Stuff I'm Up To

Technical Ramblings

JunOS SRX too clever for its own good! — July 28, 2017

Today the planned migration from a Juniper ScreenOS SSG to a JunOS SRX didn’t quite go as smoothly as I’d have liked.

We spent many hours last night and this morning trying to figure out why numerous services that worked fine through the SSG firewall failed through the SRX. This was despite my having triple-checked that the rule sets matched exactly from one system to the other.

We ended up making changes to connected systems to resolve the problems as workarounds but this was far from ideal. The eventual culprit turned out to be a default feature that is enabled on the SRX within the default application junos-dns-udp.

Can’t ping using FQDN — July 21, 2017

I’ve run across this a few times now. It seems every time I do a big Linux upgrade I lose the ability to connect to an internal server using its FQDN. I can ping the short name, I can do a DNS resolution of the FQDN, but I just can’t connect to it using RDP and can’t ping it using its FQDN.

This is something to do with the domain name being .local and conflicting with the mDNS service. Not sure exactly what, but it’s an easy fix.

All you need to do is adjust the order of the name service lookups in the /etc/nsswitch.conf file and make sure dns comes before the mdns entry.

$ sudo vi /etc/nsswitch.conf
...
hosts: files myhostname dns mdns4_minimal [NOTFOUND=return]

Initially I found dns was last in the list, so just move it in front of the mdns4_minimal entry and you’re set.
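As an added example (not from the original post), a POSIX shell check that reports whether the hosts line of an nsswitch.conf-style file consults dns before the first mdns entry, and prints the corrected line when it does not. The function names and the constructed sample file are my own; both functions only read the path they are given, so you can point them at /etc/nsswitch.conf to inspect it without changing anything.

```shell
#!/bin/sh
# Check whether the hosts line of an nsswitch.conf-style file consults
# "dns" before the first "mdns*" source, and build the corrected line.
# Both functions take a file path; they never modify the file.

# Exit 0 when dns already precedes the first mdns entry (or there is
# nothing to reorder), exit 1 when mdns would be consulted first.
hosts_order_ok() {
    awk '$1 == "hosts:" {
        for (i = 2; i <= NF; i++) {
            if ($i == "dns")   exit 0
            if ($i ~ /^mdns/)  exit 1
        }
    }' "$1"
}

# Print the hosts line with "dns" moved to just before the first mdns
# entry; prints the line unchanged when no reordering is needed.
fixed_hosts_line() {
    awk '$1 == "hosts:" {
        dns_pos = 0; mdns_pos = 0
        for (i = 2; i <= NF; i++) {
            if ($i == "dns"  && dns_pos == 0)  dns_pos = i
            if ($i ~ /^mdns/ && mdns_pos == 0) mdns_pos = i
        }
        if (dns_pos == 0 || mdns_pos == 0 || dns_pos < mdns_pos) { print; exit }
        out = $1
        for (i = 2; i <= NF; i++) {
            if (i == dns_pos) continue           # drop dns from its old slot
            if (i == mdns_pos) out = out " dns"  # ...and re-insert it here
            out = out " " $i
        }
        print out; exit
    }' "$1"
}

# Demo on a constructed sample: the misordered line the post describes.
demo() {
    f=$(mktemp)
    printf 'passwd: files\nhosts: files myhostname mdns4_minimal [NOTFOUND=return] dns\n' > "$f"
    if hosts_order_ok "$f"; then echo "order ok"; else echo "mdns before dns, corrected line:"; fi
    fixed_hosts_line "$f"
    rm -f "$f"
}
demo
```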

Windows DKIM DNS Entry — November 24, 2016


Windows always gives me a bit of grief when trying anything a little out of the ordinary. I always find doing the same thing on Linux way simpler. This time it was relating to a DNS TXT entry for DKIM that is longer than 255 characters.

As we have a split DNS system, our external DNS entries need to be manually mirrored internally. This is because the DNS reply is often different for clients on the internal network than for those on an external one.

The 255 character limit was no problem for the external system. It parsed the string and split it into the required elements automatically. Internally you MUST split it yourself and enter it into the Windows DNS server as separate lines, delimited with a carriage return.

Using dig I could see the response from outside being returned correctly. But from inside it took me a few attempts to get Windows to leave it alone and make the entry the same.
