L7 DNS Rule is Skipped Unexpectedly
Article ID: 381316


Products

VMware NSX, VMware NSX Firewall, VMware vDefend Firewall

Issue/Introduction

A Layer 7 DNS rule has been configured to match DNS traffic. However, a Layer 4 rule lower in the rule table is matched instead.

Expected rule:

rule 3315 at 9 inout protocol udp from addrset <src addrset> to addrset <dest addrset> port 53 with attribute profile <DNS Context Profile> accept with log;       <---- L7 Rule


Rule that is matched instead:

rule 3329 at 25 inout protocol udp from addrset <src addrset> to addrset <dest addrset> port 53 accept with log;     <----L4 Rule

Environment

VMware NSX (all versions)

Cause

An ICMP 'Destination Port Unreachable' message is observed between the client and server, indicating a port or connectivity issue on the server side. As a result, the DNS query/response exchange is incomplete, and the context engine does not recognize the flow as a valid DNS session, so the L7 rule carrying the DNS context profile is never matched and the flow falls through to the L4 rule.
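The following is an added illustration, not NSX code and not the context engine's actual logic: it models the condition described above on a constructed capture. A flow is treated as "identified as DNS" only when a DNS query is answered by a DNS response with the same transaction ID; a flow where the server instead returns ICMP type 3 code 3 (destination port unreachable) is left unidentified, which is the situation in which only an L4 rule can match. Addresses, transaction IDs and the Packet class are constructed for the example.

```python
"""Toy model of L7 DNS identification vs. an ICMP port-unreachable reply.

Added example, not VMware/NSX code. It models only the condition the article
describes: an application is identified from a complete query/response exchange.
"""
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass
class Packet:
    src: str
    dst: str
    proto: str            # "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    payload: bytes = b""
    icmp_type: int = -1
    icmp_code: int = -1

def build_dns(txid: int, response: bool, qname: str = "example.test") -> bytes:
    """Construct a minimal DNS message (header + one A question) for the sample."""
    flags = 0x8180 if response else 0x0100   # QR+RD+RA for a response, RD for a query
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    question = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\x00"
    return header + question + struct.pack("!HH", 1, 1)   # QTYPE A, QCLASS IN

def parse_dns_header(payload: bytes) -> Optional[Tuple[int, bool]]:
    """Return (transaction id, is_response) or None if too short to be a DNS header."""
    if len(payload) < 12:
        return None
    txid, flags = struct.unpack("!HH", payload[:4])
    return txid, bool(flags & 0x8000)   # QR bit: 0 = query, 1 = response

def classify_dns_flows(packets):
    """Group packets into (client, server) flows toward UDP/53 and report whether
    each exchange is complete enough for an L7 identification."""
    flows = {}
    for p in packets:
        if p.proto == "udp" and p.dport == 53:
            hdr = parse_dns_header(p.payload)
            if hdr and not hdr[1]:                      # client -> server query
                st = flows.setdefault((p.src, p.dst),
                                      {"query_ids": set(), "response": False, "icmp_unreach": False})
                st["query_ids"].add(hdr[0])
        elif p.proto == "udp" and p.sport == 53:
            hdr = parse_dns_header(p.payload)
            key = (p.dst, p.src)                         # server -> client response
            if key in flows and hdr and hdr[1] and hdr[0] in flows[key]["query_ids"]:
                flows[key]["response"] = True
        elif p.proto == "icmp" and p.icmp_type == 3 and p.icmp_code == 3:
            key = (p.dst, p.src)                         # server tells client: port unreachable
            if key in flows:
                flows[key]["icmp_unreach"] = True
    verdict = {}
    for key, st in flows.items():
        if st["response"]:
            verdict[key] = "dns identified: L7 rule eligible"
        elif st["icmp_unreach"]:
            verdict[key] = "ICMP port unreachable: no L7 match, L4 rule applies"
        else:
            verdict[key] = "query unanswered: no L7 match yet"
    return verdict

def sample_capture():
    """Constructed packets: one healthy exchange, one answered with ICMP unreachable."""
    return [
        Packet("10.0.0.10", "10.0.0.53", "udp", 40001, 53, build_dns(0x1234, False)),
        Packet("10.0.0.53", "10.0.0.10", "udp", 53, 40001, build_dns(0x1234, True)),
        Packet("10.0.0.11", "10.0.0.54", "udp", 40002, 53, build_dns(0x5678, False)),
        Packet("10.0.0.54", "10.0.0.11", "icmp", icmp_type=3, icmp_code=3),
    ]

if __name__ == "__main__":
    for flow, result in classify_dns_flows(sample_capture()).items():
        print(f"{flow[0]} -> {flow[1]}: {result}")
```

When reviewing a real capture taken at the server vNIC, the check to make is the same one the second flow shows: a DNS query on UDP/53 followed by an ICMP type 3 code 3 from the server rather than a DNS response.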

Packet capture taken at the DNS server vNIC (image not reproduced here):

Resolution

This is expected L7 DFW behavior: a rule with a context profile is matched only after the context engine has identified the application from the traffic, and an incomplete DNS exchange gives it nothing to identify. Address the port or connectivity issue between the client and server.