https://community.cisco.com/t5/network-security/cisco-asa-defaults-for-dns-inspection/m-p/4392651#M1080264 <P>is this HA or standalone, if this was there before adding the command not going to harm?</P> <P>&nbsp;</P> <P>before adding, do you see any issue with the DNS?</P> <P>&nbsp;</P> Sun, 25 Apr 2021 00:34:43 GMT balaji.bandi 2021-04-25T00:34:43Z https://community.cisco.com/t5/network-security/cisco-asa-defaults-for-dns-inspection/m-p/4392647#M1080263 <P>Hello,</P><P>&nbsp;</P><P>I have a question regarding DNS inspection on the ASA.</P><P>&nbsp;</P><P>Would it make a difference running the DNS inspection without preset_dns_map ?</P><P>&nbsp;</P><P>I migrated my ASA newly from 9.4 to 9.8.4.34 and in the configurations I can see the below :</P><P>&nbsp;</P><PRE>policy-map global_policy class inspection_default &nbsp;&nbsp;inspect dns</PRE><P>I don't see the below in my configuration at all.</P><PRE>policy-map type inspect dns preset_dns_map</PRE><P>&nbsp;I don't have any special Parameters in use.</P><P>&nbsp;</P><P>So the question Do I need to copy the configuration from another ASA , to have the below parameters , or Its enabled by default with the DNS inspection and the purpose of preset_dns_map is to have customize it if needed ?</P><P>&nbsp;</P><UL><LI><P class="p">The maximum DNS message length is 512 bytes.</P></LI><LI><P class="p">DNS over TCP inspection is disabled.</P></LI><LI><P class="p">The maximum client DNS message length is automatically set to match the Resource Record.</P></LI><LI><P class="p">DNS Guard is enabled, so the ASA tears down the DNS session associated with a DNS query as soon as the DNS reply is forwarded by the ASA. The ASA also monitors the message exchange to ensure that the ID of the DNS reply matches the ID of the DNS query.</P></LI><LI><P class="p">Translation of the DNS record based on the NAT configuration is enabled.</P></LI><LI><P class="p">Protocol enforcement is enabled, which enables DNS message format check, including domain name length of no more than 255 characters, label length of 63 characters, compression, and looped pointer check.</P></LI></UL> Sat, 24 Apr 2021 23:57:46 GMT https://community.cisco.com/t5/network-security/cisco-asa-defaults-for-dns-inspection/m-p/4392647#M1080263 MohammadKayed 2021-04-24T23:57:46Z https://community.cisco.com/t5/network-security/cisco-asa-defaults-for-dns-inspection/m-p/4392651#M1080264 <P>is this HA or standalone, if this was there before adding the command not going to harm?</P> <P>&nbsp;</P> <P>before adding, do you see any issue with the DNS?</P> <P>&nbsp;</P> Sun, 25 Apr 2021 00:34:43 GMT https://community.cisco.com/t5/network-security/cisco-asa-defaults-for-dns-inspection/m-p/4392651#M1080264 balaji.bandi 2021-04-25T00:34:43Z https://community.cisco.com/t5/network-security/cisco-asa-defaults-for-dns-inspection/m-p/4392653#M1080265 <P>Its an HA active/standby.</P><P>I don't have Show tech nor Show run from the old version.</P><P>The purpose I am looking on it , My device memory is reaching 90+ ( on both units including the standby ) although the device is not oversubscribed ( ACL count , conn count all lower than the limit ) , I have a lot of traffic is being inspected by DNS when I run show service-policy It might be the reason but not sure as the CPU is normal ( below 20% )/</P><P>&nbsp;</P><P>I know it might be a bug or memory leak issue but I would like to understand better the DNS inspection.</P><P>&nbsp;</P><P>Is it necessarily to add&nbsp;preset_dns_map to the DNS inspection although I don't have any costume paraments ?</P> Sun, 25 Apr 2021 00:50:50 GMT https://community.cisco.com/t5/network-security/cisco-asa-defaults-for-dns-inspection/m-p/4392653#M1080265 MohammadKayed 2021-04-25T00:50:50Z https://community.cisco.com/t5/network-security/cisco-asa-defaults-for-dns-inspection/m-p/4392717#M1080269 <P>here is the release notes and some memory leak bugs are fixed. there is also DNS (CSCvg09778) - check this may be relavant.(but we need more information)</P> <P>&nbsp;</P> <P><A href="https://www.cisco.com/c/en/us/td/docs/security/asa/asa98/release/notes/asarn98.html" target="_blank">https://www.cisco.com/c/en/us/td/docs/security/asa/asa98/release/notes/asarn98.html</A></P> <P>&nbsp;</P> <PRE>My device memory is reaching 90+ ( on both units including the standby ) although the device is not oversubscribed ( ACL count , conn count all lower than the limit ) , I have a lot of traffic is being inspected by DNS when I run show service-policy It might be the reason but not sure as the CPU is normal ( below 20% )/</PRE> <P>&nbsp;</P> <P>This needs more information for us to confirm what process taking high on CPU.</P> <P>&nbsp;</P> <P><SPAN>#<STRONG>show processes cpu-usage sorted non-zero</STRONG> - identify the process taking up the most of the CPU</SPAN><BR /><SPAN>#<STRONG>show interface</STRONG> - check for input or output errors</SPAN><BR /><SPAN>#<STRONG>show traffic</STRONG> - check interfaces with unusually high traffic</SPAN></P> <P>&nbsp;</P> <P>&nbsp;</P> Sun, 25 Apr 2021 08:13:20 GMT https://community.cisco.com/t5/network-security/cisco-asa-defaults-for-dns-inspection/m-p/4392717#M1080269 balaji.bandi 2021-04-25T08:13:20Z https://community.cisco.com/t5/network-security/cisco-asa-defaults-for-dns-inspection/m-p/4392831#M1080272 <P>Thank you for the reply.</P><P>&nbsp;</P><P>I have checked the bug , It seems already fixed in 9.8.3</P><P>&nbsp;</P><P><SPAN>#</SPAN><STRONG>show processes cpu-usage sorted non-zero</STRONG><SPAN>&nbsp; &nbsp;-- &gt; DATAPATH ( Multiple processes each consume 1.0 - 2 % )&nbsp;</SPAN></P><P><SPAN>CPU usage currently is around 22%</SPAN></P><P>&nbsp;</P><P><SPAN>#<STRONG>show interface --- &gt;&nbsp;</STRONG></SPAN><SPAN>I don't see any overrun or underrun on a physical interface</SPAN></P><P><SPAN>I do see the below :</SPAN></P><P><SPAN>1) Internal Data0/0 -- &gt;</SPAN></P><P><SPAN>134721 overrun from 116432711000 input packet ( 1-4% very small value )</SPAN></P><P>No underrun</P><P>&nbsp;</P><P>2) Internal Data0/1</P><P>5e-4% overrun</P><P>no underrun</P><P>&nbsp;</P><P>3) Internal Data0/2</P><P>3e-5% overrun</P><P>no underrun</P><P>&nbsp;</P><P>3) Internal Data0/3</P><P>1.3e-4% overrun</P><P>2e-4% underrun</P><P>&nbsp;</P><P>4) internal data0/4 - 0/7 doesn't have any overrun or underrun</P><P>&nbsp;</P><P><SPAN>#</SPAN><STRONG>show traffic&nbsp; --&gt; As the issue with the memory&nbsp;does it worth to look at it ?</STRONG></P><P>All interfaces seems fine except the below :</P><P>&nbsp;</P><P>g0/4&nbsp; failover link ( which is should be ok as the replication from the active to standby ) - Data collected from active unit</P><P>--- &gt; received packets : 11476850</P><P>--- &gt; transmitted packets : 24740454127</P><P>&nbsp;</P><P>---------</P><P>&nbsp;</P><P>Extra info :</P><P>Active current memory :</P><P>85% --- &gt;65% global shared pool</P><P>CPU-- &gt; around 22%&nbsp;</P><P>&nbsp;</P><P>Standby unit : ( memory of the standby unit is higher )</P><P>90% --- &gt; global shared</P><P>4% cpu</P> Sun, 25 Apr 2021 14:49:06 GMT https://community.cisco.com/t5/network-security/cisco-asa-defaults-for-dns-inspection/m-p/4392831#M1080272 MohammadKayed 2021-04-25T14:49:06Z