I already mentioned in an older post that Juniper implements sometimes features not completely. Its quite often that the implement features besides their core functions of firewalling and intrusion detection,intrusion prevention at their SSG platforms. I reported in one of my older posts that proxy DNS (also called split DNS) was only implemented for name lookup and not for reverse lookup. This caused trouble with applications like SSH or Unix r* tools which use reverse lookups.
I will now add another issue of the DNS proxy function today. During troubleshooting with Windows clients behind a Juniper running DNS proxy, I found that the Juniper SSG520 only supports udp based DNS queries. In some environments this might work. In my case the Windows 2000 clients and servers query the Juniper DNS proxy server for the domain name like foo.com to get an list of all domain controllers and mail exchangers. THe Juniper forwards this request to the correct DNS server and the server response with udp to client via the Juniper DNS proxy. But in my case the DNS response is to long for UDP and the trunkated flag is set. The windows client or server now detects by this flag that the DNS response is not complete and runs the same query now based on TCP. At this moment the client runs into an timeout, because the Juniper DNS proxy implementation does not respond to TCP based DNS queries.
I opened an JTAC case for this issue and referenced to the RFC for DNS, which explains TCP DNS. The only answer from JTAC second level was: ScreenOS supports only UDP DNS. If we need TCP DNS, than we should start an feature request. Case closed!
No comment!