Move 9: A DNS Issue in the Multi-egress Equal-cost Route Scenario

Latest reply: Sep 16, 2020 18:26:41

Figure 1-1 Multi-egress equal-cost route DNS networking diagram

Figure 1-1 shows a typical multi-egress scenario. The firewall implements multi-egress load balancing based on configured equal-cost routes.

<sysname> display ip route-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
    Destinations : 13   Routes : 14
 
Destination/Mask    Proto   Pre  Cost     Flags NextHop         Interface
 
        0.0.0.0/0   Static  60   0          RD  1.1.1.254       GigabitEthernet1/0/2
                    Static  60   0          RD  2.2.2.254       GigabitEthernet1/0/3

When the firewall acts as a DNS proxy, or the firewall itself needs to resolve a domain name (such as sec.huawei.com), it constructs DNS request packets and sends them to the upstream DNS server. In the multi-egress equal-cost route scenario, the IP address of the outbound interface of the first equal-cost route is used as the source IP address of all DNS request packets. In this example, the outbound interface of the first equal-cost route is GE1/0/2, so the source IP address of the DNS request packets is 1.1.1.1.

The session table confirms this: whether the DNS request packets leave through GE1/0/2 or GE1/0/3, their source IP address is 1.1.1.1.

<sysname> display firewall session table verbose destination-port 53 
 Current Total Sessions : 4
  dns  VPN:public --> public  ID: a38f3fc36f13813d56f9990e
  Zone: local--> untrust  TTL: 00:00:30  Left: 00:00:12  
  Output-interface: GigabitEthernet1/0/3  NextHop: 2.2.2.254  MAC: 00-e0-fc-00-00-12
  <--packets:0 bytes:0   -->packets:1 bytes:59
  1.1.1.1:55151-->114.114.114.144:53
 
  dns  VPN:public --> public  ID: a48f3fc36efa0327856f99909
  Zone: local--> untrust  TTL: 00:00:30  Left: 00:00:07  
  Output-interface: GigabitEthernet1/0/3  NextHop: 2.2.2.254  MAC: 00-e0-fc-00-00-12
  <--packets:0 bytes:0   -->packets:1 bytes:59
  1.1.1.1:54677-->8.8.8.8:53
 
  dns  VPN:public --> public  ID: a58f3fc36f2d03896d56f99913
  Zone: local--> untrust  TTL: 00:00:30  Left: 00:00:17  
  Output-interface: GigabitEthernet1/0/2  NextHop: 1.1.1.254  MAC: 00-e0-fc-00-00-13
  <--packets:1 bytes:90   -->packets:1 bytes:59
  1.1.1.1:52936-->8.8.8.8:53
                                          
  dns  VPN:public --> public  ID: a58f3fc36f4686cafb56f99918
  Zone: local--> untrust  TTL: 00:00:30  Left: 00:00:22  
  Output-interface: GigabitEthernet1/0/2  NextHop: 1.1.1.254  MAC: 00-e0-fc-00-00-13
  <--packets:1 bytes:91   -->packets:1 bytes:59
  1.1.1.1:52562-->114.114.114.144:53

In this case, DNS request packets sent out of GE1/0/3 toward the ISP2 network carry a source IP address that belongs to the ISP1 network, so the ISP2 network may discard them (note that the two sessions on GE1/0/3 above have received no reply packets). To avoid this issue, configure source NAT in easy-IP mode so that the source IP address of DNS request packets is translated into the IP address of the outbound interface they actually leave through.

Configure as follows:

[sysname] nat-policy
[sysname-policy-nat] rule name dns
[sysname-policy-nat-rule-dns] source-zone local      //The source zone is local (traffic originated by the firewall itself)
[sysname-policy-nat-rule-dns] destination-zone untrust
[sysname-policy-nat-rule-dns] destination-address 8.8.8.8 32     //The destination IP address is the IP address of the DNS server
[sysname-policy-nat-rule-dns] destination-address 114.114.114.114 32
[sysname-policy-nat-rule-dns] action nat easy-ip     //Translate the source IP address into the IP address of the outbound interface

After the preceding configurations, the source IP address of DNS request packets is translated into the IP address of the outbound interface. The session table is as follows:

<sysname> display firewall session table verbose destination-port 53
 Current Total Sessions : 2
  dns  VPN:public --> public  ID: a58f3fc0056a05463056fa50de
  Zone: local--> untrust  TTL: 00:00:30  Left: 00:00:07
  Output-interface: GigabitEthernet1/0/2  NextHop: 1.1.1.254  MAC: 00-e0-fc-00-00-13
  <--packets:1 bytes:87   -->packets:1 bytes:59
  1.1.1.1:53721[1.1.1.1:2052]-->8.8.8.8:53

  dns  VPN:public --> public  ID: a58f3fc0059d05cd8156fa50e8
  Zone: local--> untrust  TTL: 00:00:30  Left: 00:00:17
  Output-interface: GigabitEthernet1/0/3  NextHop: 2.2.2.254  MAC: 00-e0-fc-00-00-12
  <--packets:1 bytes:89   -->packets:1 bytes:59
  1.1.1.1:51979[2.2.2.2:2053]-->8.8.8.8:53
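The following Python audit is an added example; it is not part of the original post and not a Huawei tool. It parses session-table output of the form shown above (both the pre-NAT and the post-NAT variant, where the bracketed address is the translated source) and flags DNS sessions whose effective source address does not belong to the interface they leave through. The interface-to-address map and the sample dumps are constructed from the post's topology; the assumption that GE1/0/3 carries 2.2.2.2 is taken from the translated session entry.

```python
"""Audit 'display firewall session table verbose' output for DNS sessions
whose source address does not belong to the egress interface.

Added example, not from the original post. The interface-to-address map is an
assumption taken from the post's topology; the sample dumps are constructed
after the post's output.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumption from the post: GE1/0/2 = 1.1.1.1 toward ISP1, GE1/0/3 = 2.2.2.2 toward ISP2.
INTERFACE_ADDRESS: Dict[str, str] = {
    "GigabitEthernet1/0/2": "1.1.1.1",
    "GigabitEthernet1/0/3": "2.2.2.2",
}

IFACE_RE = re.compile(r"Output-interface:\s*(\S+)\s+NextHop:\s*(\S+)")
# Flow line, e.g. "1.1.1.1:51979[2.2.2.2:2053]-->8.8.8.8:53".
# The bracketed part is the post-NAT source and appears only when a NAT rule matched.
FLOW_RE = re.compile(
    r"^\s*(?P<src>[\d.]+):(?P<sport>\d+)"
    r"(?:\[(?P<nat_src>[\d.]+):(?P<nat_sport>\d+)\])?"
    r"-->(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)


@dataclass
class Session:
    out_iface: str
    next_hop: str
    src: str
    nat_src: Optional[str]
    dst: str
    dport: int

    @property
    def effective_src(self) -> str:
        """Source address as seen on the wire: translated if NAT applied, else original."""
        return self.nat_src or self.src


def parse_sessions(dump: str) -> List[Session]:
    """Pair each Output-interface line with the flow line that follows it."""
    sessions: List[Session] = []
    iface: Optional[str] = None
    next_hop: Optional[str] = None
    for line in dump.splitlines():
        m = IFACE_RE.search(line)
        if m:
            iface, next_hop = m.group(1), m.group(2)
            continue
        m = FLOW_RE.match(line)
        if m and iface and next_hop:
            sessions.append(Session(
                out_iface=iface, next_hop=next_hop,
                src=m["src"], nat_src=m["nat_src"],
                dst=m["dst"], dport=int(m["dport"]),
            ))
            iface = next_hop = None  # one flow line per session block
    return sessions


def mismatched_sessions(sessions: List[Session],
                        iface_addr: Dict[str, str] = INTERFACE_ADDRESS) -> List[Session]:
    """DNS sessions whose on-the-wire source IP is not the egress interface's own IP."""
    return [s for s in sessions
            if s.dport == 53 and iface_addr.get(s.out_iface) != s.effective_src]


# Constructed sample dumps modelled on the post's two session tables.
BEFORE_NAT = """\
 Current Total Sessions : 4
  dns  VPN:public --> public  ID: a38f3fc36f13813d56f9990e
  Output-interface: GigabitEthernet1/0/3  NextHop: 2.2.2.254  MAC: 00-e0-fc-00-00-12
  1.1.1.1:55151-->114.114.114.114:53

  dns  VPN:public --> public  ID: a48f3fc36efa0327856f99909
  Output-interface: GigabitEthernet1/0/3  NextHop: 2.2.2.254  MAC: 00-e0-fc-00-00-12
  1.1.1.1:54677-->8.8.8.8:53

  dns  VPN:public --> public  ID: a58f3fc36f2d03896d56f99913
  Output-interface: GigabitEthernet1/0/2  NextHop: 1.1.1.254  MAC: 00-e0-fc-00-00-13
  1.1.1.1:52936-->8.8.8.8:53

  dns  VPN:public --> public  ID: a58f3fc36f4686cafb56f99918
  Output-interface: GigabitEthernet1/0/2  NextHop: 1.1.1.254  MAC: 00-e0-fc-00-00-13
  1.1.1.1:52562-->114.114.114.114:53
"""

AFTER_NAT = """\
 Current Total Sessions : 2
  dns  VPN:public --> public  ID: a58f3fc0056a05463056fa50de
  Output-interface: GigabitEthernet1/0/2  NextHop: 1.1.1.254  MAC: 00-e0-fc-00-00-13
  1.1.1.1:53721[1.1.1.1:2052]-->8.8.8.8:53

  dns  VPN:public --> public  ID: a58f3fc0059d05cd8156fa50e8
  Output-interface: GigabitEthernet1/0/3  NextHop: 2.2.2.254  MAC: 00-e0-fc-00-00-12
  1.1.1.1:51979[2.2.2.2:2053]-->8.8.8.8:53
"""

if __name__ == "__main__":
    for label, dump in (("before easy-ip NAT", BEFORE_NAT), ("after easy-ip NAT", AFTER_NAT)):
        bad = mismatched_sessions(parse_sessions(dump))
        print(f"{label}: {len(bad)} DNS session(s) with wrong source address")
        for s in bad:
            print(f"  {s.effective_src} -> {s.dst}:{s.dport} via {s.out_iface} (nexthop {s.next_hop})")
```

Run it against a saved copy of the command output; any session it reports is a DNS request that will leave an ISP link carrying the other ISP's address, which is exactly the condition the easy-ip rule above removes.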

This post was last edited by dr.wow at 2016-10-19 08:36.

Good
Good explanation
Thank you for sharing!
Good
Thank you for the information  
great