Channel: All ScreenOS Firewalls (NOT SRX) posts

DNS A/AAAA no response from Proxy


Hi Folks,

My Google foo is obviously lacking as I can find a few references to my problem but no fix. Hopefully someone here will know the answer.

I have just installed an SSG-140 in my home lab, replacing an old NS-50, that is running the latest greatest ScreenOS 6.3r24 (part of the reason for the move). This acts as a NAT'ing FW for my network (LAN+DMZ) as well as the DHCP server and the DNS proxy. The config was re-built from scratch, i.e. not copied from the older 50.

My home Lab is IPv4 only, IPv6 is _NOT_ turned on i.e. envar ipv6=no

Since the move to the SSG I'm having an odd DNS issue with my Debian servers. On the Debian box if I do a vanilla DNS lookup I get a 'name resolution failed' style message. However if I force just the use of IPv4 i.e. ping -4 www.apple.com everything works a treat!

Having now spent a lengthy amount of time on the problem I can see what's happening, although where the blame lies I cannot say.

Wiresharking the link I see that when the Debian box does a name query to the SSG everything goes over IPv4 as expected; however, by default the Debian box makes 2x queries, the first for a standard IPv4 A record and the second requesting an IPv6 AAAA record.

In my PCAP I see _NO_ response back at all from the SSG to these.

When I use the -4 switch on PING in my example the Debian box now only sends 1x query, this being the standard IPv4 A record. The SSG _DOES_ reply to this query hence name resolution works.

So I've tried everything in the book to disable IPv6 on the Debian host, however the default resolver still requests an AAAA record, which for some reason results in silence from the proxy on the SSG.

I've tried setting envar ipv6=yes then setting alg dns inhibit-aaaa-request but the SSG still sits silent when presented with the two requests.

As an interim fix I've disabled DNS in ALG and pointed my servers at 8.8.8.8 but I'd prefer to revert back to the internal Proxy.

Any guidance would be greatly appreciated.

Simon
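The symptom above (the paired A/AAAA lookup gets no reply at all, the lone A query is answered) is easy to confirm from a capture by matching queries to responses on transaction ID and question. The following is an added example, not code from the post or from Juniper: a minimal DNS message builder/parser and a checker that lists the queries with no matching reply, run over a constructed sample "capture" that uses www.apple.com from the post and a TEST-NET answer address.

```python
import struct

QTYPE = {"A": 1, "AAAA": 28}
QTYPE_NAME = {v: k for k, v in QTYPE.items()}

def build_query(txid, name, qtype):
    """Minimal DNS query (RD set, one question) for name with QTYPE 1 (A) or 28 (AAAA)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def parse_question(msg):
    """Return (txid, is_response, qname, qtype) from the header and first question of a DNS message."""
    txid, flags = struct.unpack("!HH", msg[:4])
    pos, labels = 12, []
    while msg[pos]:  # walk uncompressed labels up to the terminating zero length
        labels.append(msg[pos + 1:pos + 1 + msg[pos]].decode())
        pos += 1 + msg[pos]
    qtype = struct.unpack("!H", msg[pos + 1:pos + 3])[0]
    return txid, bool(flags & 0x8000), ".".join(labels), qtype

def build_response(query, rdata):
    """Answer a query with one RR of the queried type; 0xc00c is a pointer to the question name."""
    txid, _, _, qtype = parse_question(query)
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR, RD, RA set; one answer
    rr = b"\xc0\x0c" + struct.pack("!HHIH", qtype, 1, 300, len(rdata)) + rdata
    return header + query[12:] + rr

def unanswered(messages):
    """Walk captured DNS messages in order and list the queries that never got a matching response."""
    pending = {}
    for msg in messages:
        txid, is_resp, name, qtype = parse_question(msg)
        key = (txid, name, qtype)  # a reply must echo ID and question to count as a match
        if is_resp:
            pending.pop(key, None)
        else:
            pending[key] = f"{name}/{QTYPE_NAME.get(qtype, qtype)}"
    return sorted(pending.values())

# Constructed sample capture mirroring the post: A+AAAA pair unanswered, lone A (ping -4) answered.
SAMPLE = [
    build_query(0x1001, "www.apple.com", QTYPE["A"]),
    build_query(0x1002, "www.apple.com", QTYPE["AAAA"]),
    build_query(0x1003, "www.apple.com", QTYPE["A"]),
    build_response(build_query(0x1003, "www.apple.com", QTYPE["A"]), bytes([192, 0, 2, 10])),
]

if __name__ == "__main__":
    print(unanswered(SAMPLE))  # ['www.apple.com/A', 'www.apple.com/AAAA']
```

Feed it the DNS payloads exported from the PCAP in order and the output is the list of queries the proxy never answered; an empty list means every query (including AAAA) got a reply.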
