
ADC GSLB and nslookup leaking Private IP Address



Hi, I have a scenario I was wondering if anyone else had any experience of seeing.

We have a 2 datacentre GSLB configuration representing an external SSL service hosted on the ADC, by means of the ADCs being authoritative for a delegated subdomain.
The GSLB configuration has the SSL service listed with its internal IP address and its Public IP address.  E.g.:

add gslb service <service-name> 192.168.1.1 SSL 443 -publicIP 123.123.123.123 -publicPort 443 -siteName <GSLB_Site>

All works as expected if the URL is typed into a client browser.
All works as expected if the command 'dig' is used to query the hostname, returning the Public IP address.

 

If I use 'nslookup' to test, the Private IP address is displayed; but only when querying one Site.

I would rather the ADC did not leak private IP addresses.

 

Both ADCs have the same GSLB configuration.
The 'non-working' ADC is a VPX, the 'working' is an MPX.

 

Has anyone else come across this or could think of a way to stop it?

 

Thanks very much!


Hi Carl, thanks for the quick response.  No, nothing except default.

Default Global > Request - 'internal-dns-false-pol' with DNS-NOP Action

Is the only one set.

 

It is bizarre.  If I do a Wireshark trace from the same (Linux) client comparing a 'dig' request with a 'nslookup' request, I can see the public (dig) or private (nslookup) IP being returned as the A record!



You could implement DNS views and create policies for policing lookups to the internal view.  For example:

1. Create the DNS Views

   a. Internal

   b. External

 

2. Create policy action

   a. internalview ----This will reference the Internal view you create in step 1

   b. externalview----This will reference the External view you created in step 2

 

3. Create DNS policy that references the actions listed in step 2.

Example policy:

External: (!(CLIENT.IP.SRC.IN_SUBNET(10.0.0.0/8)||CLIENT.IP.SRC.IN_SUBNET(192.0.0.0/16)||CLIENT.IP.SRC.IN_SUBNET(172.0.0.0/12)))  Action: ExternalView  Note: this matches on all non-private IP address space

Internal: (CLIENT.IP.SRC.IN_SUBNET(10.0.0.0/8)||CLIENT.IP.SRC.IN_SUBNET(192.0.0.0/16)||CLIENT.IP.SRC.IN_SUBNET(172.0.0.0/12))  Action: internalview  Note: this matches on all private IP address space

 

4. In your GSLB service you add the DNS view and the address you want returned for each view. If you only want services to respond internally, for example, you just add the Internal view IP. If you want an internal and an external address responded to, you can add both.

 

5. Apply the policies globally with the policy manager.

 

This is an effective way to limit what IPs get responded to whatever policy matches.
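As an added example (not from the thread and not Citrix code), the Python below mirrors the view-selection logic of the policy pair above with the standard ipaddress module, so the subnet list can be checked before it is bound globally: which view a given client source address would be steered to, which address the GSLB service would hand back for that view (the 192.168.1.1 / 123.123.123.123 pair from the original question, used here as constructed sample values), and whether the listed subnets actually contain the RFC 1918 private blocks. The view names, the IN_SUBNET list and the per-view service mapping come from the post; coverage_gaps and the RFC 1918 list are my additions.

```python
import ipaddress

# Subnets exactly as written in the posted policy expressions. This is a
# constructed model of CLIENT.IP.SRC.IN_SUBNET(...), not ADC configuration.
POSTED_INTERNAL_SUBNETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.0.0.0/16"),
    ipaddress.ip_network("172.0.0.0/12"),
]

# The RFC 1918 private blocks, used as the reference the list is checked against.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Hypothetical GSLB service with one address per DNS view, modelled on step 4.
GSLB_SERVICE_VIEW_IPS = {
    "internalview": "192.168.1.1",        # sample internal address
    "externalview": "123.123.123.123",    # sample public address
}


def in_any(ip, subnets):
    """True if the client address falls inside any subnet of the list."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in subnets)


def select_view(client_ip, subnets=POSTED_INTERNAL_SUBNETS):
    """Return the view the Internal/External policy pair would select.

    The Internal policy matches when the source is in the list; the External
    policy is the negation, so every address ends up in exactly one view.
    """
    return "internalview" if in_any(client_ip, subnets) else "externalview"


def answer_for(client_ip, subnets=POSTED_INTERNAL_SUBNETS):
    """Address the GSLB service would return to this client (step 4 mapping)."""
    return GSLB_SERVICE_VIEW_IPS[select_view(client_ip, subnets)]


def coverage_gaps(subnets=POSTED_INTERNAL_SUBNETS):
    """RFC 1918 blocks that are not fully contained in the subnet list.

    Any block listed here would be treated as external, so internal clients
    in it would receive the external view's answer.
    """
    gaps = []
    for private in RFC1918:
        if not any(private.subnet_of(net) for net in subnets):
            gaps.append(str(private))
    return gaps


if __name__ == "__main__":
    # Constructed client addresses: one per RFC 1918 block plus a public one.
    for client in ["10.5.5.5", "172.16.0.5", "192.168.1.10", "203.0.113.7"]:
        print(f"{client:15} -> {select_view(client):12} {answer_for(client)}")
    print("RFC 1918 blocks not covered by the posted list:", coverage_gaps())
    print("RFC 1918 blocks not covered when the RFC 1918 list is used:",
          coverage_gaps(RFC1918))
```

Running it shows that the two entries as written, 172.0.0.0/12 and 192.0.0.0/16, do not contain 172.16.0.0/12 or 192.168.0.0/16, so an internal client on 192.168.x.x or 172.16.x.x falls through to the external view; substituting the RFC 1918 list closes the gap. Checking an IN_SUBNET expression this way before applying it with the policy manager is cheaper than discovering the mismatch from a wrong answer in production.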

 

 


On 10/17/2022 at 5:31 PM, Manjesh N said:

Hello Stuart Griffiths,

 

This could mostly be a DNS Doctoring issue, which is done by other network firewalls within the network. We could isolate the issue by disabling DNS Doctoring; let us know if that fixes the issue.

 

Thanks,

@Manjesh N

Hi all, thanks for the responses.  @Manjesh N put us down the right path in this case via Citrix Support.

 

JunOS firewall (Juniper SRX) has a feature called 'DNS-Doctoring' which is enabled by default.  This affected the DNS UDP response, but not a TCP response.

When this was disabled the expected DNS response via the GSLB DNS service was seen. 
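The UDP-only rewrite described above can be spotted without waiting for a user report. As an added example that is not part of the thread, the Python below builds two constructed DNS A responses for the same name (reproducing the UDP/TCP divergence the post describes, with the addresses from the original question as sample values), parses the A records out of raw DNS messages including compression pointers, and reports any private address in either answer and whether the two transports disagree. In practice the two inputs would be the response payloads captured from dig over UDP and from dig +tcp (with the 2-byte length prefix of the TCP framing removed first); build_a_response exists only to fabricate the sample messages offline.

```python
import ipaddress
import struct


def encode_name(name):
    """Encode a dotted hostname as DNS labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_a_response(qname, ips, txid=0x1234):
    """Construct a minimal DNS A response. Sample data, not a real capture."""
    # Flags 0x8180: standard response, recursion desired and available.
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(ips), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
    answers = b""
    for ip in ips:
        # Owner name is a compression pointer (0xC00C) back to the question name
        # at offset 12, as real resolvers emit it.
        answers += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4)
        answers += ipaddress.IPv4Address(ip).packed
    return header + question + answers


def read_name(msg, offset):
    """Read a possibly compressed name; return (name, offset after the field)."""
    labels = []
    jumped = False
    end = offset
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:            # compression pointer
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2             # the field ends after the pointer
            jumped = True
            offset = pointer
            continue
        if length == 0:
            offset += 1
            break
        offset += 1
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    if not jumped:
        end = offset
    return ".".join(labels), end


def parse_a_records(msg):
    """Return the IPv4 addresses in the answer section of a raw DNS message."""
    _txid, _flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qdcount):                 # skip the question section
        _, offset = read_name(msg, offset)
        offset += 4                          # QTYPE + QCLASS
    ips = []
    for _ in range(ancount):
        _, offset = read_name(msg, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:        # A record
            ips.append(str(ipaddress.IPv4Address(rdata)))
    return ips


def audit(udp_msg, tcp_msg):
    """Compare the UDP and TCP answers and flag private addresses in either."""
    udp = parse_a_records(udp_msg)
    tcp = parse_a_records(tcp_msg)
    leaked = sorted({ip for ip in udp + tcp if ipaddress.ip_address(ip).is_private})
    return {
        "udp": udp,
        "tcp": tcp,
        "leaked_private": leaked,
        "transport_mismatch": udp != tcp,
    }


# Constructed sample messages: the UDP answer carries the internal address, the
# TCP answer the public one, matching the symptom described in the thread.
UDP_SAMPLE = build_a_response("gslb.example.com", ["192.168.1.1"])
TCP_SAMPLE = build_a_response("gslb.example.com", ["123.123.123.123"])

if __name__ == "__main__":
    print(audit(UDP_SAMPLE, TCP_SAMPLE))
```

A transport mismatch with a private address only on the UDP side points at something between the client and the ADC rewriting UDP payloads rather than at the GSLB configuration itself, which is exactly the distinction that took a support case to reach in this thread.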

 

 

