https://community.cisco.com/t5/network-security/dns-response-traffic-getting-dropped/m-p/2113994#M394982 <HTML><HEAD></HEAD><BODY><P>why are&nbsp; you telling him in increase the dns length to 1024?&nbsp; When he turns OFF dns inpsect (aka no fixup protol 53 dns), should that turns off inspecting DNS altogether?</P></BODY></HTML> Thu, 29 Nov 2012 12:51:14 GMT david.tran 2012-11-29T12:51:14Z https://community.cisco.com/t5/network-security/dns-response-traffic-getting-dropped/m-p/2113991#M394979 <P>We have a FWSM running 3.2 IOS in a cat 6509</P><P></P><P>Clients and server conducting queries against MS 2003 AD servers running DNS are having problems, and in the syslog I see messages like</P><P></P><P>Deny inbound UDP from 172.25.59.106/53 to 172.25.55.11/56465 due to DNS Response</P><P></P><P>UDP 53 is allowed from the subnets into the subnets/vlans where the DNS servers reside, and</P><P></P><P>same-security-traffic permit inter-interface</P><P>same-security-traffic permit intra-interface</P><P></P><P>has been enabled (the vlans have the same security level).</P><P></P><P>I have also attempted to turn off DNS inspection in the global policy (no inspect dns)</P><P></P><P>Nevertheless, these errors persist. Anyone have any ideas?</P> Tue, 12 Mar 2019 00:29:42 GMT https://community.cisco.com/t5/network-security/dns-response-traffic-getting-dropped/m-p/2113991#M394979 Colin Higgins 2019-03-12T00:29:42Z https://community.cisco.com/t5/network-security/dns-response-traffic-getting-dropped/m-p/2113992#M394980 <HTML><HEAD></HEAD><BODY><P>Please add<BR />inspect dns maximum-length 1024<BR /><BR />To your configuration. If you read the DNS RFC as with TFTP the packets should not exceed 512 bytes.<BR />As such the FWSM/ASA has a default DNS size of 512 bytes<BR /><BR />Best Regards<BR /><BR />Ju<BR /><BR /><BR />Sent from Cisco Technical Support iPad App</P></BODY></HTML> Wed, 28 Nov 2012 21:56:34 GMT https://community.cisco.com/t5/network-security/dns-response-traffic-getting-dropped/m-p/2113992#M394980 ju_mobile 2012-11-28T21:56:34Z https://community.cisco.com/t5/network-security/dns-response-traffic-getting-dropped/m-p/2113993#M394981 <HTML><HEAD></HEAD><BODY><P>Hello Colin,</P><P></P><P>What are the DNS servers being used by your local area network clients?</P><P>How many are there?</P><P></P><P>Regards,</P><P></P><P>Julio</P></BODY></HTML> Thu, 29 Nov 2012 01:31:20 GMT https://community.cisco.com/t5/network-security/dns-response-traffic-getting-dropped/m-p/2113993#M394981 Julio Carvajal 2012-11-29T01:31:20Z https://community.cisco.com/t5/network-security/dns-response-traffic-getting-dropped/m-p/2113994#M394982 <HTML><HEAD></HEAD><BODY><P>why are&nbsp; you telling him in increase the dns length to 1024?&nbsp; When he turns OFF dns inpsect (aka no fixup protol 53 dns), should that turns off inspecting DNS altogether?</P></BODY></HTML> Thu, 29 Nov 2012 12:51:14 GMT https://community.cisco.com/t5/network-security/dns-response-traffic-getting-dropped/m-p/2113994#M394982 david.tran 2012-11-29T12:51:14Z https://community.cisco.com/t5/network-security/dns-response-traffic-getting-dropped/m-p/2113995#M394983 <HTML><HEAD></HEAD><BODY><P> David,</P><P></P><P>The RFC states and Cisco obliges that DNS responses should be less than 512Bytes. The Firewall will drop any DNS response over 512bytes, unles sthe size is increased. The changes to DNS for DNSSEC means that the 512byte limit is often exceeded.</P><P></P><P><A href="http://www.cisco.com/web/about/security/intelligence/dnssec.html">http://www.cisco.com/web/about/security/intelligence/dnssec.html</A></P><P></P><P>Obviously, turning inspect off would negate the need for this command. Based on me missing that part of his post altogether. In which case its probably worth disabling DNS-GUARD..</P><P></P><P>Regards</P><P></P><P>Ju</P></BODY></HTML> Thu, 29 Nov 2012 13:05:36 GMT https://community.cisco.com/t5/network-security/dns-response-traffic-getting-dropped/m-p/2113995#M394983 ju_mobile 2012-11-29T13:05:36Z https://community.cisco.com/t5/network-security/dns-response-traffic-getting-dropped/m-p/2113996#M394984 <HTML><HEAD></HEAD><BODY><P>I don't work with ASA on daily basis (checkpoint is what I am doing these days);&nbsp; however, I thought can disable dns-guard if you have inspect DNS enable.&nbsp; </P><P></P><P>My understand of this is that once you turn OFF inspect DNS, dns-guard is also disabled as well because dns-guard is a subset of inspect DNS</P></BODY></HTML> Thu, 29 Nov 2012 13:13:50 GMT https://community.cisco.com/t5/network-security/dns-response-traffic-getting-dropped/m-p/2113996#M394984 david.tran 2012-11-29T13:13:50Z https://community.cisco.com/t5/network-security/dns-response-traffic-getting-dropped/m-p/2113997#M394985 <HTML><HEAD></HEAD><BODY><P> David,</P><P></P><P>As i'm sure your aware, I believe there are some variations between the ASA/PIX/FWSM. As i understand it teh question raised was in reference to teh FWSM 3.2 which has its own features or whatever semantics you wish to use.</P><P></P><P><A href="http://www.cisco.com/web/about/security/intelligence/dns-bcp.html">http://www.cisco.com/web/about/security/intelligence/dns-bcp.html</A></P><P></P><P>search for DNS-GUARD</P><P></P><P>Best Regards</P><P></P><P>Ju (stuff is what I do these days)</P></BODY></HTML> Thu, 29 Nov 2012 13:24:38 GMT https://community.cisco.com/t5/network-security/dns-response-traffic-getting-dropped/m-p/2113997#M394985 ju_mobile 2012-11-29T13:24:38Z https://community.cisco.com/t5/network-security/dns-response-traffic-getting-dropped/m-p/2113998#M394986 <HTML><HEAD></HEAD><BODY><P>jcarvaja:</P><P></P><P>we have two DNS servers in the environment, both on the same subnet, which is a firewalled VLAN on the FWSM.</P><P></P><P>I am seeing these DNS errors on reply traffic from those servers to other VLANs/subnets on the same FWSM</P><P></P><P>It appears as though this "dns guard" feature cannot be turned off yes?</P></BODY></HTML> Thu, 29 Nov 2012 14:11:13 GMT https://community.cisco.com/t5/network-security/dns-response-traffic-getting-dropped/m-p/2113998#M394986 Colin Higgins 2012-11-29T14:11:13Z https://community.cisco.com/t5/network-security/dns-response-traffic-getting-dropped/m-p/2113999#M394987 <HTML><HEAD></HEAD><BODY><P>DNS-Guard can be disabled. On the ASDM go to device management, advanced, DNS and from in that location untick the DnS-guard box<BR /><BR />Best Regards<BR /><BR />Ju<BR /><BR />Sent from Cisco Technical Support iPhone App</P></BODY></HTML> Thu, 29 Nov 2012 14:20:17 GMT https://community.cisco.com/t5/network-security/dns-response-traffic-getting-dropped/m-p/2113999#M394987 ju_mobile 2012-11-29T14:20:17Z https://community.cisco.com/t5/network-security/dns-response-traffic-getting-dropped/m-p/2114000#M394988 <HTML><HEAD></HEAD><BODY><P>that's goes back to my original thought.&nbsp; Once you disable inspecting DNS "no fixup protocol 53 dns", shouldn't that turn OFF dns-guard as well?</P></BODY></HTML> Thu, 29 Nov 2012 15:09:53 GMT https://community.cisco.com/t5/network-security/dns-response-traffic-getting-dropped/m-p/2114000#M394988 david.tran 2012-11-29T15:09:53Z https://community.cisco.com/t5/network-security/dns-response-traffic-getting-dropped/m-p/2114001#M394990 <HTML><HEAD></HEAD><BODY><P>Yes,<BR /><BR />But not on a FWSM running a 3.2 code.<BR /><BR />Regards<BR /><BR />Ju<BR /><BR />Sent from Cisco Technical Support iPhone App</P></BODY></HTML> Thu, 29 Nov 2012 16:20:31 GMT https://community.cisco.com/t5/network-security/dns-response-traffic-getting-dropped/m-p/2114001#M394990 ju_mobile 2012-11-29T16:20:31Z https://community.cisco.com/t5/network-security/dns-response-traffic-getting-dropped/m-p/2114002#M394993 <HTML><HEAD></HEAD><BODY><P>Hello Colin,</P><P></P><P>Exactly, </P><P></P><P>This is because of the DNS guard feature.. One of your local DNS servers is replying later than the other DNS so as the ASA already received a DNS reply from one DNS server the other one will be dropped. </P><P></P><P>So this message can be safely ignored <SPAN __jive_emoticon_name="grin" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/4.5.4/images/emoticons/grin.gif"></SPAN></P><P></P><P>Let me know if you do understand what I mean </P><P></P><P>Julio</P></BODY></HTML> Thu, 29 Nov 2012 16:49:15 GMT https://community.cisco.com/t5/network-security/dns-response-traffic-getting-dropped/m-p/2114002#M394993 Julio Carvajal 2012-11-29T16:49:15Z