topic Re: PIX 515 started blocking udp 53 in Network Security

PIX 515 started blocking udp 53

waifurchin — Fri, 21 Feb 2020 07:25:07 GMT

This really shouldn't be giving me this much trouble...

This morning I started seeing hundreds of the following log entry (destination port number differs, but the rest is the same):

Deny udp src outside:ns1_isp/53 dst inside:pix_ext/xxxxx by access-group "out"

ns1_isp is the dns server from our ISP. I assume that these are replies to dns requests. Why are they being blocked? Suddenly?

The access-list the log entry refers to is listed below, please help because I can't see anything that would cause this.

access-list out permit udp any host ns2_ext eq domain

access-list out permit udp any host ns1_ext eq domain

access-list out permit tcp any host ns1_ext eq smtp

access-list out permit tcp any host ns1_ext eq imap4

access-list out permit tcp any host ns1_ext eq www

access-group out in interface outside

ns1 & ns2 refer to an internal mail/dns server we are testing on the dmz.

Thanks in advance.

Re: PIX 515 started blocking udp 53

kagodfrey — Tue, 25 May 2004 21:29:32 GMT

Are they Windows 2003 servers by any chance? If so, it might be something to do with http://support.microsoft.com/default.aspx?scid=kb;en-us;828263&Product=winsvr2003

If it is you should be able to fix this by altering the maximum length of DNS query responses using the "fixup protocol dns maximum-length" command, or disable EDNS probes.

HTH

Kev

Re: PIX 515 started blocking udp 53

ehirsel — Wed, 26 May 2004 01:05:52 GMT

Can you post the static, nat, and global commands? The pix runs dns guard to prevent an answer from more than one dns server from coming back as a response to a request.

Did you notice the log entries as soon as you were testing the internal mail and dns on the DMZ?

Re: PIX 515 started blocking udp 53

waifurchin — Wed, 26 May 2004 01:30:59 GMT

No windows servers - good thought though.

I do have "fixup protocol dns maximum-length 512" specified though.

Re: PIX 515 started blocking udp 53

waifurchin — Wed, 26 May 2004 12:12:40 GMT

global (outside) 1 interface

nat (inside) 0 access-list dmz

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

static (dmz,outside) ns1_ext ns1_dmz netmask 255.255.255.255 0 0

static (dmz,outside) ns2_ext ns2_dmz netmask 255.255.255.255 0 0

access-group out in interface outside

route outside 0.0.0.0 0.0.0.0 router 1

Re: PIX 515 started blocking udp 53

shannong — Wed, 26 May 2004 13:53:44 GMT

The fixup for DNS blocks responses larger than 512 bytes. You either need to disable it or increase the length. A few DNS servers on the Internet, notably Yahoo, have too many servers in their responses and violate the RFC for max UDP DNS repsones.

Re: PIX 515 started blocking udp 53

ehirsel — Fri, 28 May 2004 14:23:46 GMT

Are you still seeing the messages? I am thinking that they could be the result of the isp dns server(s) acting/responding slowly causing the pix to close the udp session before the response is sent.

You mentioned that the isp has two dns servers - were both of them being listed in the log messages?

Re: PIX 515 started blocking udp 53

waifurchin — Fri, 28 May 2004 15:30:02 GMT

Everything seems to be back to normal.

Your suggestion may have in fact been the case. The issue started prior to my changing anything, and silently corrected itself as well which would seem to indicate the issue was not our equipment per say.