topic inspect-dns-invalid-pak question. in Network Security

inspect-dns-invalid-pak question.

raga.fusionet — Mon, 11 Mar 2019 21:31:50 GMT

Hi All,

One of our ASAs seems to be dropping DNS traffic. The users behind it complain that DNS seems to be blocked by the firewall.

The inspect config is the following:

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 2096

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect netbios

inspect rsh

inspect rtsp

inspect skinny

inspect esmtp

inspect sqlnet

inspect sunrpc

inspect tftp

inspect sip

inspect xdmcp

service-policy global_policy global

When checking packet tracer I see the following:

PAN# packet-tracer input inside udp 172.16.1.90 1028 8.8.8.8 53

Phase: 1

Type: FLOW-LOOKUP

Subtype:

Result: ALLOW

Config:

Additional Information:

Found no matching flow, creating a new flow

Phase: 2

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in 0.0.0.0 0.0.0.0 outside

Phase: 3

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 4

Type: INSPECT

Subtype: np-inspect

Result: ALLOW

Config:

class-map inspection_default

match default-inspection-traffic

policy-map global_policy

class inspection_default

inspect dns _default_dns_map

service-policy global_policy global

Additional Information:

Phase: 5

Type: NAT

Subtype:

Result: ALLOW

Config:

nat (inside) 1 0.0.0.0 0.0.0.0

match ip inside any outside any

dynamic translation to pool 1 (200.46.224.34 [Interface PAT])

translate_hits = 6809189, untranslate_hits = 990525

Additional Information:

Dynamic translate 172.16.1.90/1028 to 200.46.224.34/4051 using netmask 255.255.255.255

Phase: 6

Type: NAT

Subtype: host-limits

Result: ALLOW

Config:

nat (inside) 1 0.0.0.0 0.0.0.0

match ip inside any inside any

dynamic translation to pool 1 (No matching global)

translate_hits = 2800, untranslate_hits = 0

Additional Information:

Phase: 7

Type: HOST-LIMIT

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 8

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 9

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:

Additional Information:

New flow created with id 13772158, packet dispatched to next module

Result:

input-interface: inside

input-status: up

input-line-status: up

output-interface: outside

output-status: up

output-line-status: up

Action: drop

Drop-reason: (inspect-dns-invalid-pak) DNS Inspect invalid packet

The logs are showing this:

PAN# sh log | inc 172.16.1.90

%ASA-6-302015: Built outbound UDP connection 13772299 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:172.16.1.90/55114 (200.46.224.34/4050)

%ASA-6-302016: Teardown UDP connection 13772299 for outside:8.8.8.8/53 to inside:172.16.1.90/55114 duration 0:00:00 bytes 406

%ASA-6-302015: Built outbound UDP connection 13772302 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:172.16.1.90/55114 (200.46.224.34/4050)

%ASA-6-302016: Teardown UDP connection 13772302 for outside:8.8.8.8/53 to inside:172.16.1.90/55114 duration 0:00:00 bytes 199

Why is the Action Drop on the packet tracer? Shouldnt that be an allow?

Thanks.

Raga

Re: inspect-dns-invalid-pak question.

raga.fusionet — Wed, 28 Sep 2011 22:38:38 GMT

Weird ...

I noticed that it worked for non DNS UDP Ports, ie. any other port number other than 53. So I disabled the inspection for DNS and it seems to be working now:

PAN# packet-tracer input inside udp 172.16.1.90 1028 8.8.8.8 53

Phase: 1

Type: FLOW-LOOKUP

Subtype:

Result: ALLOW

Config:

Additional Information:

Found no matching flow, creating a new flow

Phase: 2

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in 0.0.0.0 0.0.0.0 outside

Phase: 3

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 4

Type: NAT

Subtype:

Result: ALLOW

Config:

nat (inside) 1 0.0.0.0 0.0.0.0

match ip inside any outside any

dynamic translation to pool 1 (200.46.224.34 [Interface PAT])

translate_hits = 6810141, untranslate_hits = 990562

Additional Information:

Dynamic translate 172.16.1.90/1028 to 200.46.224.34/4058 using netmask 255.255.255.255

Phase: 5

Type: NAT

Subtype: host-limits

Result: ALLOW

Config:

nat (inside) 1 0.0.0.0 0.0.0.0

match ip inside any inside any

dynamic translation to pool 1 (No matching global)

translate_hits = 2800, untranslate_hits = 0

Additional Information:

Phase: 6

Type: HOST-LIMIT

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 7

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 8

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:

Additional Information:

New flow created with id 13774236, packet dispatched to next module

Phase: 9

Type: ROUTE-LOOKUP

Subtype: output and adjacency

Result: ALLOW

Config:

Additional Information:

found next-hop 200.x.x.33 using egress ifc outside

adjacency Active

next-hop mac address 000b.bf34.b35b hits 414

Result:

input-interface: inside

input-status: up

input-line-status: up

output-interface: outside

output-status: up

output-line-status: up

Action: allow

inspect-dns-invalid-pak question.

raga.fusionet — Wed, 28 Sep 2011 22:39:33 GMT

Any comments or suggestions on why the inspect failed would be appreciated

have a good one.