Technical Tip: Locally generated traffic for DNS not matching SD-WAN rule with source address configured
Description
This article describes the scenario where an SD-WAN rule for locally generated DNS traffic is configured with a source address: the traffic will not match the SD-WAN rule unless 'source-ip' is also defined under 'config system dns'.
Alternatively, to make the DNS traffic match the SD-WAN rule, the configured source address has to be removed from the rule.
Scope
For version 6.2.4 and onward.
Solution
Configuration.
config system virtual-wan-link
    set status enable
    config members
        edit 1
            set interface "wan1"
            set gateway 10.191.19.1
        next
        edit 2
            set interface "wan2"
            set gateway 10.191.35.1
        next
    end
    config service
        edit 2
            set name "dns"
            set mode sla
            set dst "all"
            set src "10.191.35.75" "10.191.19.75"
            config sla
                edit "internet"
                    set id 1
                next
            end
            set priority-members 2 1
        next
    end
end
DNS Configuration.
config system dns
    set primary 208.91.112.52
    set interface-select-method sdwan
end
With the 'interface-select-method' command introduced in v6.2.4, the method used to pick the outgoing interface for locally originated traffic can be selected.
It can be SD-WAN, auto, or a specific interface (see the related article).
With interface-select-method set to sdwan under the DNS configuration, the DNS traffic has to match an SD-WAN rule.
However, since there is no 'source-ip' defined under 'config system dns', it will not match the rule above.
diagnose firewall proute list
list route policy info(vf=root):
id=0x7f060001 vwl_service=1(DNS) vwl_mbr_seq=1 2 dscp_tag=0xff 0xff flags=0x0 tos=0x00 tos_mask=0x00 protocol=0 sport=0:65535 iif=0 dport=1-65535 oif=11 oif=7
source(2): 10.191.35.75-10.191.35.75 10.191.19.75-10.191.19.75
destination(1): 208.91.112.52-208.91.112.52
hit_count=0 last_used=2020-07-03 15:45:15
Note.
If no 'source-ip' is defined under 'config system dns' when the SD-WAN rule is evaluated, the DNS process does not know which source address to use: the source field is 0, so the rule with specific source addresses is not matched.
Solution.
- Configure 'source-ip' under 'config system dns' and use that same address as the source in the SD-WAN rule.
DNS config:
config system dns
    set primary 208.91.112.52
    set source-ip 10.191.19.75
    set interface-select-method sdwan
end
SD-WAN config:
config system virtual-wan-link
    config service
        edit 2
            set name "dns"
            set mode sla
            set dst "all"                <----- Destination as all.
            set src "10.191.19.75"       <----- Define source (same as 'source-ip' under 'config system dns').
        next
    end
end
diagnose firewall proute list
list route policy info(vf=root):
id=0x7f080001 vwl_service=1(DNS) vwl_mbr_seq=1 2 dscp_tag=0xff 0xff flags=0x0 tos=0x00 tos_mask=0x00 protocol=0 sport=0:65535 iif=0 dport=1-65535 oif=11 oif=7
source(2): 10.191.19.75-10.191.19.75
destination(1): 0.0.0.0-255.255.255.255
hit_count=15 last_used=2020-07-09 09:52:01
This is not an ideal solution in scenarios where the configuration has multiple SD-WAN interfaces and dynamic selection of the DNS 'source-ip' is required.
- Avoid using a source in the SD-WAN rule and use the destination instead, with the IP of the DNS server.
SD-WAN config:
config system virtual-wan-link
    config service
        edit 2
            set name "dns"
            set mode sla
            set dst "208.91.112.52"      <----- Define the DNS server here.
            set src "all"                <----- Configure source as all.
        next
    end
end
The DNS traffic will then match the SD-WAN rule, regardless of which source address it uses.
diagnose firewall proute list
list route policy info(vf=root):
id=0x7f070001 vwl_service=1(DNS) vwl_mbr_seq=1 2 dscp_tag=0xff 0xff flags=0x0 tos=0x00 tos_mask=0x00 protocol=0 sport=0:65535 iif=0 dport=1-65535 oif=11 oif=7
source(1): 0.0.0.0-255.255.255.255 <---- Source removed.
destination(1): 208.91.112.52-208.91.112.52
hit_count=2 last_used=2020-07-03 15:47:14
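To make the matching behaviour above checkable offline, here is an added example (not from the Fortinet article or FortiOS itself) that parses the source/destination ranges printed by 'diagnose firewall proute list' and tests which entries a DNS packet would match. It is a simplified model that only compares source and destination addresses (not protocol, ports or DSCP), and the sample output is constructed to mirror the three rules shown in this article; the source 0.0.0.0 stands in for the undefined 'source-ip' described in the note.

```python
import ipaddress
import re

# Constructed sample mirroring the three proute entries shown in the article
PROUTE_OUTPUT = """\
id=0x7f060001 vwl_service=1(DNS) vwl_mbr_seq=1 2 dport=1-65535 oif=11 oif=7
source(2): 10.191.35.75-10.191.35.75 10.191.19.75-10.191.19.75
destination(1): 208.91.112.52-208.91.112.52
id=0x7f080001 vwl_service=1(DNS) vwl_mbr_seq=1 2 dport=1-65535 oif=11 oif=7
source(1): 10.191.19.75-10.191.19.75
destination(1): 0.0.0.0-255.255.255.255
id=0x7f070001 vwl_service=1(DNS) vwl_mbr_seq=1 2 dport=1-65535 oif=11 oif=7
source(1): 0.0.0.0-255.255.255.255
destination(1): 208.91.112.52-208.91.112.52
"""

RANGE_RE = re.compile(r"(\d+\.\d+\.\d+\.\d+)-(\d+\.\d+\.\d+\.\d+)")

def parse_proute(text):
    """Return a list of {'id', 'source', 'destination'}; ranges are (low, high) ints."""
    rules, current = [], None
    for line in text.splitlines():
        if line.startswith("id="):
            current = {"id": line.split()[0][3:], "source": [], "destination": []}
            rules.append(current)
        elif current and line.startswith(("source(", "destination(")):
            key = line.split("(")[0]
            current[key] = [(int(ipaddress.ip_address(a)), int(ipaddress.ip_address(b)))
                            for a, b in RANGE_RE.findall(line)]
    return rules

def in_ranges(addr, ranges):
    value = int(ipaddress.ip_address(addr))
    return any(lo <= value <= hi for lo, hi in ranges)

def matches(rule, src, dst):
    """An entry matches only when both its source and destination ranges contain the packet."""
    return in_ranges(src, rule["source"]) and in_ranges(dst, rule["destination"])

def matching_rule_ids(text, src, dst):
    return [r["id"] for r in parse_proute(text) if matches(r, src, dst)]

if __name__ == "__main__":
    # Without 'source-ip', the lookup is done with a source of 0: only the dst-only rule matches.
    print(matching_rule_ids(PROUTE_OUTPUT, "0.0.0.0", "208.91.112.52"))       # ['0x7f070001']
    print(matching_rule_ids(PROUTE_OUTPUT, "10.191.19.75", "208.91.112.52"))  # all three ids
```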
Related document:
system dns
Related Article:
Technical Tip: Functionality of 'set interface-select-method' for local-traffic with SD-WAN
