Juniper ScreenOS DNS Application Layer Gateway Madness
You have a custom application that performs DNS queries, but does not follow security best practices to at least randomize the source port of those queries. Business must go on, so you secure this connectivity via a site-to-site VPN. So, you need to make an exception to your Juniper ALG.
By default, DNS traffic, running on UDP port 53, is handled with the ALG (Application Layer Gateway) feature on the firewall. Therefore, a DNS session is aged out differently compared to a normal UDP session (Source: Juniper KB12312). Let’s walk through how to implement a fix for this one outlier.
Solution in 5 Steps:
- Find the policy:
- Adjust the offending policy:
- Test and see the difference.
- Remember to save!
- Celebrate fault application workaround with coffee. ☕️