DNS ALG

The Oracle® Enterprise Session Border Controller’s DNS Application Layer Gateway (ALG) feature provides an application layer gateway for DNS transactions on the Oracle® Enterprise Session Border Controller. With DNS ALG service configured, the Oracle® Enterprise Session Border Controller can support the appearance of multiple DNS servers on one side and a single DNS client on the other.

Overview

DNS ALG service provides an application layer gateway for use with DNS clients. DNS ALG service allows a client to access multiple DNS servers in different networks and provides routing to/from those servers. It also supports flexible address translation of the DNS query/response packets. These functions allow the DNS client to query many different domains from a single DNS server instance on the client side of the network.

The Oracle® Enterprise Session Border Controller’s DNS ALG service is commonly used when a DNS client (such as a call agent) needs to authenticate users. In this case, the DNS client that received a message from a certain network would need to authenticate the endpoint in a remote network. Since the DNS client and the sender of the message are on different networks, the Oracle® Enterprise Session Border Controller acts as an intermediary by interoperating with both.

In the following diagram, the DNS client has received a message from an endpoint in Network A. Since the DNS client is in a different realm, however, the DNS client receives the message after the Oracle® Enterprise Session Border Controller has performed address translation. Then the DNS client initiates a DNS query on the translated address. The Oracle® Enterprise Session Border Controller forwards the DNS request to the DNS server in Network A, using the domain suffix to find the appropriate server. Network A’s DNS server returns a response containing its IPv4 address, and then the Oracle® Enterprise Session Border Controller takes that reply and performs a NAT on the private address. The private address is turned into a public one that the DNS client can use to authenticate the endpoint.

The DNS ALG service diagram is described above.

Configuring DNS ALG Service

This section tells you how to access and set the values you need depending on the configuration mechanism you choose. It also provides sample configurations for your reference.

Configuring DNS ALG service requires that you carry out two main procedures:

  • Setting the name, realm, and DNS service IP interfaces
  • Setting the appropriate parameters for DNS servers to use in other realms

Before You Configure

Before you begin to configure DNS ALG service on the Oracle® Enterprise Session Border Controller, complete the following steps.

  1. Configure the client realm that you are going to use in the main DNS ALG profile and note its name to use in this chapter’s configuration process.
  2. Configure the server realm that contains the DNS servers and note its name to use in this chapter’s configuration process.
  3. Determine the domain suffixes for the network where the DNS servers are located so that you can enter them in the domain suffix parameter.
  4. Devise the NAT scheme that you want to use when the DNS reply transits the Oracle® Enterprise Session Border Controller.

DNS ALG Service Name Configuration

This section explains how to configure the name of the DNS ALG service you are configuring and set its realm.

To add DNS ALG service:

  1. In Superuser mode, type configure terminal and press Enter.
    ORACLE# configure terminal
  2. Type media-manager and press Enter.
    ORACLE(configure)# media-manager
  3. Type dns-config and press Enter. The system prompt changes to let you know that you can begin configuring individual parameters.
    ORACLE(media-manager)# dns-config
    ORACLE(dns-config)#

    From this point, you can configure DNS ALG parameters and access this configuration’s DNS server subelement. To view all DNS ALG service parameters and the DNS server subelement, enter a ? at the system prompt.

    dns-config
            client-realm
            description                    dns-alg1
            client-address-list
            last-modified-date             2005-02-15 10:50:07
            server-dns-attributes
                    server-realm
                    domain-suffix
                    server-address-list
                    source-address
                    source-port                    53
                    transaction-timeout            10
                            address-translation
                                    server-prefix                  10.3.0.0/16
                                    client-prefix                  192.168.0.0/16

Identity Realm and Interface Addresses

To configure the identity, realm, and IPv4 interface addresses for your DNS ALG profile:

  1. description—Set a name for the DNS ALG profile using any combination of characters entered without spaces. You can also enter any combination with spaces if you enclose the whole value in quotation marks. For example: "DNS ALG service".
  2. client-realm—Enter the name of the realm from which DNS queries are received. If you do not set this parameter, the DNS ALG service will not work.
  3. client-address-list—Configure a list of one or more addresses for the DNS server interface. These are the addresses on the Oracle® Enterprise Session Border Controller to which DNS clients send queries.

    To enter one address in this list, type client-address-list at the system prompt, a Space, the IPv4 address, and then press Enter

    ORACLE(dns-config)# client-address-list 192.168.0.2

    To enter more than one address in this list, type client-address-list at the system prompt, and a Space. Then type an open parenthesis ( ( ), each IPv4 address you want to use separated by a Space, and closed parenthesis ( ) ), and then press Enter.

    ORACLE(dns-config)# client-address-list (192.168.0.2 196.168.1.1 192.168.1.2)

DNS Server Attributes

To configure attributes for the DNS servers that you want to use in the DNS ALG profile:

  1. In Superuser mode, type configure terminal and press Enter.
    ORACLE# configure terminal
  2. Type media-manager and press Enter.
    ORACLE(configure)# media-manager
  3. Type dns-config and press Enter. The system prompt changes to let you know that you can begin configuring individual parameters.
    ORACLE(media-manager)# dns-config
  4. Type server-dns-attributes and then press Enter.
    ORACLE(dns-config)# server-dns-attributes

    From this point, you can configure DNS server parameters. To see all parameters for the DNS server, enter a ? at the system prompt.

  5. server-realm—Enter the name of the realm in which the DNS server is located. This value is the name of a configured realm.
  6. domain-suffix—Enter a list of one or more domain suffixes to indicate the domains you want to serve. These values are matched when a request is sent to a specific DNS server. If you leave this list empty (default), then your configuration will not work.

    Note:

    If you want to use a wildcard value, you can start your entry with an asterisk ( * ) (e.g., *.com). You can also start this value with a dot (e.g., .com).

    To enter one domain suffix in this list, type domain-suffix at the system prompt, a Space, the domain suffix, and then press Enter.

    ORACLE(server-dns-attributes)# domain-suffix acmepacket.com

    To enter more than one domain suffix in this list, type domain-suffix at the system prompt, and a Space. Then type an open parenthesis ( ( ), each domain suffix you want to use separated by a Space, and a closed parenthesis ( ) ), and then press Enter.

    ORACLE(server-dns-attributes)# domain-suffix (acmepacket.com acmepacket1.com acmepacket2.com)
  7. server-address-list—Enter a list of one or more DNS IPv4 addresses for DNS servers. These DNS servers can be used for the domains you specified in the domain suffix parameter. Each domain can have several DNS servers associated with it, and so you can populate this list with multiple IPv4 addresses. If you leave this list empty (default), your configuration will not work.
  8. source-address—Enter the IPv4 address for the DNS client interface on the Oracle® Enterprise Session Border Controller. If you leave this parameter empty (default), your configuration will not work.
  9. source-port—Enter the number of the port for the DNS client interface on the Oracle® Enterprise Session Border Controller. The default value is 53. The valid range is:
    • Minimum—1025
    • Maximum—65535

  10. transaction-timeout—Enter the time in seconds that the ALG should keep the information needed to map a DNS server response back to the client request that caused it. After the transaction times out, any further responses to the original request are discarded. The default value is 10. The valid range is:
    • Minimum—0
    • Maximum—999999999

  11. address-translation—Enter a list of address translations that define the NAT function for the DNS servers.

    You can access the NAT parameters for the DNS servers by typing address-translation and pressing Enter within the DNS server attributes configuration.

    ORACLE(dns-config)# server-dns-attributes
    ORACLE(server-dns-attributes)# address-translation

    To configure the NAT, enter two values:
    • server-prefix: address/prefix that will be returned by the DNS server
    • client-prefix: address/prefix to which a response is returned

    Each of these is a two-part value:
    • IPv4 address
    • Number of bits indicating how much of the IPv4 address to match

    If you do not specify the number of bits, then all 32 bits of the IPv4 address will be used for matching. If you set the number of bits to 0, then the address will simply be copied.

    For example, if you set the server prefix to 10.3.17.2/16 and the client prefix to 192.168.0.0/16, then the Oracle® Enterprise Session Border Controller will return an address of 192.168.17.2 to the DNS client.

    ORACLE(server-dns-attributes)# address-translation
    ORACLE(address-translation)# server-prefix 10.3.17.2/16
    ORACLE(address-translation)# client-prefix 192.168.0.0/16
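The following Python model, added here as an illustration and not code from the Oracle® Enterprise Session Border Controller, shows the two decisions the DNS ALG makes for a query: picking the server-dns-attributes entry whose domain-suffix list matches the query name (including the *.com and .com wildcard forms), and rewriting the IPv4 address in the reply according to server-prefix and client-prefix, with the page's rules that a missing prefix length means all 32 bits are matched and a length of 0 copies the address unchanged. The class, function and realm names, and the rule that a bare suffix such as acmepacket.com also matches its subdomains, are assumptions of this example; the sample values are the page's own (10.3.17.2/16 and 192.168.0.0/16 give 192.168.17.2).

```python
import ipaddress
from dataclasses import dataclass


# Constructed model of one server-dns-attributes entry; the field names mirror the
# ACLI parameters on the page, but the class itself is not part of the product.
@dataclass
class ServerDnsAttributes:
    server_realm: str
    domain_suffix: list        # e.g. ["acmepacket.com", "*.net"]
    server_address_list: list  # DNS servers reachable in server_realm
    server_prefix: str         # address-translation > server-prefix
    client_prefix: str         # address-translation > client-prefix


def parse_prefix(value):
    """Split 'addr' or 'addr/bits' into (integer address, bits).
    A missing /bits means all 32 bits are matched, as the text states."""
    if "/" in value:
        addr, bits = value.split("/", 1)
        bits = int(bits)
    else:
        addr, bits = value, 32
    if not 0 <= bits <= 32:
        raise ValueError(f"prefix length out of range: {value}")
    return int(ipaddress.IPv4Address(addr)), bits


def _mask(bits):
    """Network mask for a prefix length, as a 32-bit integer."""
    return (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF


def translate_address(answer, server_prefix, client_prefix):
    """Rewrite an IPv4 address taken from a DNS answer.

    If the leading server-prefix bits of `answer` match server-prefix, those leading
    bits are replaced by the client-prefix bits (assumption: the client-prefix length
    decides how many bits are substituted; the remaining host bits are kept).
    A server-prefix length of 0 copies the address unchanged, as the text says, and
    addresses outside the server prefix are passed through untouched.
    """
    s_addr, s_bits = parse_prefix(server_prefix)
    c_addr, c_bits = parse_prefix(client_prefix)
    a = int(ipaddress.IPv4Address(answer))
    if s_bits == 0 or (a & _mask(s_bits)) != (s_addr & _mask(s_bits)):
        return answer
    cmask = _mask(c_bits)
    rewritten = (c_addr & cmask) | (a & ~cmask & 0xFFFFFFFF)
    return str(ipaddress.IPv4Address(rewritten))


def suffix_matches(qname, suffix):
    """Match a query name against one configured domain suffix.
    '*.com' and '.com' are the wildcard forms from the page; a bare 'acmepacket.com'
    is taken (assumption) to match that domain and any subdomain, but not names that
    merely end in the same characters (e.g. 'evilacmepacket.com')."""
    q = qname.rstrip(".").lower()
    s = suffix.lower()
    if s.startswith("*."):
        s = s[1:]                      # '*.com' -> '.com'
    if s.startswith("."):
        return q.endswith(s)
    return q == s or q.endswith("." + s)


def select_server_entry(qname, entries):
    """Return the first entry whose domain-suffix list matches qname, else None."""
    for entry in entries:
        if any(suffix_matches(qname, sfx) for sfx in entry.domain_suffix):
            return entry
    return None


def resolve_through_alg(qname, raw_answer, entries):
    """Route a client query to the matching server entry and NAT the address it returns.
    `raw_answer` stands in for the A record the server replied with (constructed input)."""
    entry = select_server_entry(qname, entries)
    if entry is None:
        return None  # no configured suffix matched; the page says such a config will not work
    return entry.server_realm, translate_address(raw_answer, entry.server_prefix, entry.client_prefix)


# Constructed configuration mirroring the page's sample values; "network-a" and
# 10.3.0.53 are placeholders for this example.
SAMPLE_ENTRIES = [
    ServerDnsAttributes("network-a", ["acmepacket.com"], ["10.3.0.53"],
                        "10.3.17.2/16", "192.168.0.0/16"),
]

if __name__ == "__main__":
    print(resolve_through_alg("sip.acmepacket.com", "10.3.17.2", SAMPLE_ENTRIES))
```

The suffix matcher deliberately requires a label boundary for bare suffixes so that a lookalike domain sharing only a trailing substring is not routed to, or NATed as, the trusted server realm; the wildcard forms behave as the page describes them.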

DNS Transaction Timeout

To provide resiliency during DNS server failover, you can now enable a transaction timeout for DNS servers. If you have endpoints that are only capable of being configured with a single DNS server, this can allow DNS queries to be sent to the next configured server—even when contacting the Oracle® Enterprise Session Border Controller’s DNS ALG on a single IP address. So when the first server in the list times out, the request is sent to the next server in the list.

The Oracle® Enterprise Session Border Controller uses the transaction timeout value set in the server-dns-attributes configuration (part of the dns-config).

DNS Transaction Timeout Configuration

To enable the DNS transaction timeout:

  1. In Superuser mode, type configure terminal and press Enter.
    ORACLE# configure terminal
    ORACLE(configure)#
  2. Type media-manager and press Enter
    ORACLE(configure)# media-manager
    ORACLE(media-manager)#
  3. Type media-manager and press Enter.
    ORACLE(media-manager)# media-manager
    ORACLE(media-manager-config)#
  4. dnsalg-server-failover—Change this parameter from disabled (default) to enabled to allow DNS queries to be sent to the next configured server—even when contacting the Oracle® Enterprise Session Border Controller’s DNS ALG on a single IP address. So when the first server in the list times out, the request is sent to the next server in the list. The Oracle® Enterprise Session Border Controller uses the transaction timeout value set in the server-dns-attributes configuration (part of the dns-config).
  5. Save your work.

Dynamic ACL for the HTTP-ALG

The dynamic Access Control List (ACL) option for HTTP-Application Layer Gateway (ALG) provides Distributed Denial of Service (DDoS) attack protection for the HTTP port.

When you enable the dynamic ACL option, the system sets the trust level of the static flow for the public listening socket (defined in http-alg, public) to untrusted. Each listening socket creates and manages its own ACL list, which lets the listening socket keep track of the number of received and invalid messages, the number of connections per endpoint, and so on. You can configure a different setting for each http-alg object.

Dynamic ACL for each endpoint is triggered by Session Initialization Protocol (SIP) registration messages. Upon receiving a SIP registration message, the SIP agent creates a dynamic ACL entry for the endpoint. If the 200 OK response is received, the ACL is promoted, allowing the HTTP message to go through the security domain. If SIP registration is unsuccessful, the ACL entry is removed and HTTP ingress messages are blocked from the endpoint. The ACL entry is removed upon incomplete registration renewal or telephone disconnect.

The following table describes the criteria, and the associated configuration items, that result in a denied or allowed connection for both the low and medium control levels.

Criteria                                    Associated Configuration Item               Action
Exceed total number of allowed connections  http-alg, max-incoming-conns                Connection denied
Exceed total connections per peer           http-alg, per-src-ip-max-incoming-conns     Connection denied
ACL not promoted                            Dynamically set on SIP registration         Connection denied
Exceed maximum number of packets/sec        realm-config, maximum-signal-threshold      Connection denied and peer is promoted
Exceed maximum number of error packets      realm-config, invalid-signal-threshold      Connection denied and peer is promoted

Oracle recommends setting realm-config, access-control-level to medium.

If a peer is promoted to trusted, the system performs DDoS checks on max number of packets/sec and max number of error packets allowed.

Demotions depend on the realm-config, access-control-trust-level setting for the realm. For more information on realm-config settings, see the ACLI Configuration Guide.

If you want to configure different ACL settings for SIP traffic and for HTTP-ALG traffic, you must configure a realm for each type of traffic.
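The Python model below is an added illustration of the dynamic ACL lifecycle described in this section, not code from the Oracle® Enterprise Session Border Controller: a SIP registration creates an entry for the endpoint, a 200 OK promotes it, a failed or lapsed registration removes it, and each new HTTP connection is checked against the connection-limit and promotion rows of the table above. The class and method names, the order in which the checks are applied, keying the entry by source IP, and dropping an endpoint's open connections when its entry is removed are assumptions of this example; the endpoint addresses and limits are constructed.

```python
from collections import defaultdict


class HttpAlgDynamicAcl:
    """Toy model of the dynamic-ACL decision table for one http-alg listening socket.

    Assumptions not stated on the page: the checks run in the order the table lists
    them; ACL state is keyed by the endpoint's source IP; when an ACL entry is removed
    (failed or lapsed registration, phone disconnect) its open HTTP connections are
    dropped as well. max-incoming-conns is the socket-wide total, as in the table.
    """

    def __init__(self, max_incoming_conns, per_src_ip_max_incoming_conns):
        self.max_incoming_conns = max_incoming_conns
        self.per_src_ip_max = per_src_ip_max_incoming_conns
        self.acl = {}                   # endpoint ip -> "pending" | "promoted"
        self.conns = defaultdict(int)   # endpoint ip -> open HTTP connections
        self.total_conns = 0

    # --- SIP side: registration drives the ACL entry lifecycle -----------------
    def sip_register(self, ip):
        """REGISTER received: create the entry, not yet promoted."""
        self.acl.setdefault(ip, "pending")

    def sip_register_result(self, ip, ok):
        """200 OK promotes the entry; any other outcome removes it."""
        if ok:
            self.acl[ip] = "promoted"
        else:
            self.remove_endpoint(ip)

    def remove_endpoint(self, ip):
        """Incomplete renewal, failed registration or phone disconnect."""
        self.acl.pop(ip, None)
        self.total_conns -= self.conns.pop(ip, 0)

    # --- HTTP side: every new inbound connection is checked against the table --
    def http_connect(self, ip):
        """Return (allowed, reason) for a new HTTP connection from `ip`."""
        if self.total_conns >= self.max_incoming_conns:
            return False, "max-incoming-conns exceeded"
        if self.conns[ip] >= self.per_src_ip_max:
            return False, "per-src-ip-max-incoming-conns exceeded"
        if self.acl.get(ip) != "promoted":
            return False, "ACL not promoted"
        self.conns[ip] += 1
        self.total_conns += 1
        return True, "allowed"


def run_sample():
    """Replay a constructed event sequence and return the decision reasons in order."""
    alg = HttpAlgDynamicAcl(max_incoming_conns=3, per_src_ip_max_incoming_conns=2)
    phone, other = "10.0.0.5", "10.0.0.6"        # constructed endpoint addresses
    out = []
    out.append(alg.http_connect(phone)[1])       # no SIP registration yet
    alg.sip_register(phone)
    out.append(alg.http_connect(phone)[1])       # entry exists but is not promoted
    alg.sip_register_result(phone, ok=True)      # 200 OK
    out.append(alg.http_connect(phone)[1])
    out.append(alg.http_connect(phone)[1])
    out.append(alg.http_connect(phone)[1])       # third connection from the same peer
    alg.sip_register(other)
    alg.sip_register_result(other, ok=True)
    out.append(alg.http_connect(other)[1])       # socket total reaches 3
    out.append(alg.http_connect(other)[1])       # socket-wide limit
    alg.remove_endpoint(phone)                   # renewal lapsed: entry and its conns go
    out.append(alg.http_connect(phone)[1])       # room again, but no promoted entry
    return out


if __name__ == "__main__":
    for reason in run_sample():
        print(reason)
```

Because the per-socket total is checked before the per-peer limit, a single promoted peer that has exhausted max-incoming-conns also blocks other promoted peers; that is the trade-off between the two limits when you size them for a deployment.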

Dynamic Access Control List (ACL) Settings for the HTTP Application Layer Gateway (ALG)

You can set the following parameters for the realm specified in http-alg, public, realm-id.
  • access-control-trust-level
  • invalid-signal-threshold
  • maximum-signal-threshold
  • untrusted-signal-threshold
  • deny-period

For more information on realm-config settings, see the ACLI Configuration Guide.

Enable Dynamic Access Control List (ACL) for the HTTP Application Layer Gateway (ALG)

The dynamic ACL option, which provides Distributed Denial of Service (DDoS) attack protection for the HTTP port, is disabled by default and must be enabled explicitly.

Confirm that the session manager is mapped to the Oracle® Enterprise Session Border Controller.
Two ACL entries are required for each registered telephone, where one entry is used for SIP traffic and one is used for HTTP-ALG traffic.

Note:

Enabling dynamic access control for HTTP-ALG traffic reduces the number of available dynamic ACL entries on the session border controller, which may reduce the number of concurrent trusted endpoints that the system can support.

  1. From the command line, type configure terminal, and press ENTER.
  2. Type session-router, and press ENTER.
  3. Type http-alg, and press ENTER.
    The system displays a list of configured HTTP-ALG objects.
  4. Type the number of the HTTP-ALG object that you want to edit, and press ENTER.
    The system displays the configuration values for the selected object.
  5. Type dynamic-acl enabled, and press ENTER.
  6. Optional. Type max-incoming-conns <value>, and press ENTER to set the maximum total number of incoming HTTP connections on the listening socket.
  7. Optional. Type per-src-ip-max-incoming-conns <value>, and press ENTER to set the maximum number of HTTP connections per peer IP address.
  8. Type Done, and press ENTER to save the HTTP-ALG values.
    The system displays the HTTP-ALG configuration.
  9. Exit, Save, and Activate the configuration.