EDNS0 Queries not working through Firewalls
Symptom
Running EDNS0 queries through the firewall times out with an error (as shown in the screenshot).
Environment
- Palo Alto Firewalls
- PAN-OS 9.1.x or higher.
- PA firewalls between DNS server and client with EDNS0 feature.
Cause
This issue may be caused by one or more of the following:
- DNS proxy enabled on the PA firewall with the "cache EDNS Response" option checked.
- A spyware security profile with DNS Security enabled.
- A zone protection profile with the fragmented traffic option enabled under packet-based attack protection.
- EDNS0 packets being larger than normal DNS packets, causing fragmentation on network devices.
Resolution
1. Verify whether DNS proxy is configured with the "cache EDNS0 Responses" option enabled under Advanced > Cache.
2. Run the following commands to check the global counters for DNS packet drops (i.e. "ctd_dns_wait_pkt_drop") and IP fragmentation. Repeat the show commands several times while testing:
debug dataplane packet-diag clear filter-marked-session all
debug dataplane packet-diag set filter match source ip1 destination ip2
debug dataplane packet-diag set filter match source ip2 destination ip1
debug dataplane packet-diag set filter on
show counter global filter delta yes | match "dns"
show counter global filter delta yes | match "ctd_dns_wait_pkt_drop"
show counter global filter delta yes | match "ipfrag"
3. If a spyware security profile with DNS Security is enabled, disable it and re-test the queries.
4. If a zone protection profile has the fragmented traffic option enabled under packet-based attack protection, disable it and test.
5. An application override for the DNS application can also be created to verify.
6. If no relevant counters are seen on the firewall after the troubleshooting above, take packet captures to look for IP fragmentation of the query and response.
- Example captures (screenshot of a successful EDNS0 query via the firewall; image not included in this text):
- The captures show the firewall receiving, processing and transmitting the query, and receiving the response back.
- If no response is seen arriving at the firewall, check the upstream devices involved. EDNS0 is not yet widely supported by network devices, so they may drop the packet because of fragmentation, because it is oversized with the DF bit set, or because of asymmetric routing.
- If the response is received on the firewall but the client's DNS server still does not see it, verify whether the DF (do not fragment) bit is set in the response packet and the firewall is dropping it.
- Furthermore, detailed packet captures (i.e. flow basic, app-id) may be required to gain more insight if the firewall is receiving and dropping the packet. For further assistance, open a Support case.
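Because step 2 asks you to repeat the counter commands several times and compare the deltas, it helps to capture each run and diff them programmatically. The following Python script is an added example, not part of this article or of any PAN-OS tooling: it parses the text of repeated `show counter global filter delta yes` runs and reports which DNS- or fragmentation-related counters actually moved, mapping each to the resolution step that addresses it. The two sample outputs embedded below are constructed for the example (the column layout follows the PAN-OS format, but the counter values and descriptions are made up), so the script runs offline; in practice you would paste the real CLI output in their place.

```python
import re
from typing import Dict, List

# Counter name fragments the article tells you to watch.
WATCHED = ("ctd_dns_wait_pkt_drop", "ipfrag", "dns")

# Which resolution step each kind of counter points at (mapping is this
# example's own summary of the article, not firewall logic).
HINTS = {
    "ctd_dns_wait_pkt_drop": "DNS packets dropped during content inspection: "
                             "check DNS proxy EDNS cache (step 1) and DNS Security (step 3)",
    "ipfrag": "IP fragments seen: check zone protection fragment option (step 4) "
              "and oversized EDNS0 packets / DF bit (step 6)",
}

# One counter line: name value rate severity category aspect description
COUNTER_LINE = re.compile(
    r"^(\S+)\s+(\d+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.*)$"
)

# Constructed sample of two consecutive runs of the show command.
SAMPLE_RUNS: List[str] = [
    """Global counters:
Elapsed time since last sampling: 5.12 seconds

name                       value     rate severity  category  aspect    description
--------------------------------------------------------------------------------
session_allocated             12        2 info      session   resource  Sessions allocated (constructed)
ctd_dns_wait_pkt_drop          3        0 drop      ctd       pktproc   DNS packet dropped while waiting for verdict (constructed)
flow_ipfrag_recv               4        0 info      flow      ipfrag    IP fragments received (constructed)
""",
    """Global counters:
Elapsed time since last sampling: 4.80 seconds

name                       value     rate severity  category  aspect    description
--------------------------------------------------------------------------------
session_allocated              9        1 info      session   resource  Sessions allocated (constructed)
ctd_dns_wait_pkt_drop          7        1 drop      ctd       pktproc   DNS packet dropped while waiting for verdict (constructed)
flow_ipfrag_recv               6        1 info      flow      ipfrag    IP fragments received (constructed)
""",
]


def parse_counters(output: str) -> Dict[str, dict]:
    """Turn one run of 'show counter global' text into {name: fields}.
    Header, separator and blank lines do not match the regex and are skipped."""
    counters: Dict[str, dict] = {}
    for line in output.splitlines():
        m = COUNTER_LINE.match(line.strip())
        if not m:
            continue
        name, value, rate, severity, category, aspect, desc = m.groups()
        counters[name] = {
            "value": int(value),      # with 'delta yes' this is the change since last sample
            "rate": int(rate),
            "severity": severity,
            "category": category,
            "aspect": aspect,
            "description": desc.strip(),
        }
    return counters


def watched_increments(runs: List[str]) -> Dict[str, List[int]]:
    """For each watched counter, the delta reported by every sample.
    Only counters that moved in at least one sample are returned."""
    per_run = [parse_counters(r) for r in runs]
    names = set()
    for c in per_run:
        names.update(c)
    result: Dict[str, List[int]] = {}
    for name in sorted(names):
        if not any(w in name for w in WATCHED):
            continue
        deltas = [c.get(name, {}).get("value", 0) for c in per_run]
        if any(deltas):
            result[name] = deltas
    return result


def hints_for(runs: List[str]) -> List[str]:
    """Map the counters that moved onto the article's resolution steps."""
    hints = []
    for name in watched_increments(runs):
        for key, text in HINTS.items():
            if key in name and text not in hints:
                hints.append(text)
    return hints


if __name__ == "__main__":
    for name, deltas in watched_increments(SAMPLE_RUNS).items():
        print(f"{name}: deltas per sample {deltas}")
    for h in hints_for(SAMPLE_RUNS):
        print("->", h)
```

Run it as-is to see the constructed sample flagged; to use it on a real firewall, capture each `show counter global filter delta yes` run to a file and pass their contents as the `runs` list. A counter that stays at zero across all samples is not reported, which keeps the output focused on the drops the article is asking you to look for.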