topic Re: DNS-INSPECTION DROPS PACKETS in Network Security

DNS-INSPECTION DROPS PACKETS

Leonardo Fernando Monzon Luis — Mon, 11 Mar 2019 19:03:43 GMT

Hi guys, I really appreciate somebody could help me.

I have an ASA 5520 Version 8.0(4) in my network with default inspection, suddenly many users where having RPC errors when they arrive to work and turn on their computers.

The users told us that they had changed their DNS configs, so we call the system guy in that site and told us that they have update their Active directory servers to a windows 2008 R2, so we troubleshoot a little and we found that when we remove dns_preset_dns_map, the error dissapear. Could
somebody have any idea about this???

class-map IPS
match any
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect xdmcp
inspect dns preset_dns_map
class IPS
ips inline fail-open
!
service-policy global_policy global

This is really a big problem because we have about 70 ASA with the same default inspection and there´s no problem.

If somebody could help, i would appreciate

Re: DNS-INSPECTION DROPS PACKETS

Maykol Rojas — Tue, 02 Nov 2010 19:09:44 GMT

Hello!!!!!!!

I think I know the issue, Can you ask your Server administrator if they are using secure DNS? This will make the packet larger than the one configure by default.

You can increase the packet lenght

ciscoasa(config)# policy-map type inspect dns preset_dns_map
ciscoasa(config-pmap)# parameters
ciscoasa(config-pmap-p)# message-length maximum

In version 8.2 or later you can put it as auto, but for this version you will have to set it manually.

Hope it helps.

Mike

Re: DNS-INSPECTION DROPS PACKETS

Leonardo Fernando Monzon Luis — Tue, 02 Nov 2010 19:29:01 GMT

thanks for the reply, i would ask for this information, but i really don´t have any idea why just in one ASA this problem appears and in the rest of them seems to be ok, anyway i don´t want to dissmiss anything of this update you are advising me.

I think this is the update you have in mind.

For enterprises operating Microsoft Server infrastructure, there are specific things needed in place before May 5^th.

Windows Server 2008 and Windows Server 2008 R2 will support the new DNSSEC implementation, but only if it is implemented. It is an optional choice during installation (see Microsoft’s “DNSSEC Deployment Guide,” published in October 2009).

There is only limited support for DNSSEC in Windows Server 2003 DNS. Under the new DNSSEC, Windows 2003 can act as a secondary DNS server for an existing DNSSEC compliant zone. Windows Server 2003 will cache the new, larger records but not perform cryptography, authentication, or verification. Only Windows Server 2008 implementations with DNSSEC implemented will provide full DNSSEC support. For more information refer to the following Microsoft items:

“Using DNS Security Extensions (DNSSEC)”
“DNSSEC overview”
“DNSSEC Deployment Guide”

There are other possible breakpoints for the DNSSEC response – namely firewalls. Older firewalls, and some newer ones, will drop UDP port 53 (DNS response) traffic larger than 512b by default. For example, Cisco PIX / ASA will not support DNSSEC through DNS inspection on versions before 8.2.2. Therefore, IT leaders will have to disable DNS inspection (not recommended) or if possible, migrate to ASA 8.2.2 or higher. SOHO routers may also be problematic if they proxy DNS.

Thanks

Re: DNS-INSPECTION DROPS PACKETS

Maykol Rojas — Tue, 02 Nov 2010 23:18:50 GMT

You got it!!!

Clients on inside networks with ASA version lower than 8.2.2 will have problems. ASA version 8.2.2 or higher have the DNS map as auto.

Hope this helps and let me know the results.

Thanks!

Mike

Re: DNS-INSPECTION DROPS PACKETS

Leonardo Fernando Monzon Luis — Wed, 10 Nov 2010 17:16:06 GMT

Hi, sorry for not answering this discussion earlier, we had upgraded to version 8.2(3) in our ASA, but the problem with the computers stills. We opened a TAC case and they are helping us.

I´ll update this discussion if we have some updates from cisco.

Re: DNS-INSPECTION DROPS PACKETS

Maykol Rojas — Wed, 10 Nov 2010 18:22:27 GMT

Hello Luis,

Can I have the service request number, Ill take a look at it with the engineer.

Cheers.

Mike

Re: DNS-INSPECTION DROPS PACKETS

Leonardo Fernando Monzon Luis — Wed, 10 Nov 2010 18:40:13 GMT

The service request number is 615913549, we are seeing this issue with 'Abraham Hernandez (abhernan)'. He is helping us with this proyect.

Thanks.

Re: DNS-INSPECTION DROPS PACKETS

Leonardo Fernando Monzon Luis — Wed, 01 Dec 2010 17:39:38 GMT

sorry for not replying earlier, Cisco TAC send us some commands to do some test with our computers.

enable

config terminal

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

no dns-guard

no id-mismatch

no id-randomization

no protocol-enforcement

end

So I will reply the results,

Thanks