Watchguard DNS Invalid Response Problem

I’ve previously written about a slight problem caused by our Watchguard X750e firewall at the office. I still think it’s a great piece of hardware, but I occasionally run into little snafus like this one with Google Maps. I couldn’t find the info I needed on Google to fix this, so I had to figure it out on my own.

I’ve always known Google Maps to be a little quirky from the two computers I use while at work, but never thought to track down what was causing it. By quirky, I mean that more often than not, I would be left map-less and would have to do a hard refresh multiple times before it would draw the map or load the satellite imagery. After popping open the console today to see what Watchguard has to say about the problem, this is the log entry I see:

2008-02-12 09:21:21 Deny 192.168.1.2 216.239.32.10 dns/udp 1059 53 1-Trusted 0-External ProxyDeny: DNS Invalid response (DNS-00) src_ip_nat="66.20.xxx.xxx" src_port_nat="14340" proxy_act="DNS-Outgoing"

In the above, 192.168.1.2 represents my internal DNS server, 216.239.32.10 is a DNS server apparently owned by Google, and 66.20.xxx.xxx is the outward-facing interface on our firewall. What really struck me as odd about this was that my internal DNS should only be querying the DNS servers at AT&T – not at Google. After a little trial and error, I found that I just needed to modify one setting in the default Watchguard DNS proxy to make this work. By default, this policy is aptly named “DNS” in your Fireware Policy Manager.

  1. Open the DNS policy and go to the “Properties” tab
  2. Next to the “Proxy action:” drop-down dialog, click the “View/Edit Proxy” button
  3. In the “General” section, under “Protocol Anomaly Detection Rules” change the drop-down next to “Not of class Internet” to “Allow” and click OK
  4. When prompted, give your newly-modified proxy settings a new name and save them
  5. Click OK to close the “Edit Policy Properties” dialog
  6. Save your new policy changes to your Firebox

I hope someone else finds this useful.

Note: At this point, I have no real idea exactly what the setting means, but it has fixed my problem and I haven’t seen any further side-effects. If anyone “in-the-know” thinks that allowing those queries is a problem, please let me know. I take no responsibility for any issues this may cause on your network.