the WatchGuard throwing a DNS oversized question error and the client not appearing in the Active Directory DNS console.

Commands:

  • ipconfig /registerdns

2022-01-07 12:20:59 FIREWALL01 Allow 192.168.50.20 192.168.1.10 dns/tcp 61681 53 Limited Access LAN Allowed 52 127 (DNS-PROXY-00)  proc_id="firewall" rc="100" msg_id="3000-0148" tcp_info="offset 8 S 872042574 win 61690" Traffic
2022-01-07 12:20:59 FIREWALL01 Allow 192.168.50.20 192.168.1.10 dns/udp 61994 53 Limited Access LAN Allowed 71 127 (DNS-PROXY-00)  proc_id="firewall" rc="100" msg_id="3000-0148"   Traffic
2022-01-07 12:20:59 FIREWALL01 Allow 192.168.50.20 192.168.1.10 dns/udp 65470 53 Limited Access LAN Allowed 132 127 (DNS-PROXY-00)  proc_id="firewall" rc="100" msg_id="3000-0148"  Traffic
2022-01-07 12:20:59 FIREWALL01 **Deny** 192.168.50.20 192.168.1.10 dns/tcp 61681 53 Limited Access LAN ProxyDeny: **DNS oversized question**   (DNS-PROXY-00)  proc_id="dns-proxy" rc="595" msg_id="1DFF-0008"  Traffic

When using a DNS Packet filter this issue isn't present and the client will register itself successfully.

2022-01-07 12:15:59 FIREWALL01 Allow 192.168.50.20 192.168.1.10 dns/tcp 58283 53 Limited Access LAN Allowed 52 127 (DNS-PACKETFILTER-00)  proc_id="firewall" rc="100" msg_id="3000-0148" tcp_info="offset 8 S 1645953690 win 61690" Traffic
2022-01-07 12:15:59 FIREWALL01 Allow 192.168.50.20 192.168.1.10 dns/udp 51236 53 Limited Access LAN Allowed 71 127 (DNS-PACKETFILTER-00)  proc_id="firewall" rc="100" msg_id="3000-0148" Traffic
2022-01-07 12:15:59 FIREWALL01 Allow 192.168.50.20 192.168.1.10 dns/udp 52607 53 Limited Access LAN Allowed 71 127 (DNS-PACKETFILTER-00)  proc_id="firewall" rc="100" msg_id="3000-0148" Traffic
2022-01-07 12:15:59 FIREWALL01 Allow 192.168.50.20 192.168.1.10 dns/udp 53609 53 Limited Access LAN Allowed 132 127 (DNS-PACKETFILTER-00)  proc_id="firewall" rc="100" msg_id="3000-0148"   Traffic
2022-01-07 12:15:59 FIREWALL01 Allow 192.168.50.20 192.168.1.10 dns/udp 63614 53 Limited Access LAN Allowed 253 127 (DNS-PACKETFILTER-00)  proc_id="firewall" rc="100" msg_id="3000-0148" Traffic

If the client has already registered itself against DNS and you re-instate the DNS Proxy rule everything is fine:

2022-01-07 12:36:07 FIREWALL01 Allow 192.168.50.20 192.168.1.10 dns/udp 54993 53 Limited Access LAN Allowed 71 127 (DNS-PROXY)  proc_id="firewall" rc="100" msg_id="3000-0148" Traffic
2022-01-07 12:36:07 FIREWALL01 Allow 192.168.50.20 192.168.1.10 dns/udp 58379 53 Limited Access LAN Allowed 156 127 (DNS-PROXY)  proc_id="firewall" rc="100" msg_id="3000-0148" Traffic
2022-01-07 12:36:07 FIREWALL01 Allow 192.168.50.20 192.168.1.10 dns/udp 58435 53 Limited Access LAN Allowed 132 127 (DNS-PROXY)  proc_id="firewall" rc="100" msg_id="3000-0148" Traffic
2022-01-07 12:36:07 FIREWALL01 Allow 192.168.50.20 192.168.1.10 dns/udp 64875 53 Limited Access LAN Allowed 71 127 (DNS-PROXY)  proc_id="firewall" rc="100" msg_id="3000-0148" Traffic

Until you delete the record out of the Active Directory DNS zone; then you get another DNS oversized question error when you re-run the ipconfig /registerdns command as the client tries to register itself again.

2022-01-07 12:40:33 FIREWALL01 Allow 192.168.50.20 192.168.1.10 dns/tcp 61635 53 Limited Access LAN Allowed 52 127 (DNS-PROXY)  proc_id="firewall" rc="100" msg_id="3000-0148" tcp_info="offset 8 S 1091383485 win 61690"   Traffic
2022-01-07 12:40:33 FIREWALL01 Allow 192.168.50.20 192.168.1.10 dns/udp 57375 53 Limited Access LAN Allowed 71 127 (DNS-PROXY)  proc_id="firewall" rc="100" msg_id="3000-0148" Traffic
2022-01-07 12:40:33 FIREWALL01 Allow 192.168.50.20 192.168.1.10 dns/udp 63557 53 Limited Access LAN Allowed 132 127 (DNS-PROXY)  proc_id="firewall" rc="100" msg_id="3000-0148" Traffic
2022-01-07 12:40:33 FIREWALL01 **Deny** 192.168.50.20 192.168.1.10 dns/tcp 61635 53 Limited Access LAN ProxyDeny: **DNS oversized question**   (DNS-PROXY)  proc_id="dns-proxy" rc="595" msg_id="1DFF-0008" Traffic

I have flipped all settings to allow and none of them correct the DNS oversized question error. This appears to be something in the backend that at this point is not configurable. Is there anything that can be amended so that a DNS proxy can be used between VLANs and domain-joined machines?

Comments

  • james.carson Moderator, WatchGuard Representative

    Hi @DaveDave
    The DNS proxy is really only designed to allow DNS queries and prevent things like zone transfers, as well as other protocols using DNS's port to bypass content restrictions. A client trying to register itself to AD DNS is going to be quite different (and larger).

    For AD DNS registrations, you'll need to use a DNS packet filter (I'd suggest making a rule to the specific DNS server, vice network to network).

    -James Carson
    WatchGuard Customer Support
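The thread above identifies the log signature of a failed registration: a TCP session to port 53 that the dns-proxy process rejects with "DNS oversized question", while the same client under a packet-filter policy only produces Allow lines. The script below is an added example (not from the original thread or from WatchGuard) that parses traffic-log lines in the format quoted in the post, flags the client/server pairs hitting that ProxyDeny, and tallies Allow versus ProxyDeny per policy so the proxy and packet-filter behaviour can be compared side by side. The sample lines are constructed, modelled on the ones in the post; the regular expression is an assumption about the field layout shown there, not an official log schema.

```python
import re
from collections import Counter

# Constructed sample, modelled on the WatchGuard traffic-log lines quoted in this thread.
SAMPLE_LOG = """\
2022-01-07 12:20:59 FIREWALL01 Allow 192.168.50.20 192.168.1.10 dns/tcp 61681 53 Limited Access LAN Allowed 52 127 (DNS-PROXY-00)  proc_id="firewall" rc="100" msg_id="3000-0148" tcp_info="offset 8 S 872042574 win 61690" Traffic
2022-01-07 12:20:59 FIREWALL01 Allow 192.168.50.20 192.168.1.10 dns/udp 61994 53 Limited Access LAN Allowed 71 127 (DNS-PROXY-00)  proc_id="firewall" rc="100" msg_id="3000-0148"   Traffic
2022-01-07 12:20:59 FIREWALL01 Deny 192.168.50.20 192.168.1.10 dns/tcp 61681 53 Limited Access LAN ProxyDeny: DNS oversized question   (DNS-PROXY-00)  proc_id="dns-proxy" rc="595" msg_id="1DFF-0008"  Traffic
2022-01-07 12:15:59 FIREWALL01 Allow 192.168.50.20 192.168.1.10 dns/udp 63614 53 Limited Access LAN Allowed 253 127 (DNS-PACKETFILTER-00)  proc_id="firewall" rc="100" msg_id="3000-0148" Traffic
"""

# Assumed field layout: timestamp, device, action, src, dst, service, sport, dport,
# free-text detail, (policy name), then key="value" pairs starting with proc_id.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<fw>\S+) (?P<action>Allow|Deny) "
    r"(?P<src>\d+(?:\.\d+){3}) (?P<dst>\d+(?:\.\d+){3}) (?P<svc>\S+) (?P<sport>\d+) (?P<dport>\d+) "
    r"(?P<detail>.*?)\((?P<policy>[^)]+)\)\s+proc_id=\"(?P<proc>[^\"]+)\""
)
REASON_RE = re.compile(r"ProxyDeny:\s*(?P<reason>.+?)\s*$")

def parse_line(line):
    """Return the fields of one traffic-log line, or None if the line has another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    r = REASON_RE.search(rec["detail"])
    rec["reason"] = r.group("reason") if r else None
    return rec

def blocked_registrations(log_text):
    """(ts, src, dst, policy, service) for sessions the DNS proxy rejected as oversized;
    in this thread that is the signature of an AD client failing to register in DNS."""
    return [
        (rec["ts"], rec["src"], rec["dst"], rec["policy"], rec["svc"])
        for rec in filter(None, map(parse_line, log_text.splitlines()))
        if rec["proc"] == "dns-proxy" and rec["reason"] == "DNS oversized question"
    ]

def per_policy_counts(log_text):
    """Counter keyed by (policy, 'allow' | 'deny' | 'proxy_denied')."""
    counts = Counter()
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        proxy_deny = rec["proc"] == "dns-proxy" and rec["action"] == "Deny"
        counts[(rec["policy"], "proxy_denied" if proxy_deny else rec["action"].lower())] += 1
    return counts

if __name__ == "__main__":
    for ts, src, dst, policy, svc in blocked_registrations(SAMPLE_LOG):
        print(f"{ts} {src} -> {dst} {svc} rejected by {policy}: DNS registration likely failing")
    print(dict(per_policy_counts(SAMPLE_LOG)))
```

Run it against an exported Traffic Monitor log to list which clients are hitting the proxy limit and which policy they fall under, which is the evidence needed to scope the packet-filter rule the moderator recommends.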
