When trying to rejoin the IWA Direct Windows Domain, it failed with the error below:
"A bad packet was received from a DNS server..."
There is a firewall between the proxy and the Windows AD.
Kerberos (UDP and TCP port 88), LDAP (TCP port 389), SMB (TCP port 445), and DNS (UDP port 53) services are being allowed on the firewall.
The issue is that the DNS response the proxy receives over UDP is truncated.
A packet capture will show the following flags on the DNS response:
The flags value 0x8780 has the TC (truncated) bit set, so the message is truncated, even though Wireshark's summary line still says "Standard query response, No error".
Usually, when this happens, the proxy automatically falls back to DNS over TCP and repeats the query to the DNS server on TCP. In this case, however, the firewall is blocking DNS over TCP, which causes the domain join to fail.
On the firewall, make sure the DNS over TCP service (TCP port 53) is allowed.
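To see why a flags word of 0x8780 decodes to "Standard query response, No error" and yet still signals truncation, here is an added Python decoder for the DNS header flags (example code, not from the original article); the two 12-byte reply headers are constructed for illustration.

```python
import struct

# DNS header flag bits (RFC 1035 section 4.1.1; AD/CD bits from RFC 2535).
QR, AA, TC, RD, RA, AD, CD = 0x8000, 0x0400, 0x0200, 0x0100, 0x0080, 0x0020, 0x0010
RCODE_NAMES = {0: "No error", 1: "Format error", 2: "Server failure",
               3: "Name error", 4: "Not implemented", 5: "Refused"}

def decode_dns_flags(flags):
    """Split the 16-bit DNS header flags word into its named fields."""
    return {
        "qr": bool(flags & QR),         # 1 = response, 0 = query
        "opcode": (flags >> 11) & 0xF,  # 0 = standard query
        "aa": bool(flags & AA),         # authoritative answer
        "tc": bool(flags & TC),         # truncated: reply did not fit in UDP
        "rd": bool(flags & RD),         # recursion desired
        "ra": bool(flags & RA),         # recursion available
        "rcode": flags & 0xF,           # 0 = NOERROR
    }

def summary(flags):
    """Wireshark-style one-line summary; note it never mentions truncation."""
    f = decode_dns_flags(flags)
    kind = "Standard query" if f["opcode"] == 0 else "Opcode %d" % f["opcode"]
    if not f["qr"]:
        return kind
    return "%s response, %s" % (kind, RCODE_NAMES.get(f["rcode"], "RCODE %d" % f["rcode"]))

def needs_tcp_retry(udp_reply):
    """True when a UDP DNS reply has TC set: the resolver must repeat the query
    over TCP port 53, so that port must be open on any firewall in the path."""
    if len(udp_reply) < 12:
        raise ValueError("DNS header is 12 bytes")
    _txid, flags = struct.unpack("!HH", udp_reply[:4])
    f = decode_dns_flags(flags)
    return f["qr"] and f["tc"]

# Constructed 12-byte headers (no question/answer sections) for demonstration:
# transaction id 0x1234, flags, QDCOUNT=1, ANCOUNT/NSCOUNT/ARCOUNT=0.
TRUNCATED_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8780, 1, 0, 0, 0)
COMPLETE_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8580, 1, 0, 0, 0)

if __name__ == "__main__":
    for name, pkt in (("truncated", TRUNCATED_REPLY), ("complete", COMPLETE_REPLY)):
        flags = struct.unpack("!H", pkt[2:4])[0]
        print("%s: flags=0x%04x \"%s\" tc=%s retry_over_tcp=%s"
              % (name, flags, summary(flags), decode_dns_flags(flags)["tc"], needs_tcp_retry(pkt)))
```

Running the decoder over the flags word from the capture shows AA, TC, RD and RA all set with RCODE 0, which is exactly the "No error" summary that hides the truncation.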