https://community.cisco.com/t5/network-security/dns-question/m-p/1598792#M595635 <HTML><HEAD></HEAD><BODY><P>Yes, the corresponding dns reply should return. It will return the corresponding NAT address according to the static NAT statement that is configured with DNS doctoring.</P></BODY></HTML> Fri, 31 Dec 2010 12:28:32 GMT Jennifer Halim 2010-12-31T12:28:32Z https://community.cisco.com/t5/network-security/dns-question/m-p/1598791#M595633 <P>hi</P><P></P><P>i was goin through dns doctorig example in the cisco site and was going through packet captures of same . as dns request is udp , is it true that its corresp. dns reply will also come back . As it is UDP packet which is not reliable like TCP , is reply a new session initiated from the destionation ?</P> Mon, 11 Mar 2019 19:29:15 GMT https://community.cisco.com/t5/network-security/dns-question/m-p/1598791#M595633 techkamleshs 2019-03-11T19:29:15Z https://community.cisco.com/t5/network-security/dns-question/m-p/1598792#M595635 <HTML><HEAD></HEAD><BODY><P>Yes, the corresponding dns reply should return. It will return the corresponding NAT address according to the static NAT statement that is configured with DNS doctoring.</P></BODY></HTML> Fri, 31 Dec 2010 12:28:32 GMT https://community.cisco.com/t5/network-security/dns-question/m-p/1598792#M595635 Jennifer Halim 2010-12-31T12:28:32Z https://community.cisco.com/t5/network-security/dns-question/m-p/1598793#M595637 <HTML><HEAD></HEAD><BODY><P>hi</P><P></P><P>dns doctorig example was just reference , my ques is more related to networking as dns request is udp i believe it will just deliver the packet to destn , but seeing this eg. as corresp. dns reply is also coming back .i wanted to understnad if reply is a new session initiated from the destination towards source (As it is UDP packet which is not reliable like TCP )</P></BODY></HTML> Fri, 31 Dec 2010 12:45:15 GMT https://community.cisco.com/t5/network-security/dns-question/m-p/1598793#M595637 techkamleshs 2010-12-31T12:45:15Z https://community.cisco.com/t5/network-security/dns-question/m-p/1598794#M595639 <HTML><HEAD></HEAD><BODY><P>Yes, you are right. UDP is connectionless, and ASA will actually match the ID of the DNS request and reply and makes sure that it matches.</P><P></P><P>"inspect dns" is required to make sure that it is a legitemate DNS reply that matches the DNS request on the ASA connection table.</P><P></P><P>Here is more information on dns in specific on ASA for your reference:</P><P><A class="jive-link-external-small" href="http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/i2.html#wp1719130">http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/i2.html#wp1719130</A></P><P></P><P>However, for other UDP packet, you are absolutely right.</P></BODY></HTML> Fri, 31 Dec 2010 13:25:06 GMT https://community.cisco.com/t5/network-security/dns-question/m-p/1598794#M595639 Jennifer Halim 2010-12-31T13:25:06Z https://community.cisco.com/t5/network-security/dns-question/m-p/1598795#M595640 <HTML><HEAD></HEAD><BODY><P>thanks ! and matching the ID of the DNS request with reply is done by DNS guard. right ?</P></BODY></HTML> Fri, 31 Dec 2010 14:09:11 GMT https://community.cisco.com/t5/network-security/dns-question/m-p/1598795#M595640 techkamleshs 2010-12-31T14:09:11Z https://community.cisco.com/t5/network-security/dns-question/m-p/1598796#M595641 <HTML><HEAD></HEAD><BODY><P>Kamlesh,</P><P>dns guard - ensures one response per request.</P><P></P><P><SPAN>You can read here: </SPAN><A class="jive-link-external-small" href="http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/d2.html#wp1951632">http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/d2.html#wp1951632</A></P><P></P><P>-KS</P></BODY></HTML> Fri, 31 Dec 2010 14:30:46 GMT https://community.cisco.com/t5/network-security/dns-question/m-p/1598796#M595641 Kureli Sankar 2010-12-31T14:30:46Z