DNS A/AAAA no response from Proxy

Hi Folks,

My Google foo is lacking as I can find a few references to my problem but no fix. Hopefully someone here will know the answer.

I have just installed an SSG-140 in my home lab, replacing an old NS-50, that is running the latest shiny ScreenOS 6.3r24. This acts as a NAT'ing FW for my network (LAN+DMZ) as well as the DHCP server and the DNS proxy. The config was re-built from scratch, i.e. not copied from the older 50.

My home lab is IPv4 only; IPv6 is NOT turned on, i.e. envar ipv6=no.

Since the move to the SSG I'm having an odd DNS issue with my Debian servers. On the Debian box, if I do a vanilla DNS lookup I get a 'name resolution failed' style message. However, if I force IPv4, i.e. ping -4 www.apple.com, everything works a treat!

Having now spent a lengthy amount of time on the problem I can see what's happening, although where the blame lies I cannot say.

Wiresharking the link I see that when the Debian box does a name query to the SSG everything goes over IPv4 as expected; however, by default the Debian box makes 2x queries: the first is for a standard IPv4 A record, the second requests an IPv6 AAAA record.

In my PCAP I see NO response back at all from the SSG to this query.

When I use the -4 switch on PING in my above example the Debian box now only sends 1x query, this being the standard IPv4 A record. The SSG DOES reply to this query, hence name resolution works.

So I've tried everything in the book to disable IPv6 on the Debian host; however, the default resolver still requests an AAAA record, which for some reason kills the proxy on the SSG.

I've tried setting envar ipv6=yes and then setting alg dns inhibit-aaaa-request, but the SSG still falls silent when presented with the two requests.

As an interim fix I've disabled DNS in ALG and pointed my servers at but I'd prefer to revert back to the internal proxy.

Any guidance would be greatly appreciated.
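A small diagnostic for the behaviour described in the post, added here as an example and not part of the original post or of ScreenOS: it sends the A and AAAA queries separately to the proxy and distinguishes a silently dropped query (timeout, the symptom above) from a proper NODATA reply, which is what an IPv4-only network should see for AAAA. The resolver address is a placeholder and the packet bytes are hand-built, so it needs no third-party library.

```python
import socket
import struct

# Placeholder for the SSG's LAN-side address; replace with the real DNS proxy IP.
RESOLVER = "192.0.2.1"
QTYPE_A, QTYPE_AAAA = 1, 28

def build_query(name, qtype, txid=0x1234):
    """Build a minimal DNS query: RD set, one question, class IN, no EDNS."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def classify_response(query, data):
    """Classify a raw reply as 'answer', 'nodata', 'error:<rcode>' or 'mismatch'."""
    if len(data) < 12:
        return "mismatch"
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", data[:12])
    # Reply must echo our transaction ID and carry the QR (response) bit.
    if txid != struct.unpack("!H", query[:2])[0] or not flags & 0x8000:
        return "mismatch"
    rcode = flags & 0x000F
    if rcode != 0:
        return "error:%d" % rcode
    return "answer" if an > 0 else "nodata"

def probe(name, resolver=RESOLVER, timeout=2.0):
    """Query A and AAAA one at a time; 'timeout' means the proxy never replied."""
    results = {}
    for label, qtype in (("A", QTYPE_A), ("AAAA", QTYPE_AAAA)):
        q = build_query(name, qtype, txid=0x1000 + qtype)
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(q, (resolver, 53))
            try:
                data, _ = s.recvfrom(512)
            except socket.timeout:
                results[label] = "timeout"
                continue
        results[label] = classify_response(q, data)
    return results

if __name__ == "__main__":
    # A healthy IPv4-only proxy returns {'A': 'answer', 'AAAA': 'nodata'};
    # the symptom in the post shows up as {'A': 'answer', 'AAAA': 'timeout'}.
    print(probe("www.apple.com"))
```

Running it against the SSG while capturing with Wireshark confirms whether the AAAA query is dropped by the proxy rather than answered with an empty reply that the Debian resolver mishandles.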