topic Hi Vibhor,How can i check if in Network Security

Cisco ASA DNS Memory Exhaustion Vulnerability

mahesh18 — Tue, 12 Mar 2019 05:53:42 GMT

Hi Everyone,

As per Cisco our ASA has this vulnerability.

Workaround is

For the Cisco ASA DNS Memory Exhaustion Vulnerability, reducing the retries setting to 0 under the DNS server-group provides a workaround for this issue.
The following example shows how to set the retries setting to 0 for the default DNS server-group (DefaultDNS)

ciscoasa(config-dns-server-group)# DNS server-group DefaultDNS
ciscoasa(config-dns-server-group)# retries 0

Need to confirm if i config the command retries 0 will it cause any DNS outage for the users?

Regards

MAhesh

Hi,This value defines the

Vibhor Amrodia — Wed, 06 May 2015 15:14:31 GMT

Hi,

This value defines the number of times to retry the list of DNS servers when the ASA does not receive a response. Are you using the ASA DNS functionality ? It is mostly used in case of VPN or FQDN objects etc

This will not affect any issues for the users as they are not going to be querying the ASA for the DNS requests.

Thanks and Regards,

Vibhor Amrodia

Hi Vibhor,How can i check if

mahesh18 — Wed, 06 May 2015 15:17:49 GMT

Hi Vibhor,

How can i check if i am using ASA for DNS functionality?

Regards

Mahesh

Hi,Check this for reference

Vibhor Amrodia — Wed, 06 May 2015 15:34:40 GMT

Hi,

Check this for reference and verify if you are using any of the features that are using the DNS servers. Also , if you change this setting , this will not affect any of these features as long as the DNS server is responding.

http://www.cisco.com/c/en/us/td/docs/security/asa/asa90/configuration/guide/asa_90_cli_config/basic_hostname_pw.html#pgfId-1080248

Thanks and Regards,

Vibhor Amrodia

Many thanks Vibhor

mahesh18 — Wed, 06 May 2015 16:15:56 GMT

Many thanks Vibhor.

Regards

Mahesh