https://community.cisco.com/t5/network-security/dns-response/m-p/993289#M918142 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>I'm working on the same issue and what I get it that one DNS server has responded and the firewall DNS inspection engine realizes this so it doesn't respond to the DNS query. I don't think its a harmful log message but I'm looking into it further on my end.</P><P></P><P></P><P>Craig</P></BODY></HTML> Mon, 10 Nov 2008 18:09:34 GMT craig.eyre 2008-11-10T18:09:34Z https://community.cisco.com/t5/network-security/dns-response/m-p/993285#M918138 <P>Hello, </P><P></P><P>I am getting following critical log message: </P><P>DENY INBOUND UDP from X.Y.Z.1/53 to P.Q.R.2/1025 due to DNS response </P><P></P><P>No impact on client/server side though. But this is continuosly generating log.Related ACL are allowed for DNS response. </P><P> what is causing this message to log.Please advise. </P><P></P><P>regards</P><P>SAS</P><P></P><P></P> Mon, 11 Mar 2019 13:01:20 GMT https://community.cisco.com/t5/network-security/dns-response/m-p/993285#M918138 anwar.shariff 2019-03-11T13:01:20Z https://community.cisco.com/t5/network-security/dns-response/m-p/993286#M918139 <HTML><HEAD></HEAD><BODY><P>Can you please post the complete log line? Also including the Log number.</P><P></P><P>Regards</P><P></P><P>Farrukh</P></BODY></HTML> Thu, 19 Jun 2008 01:58:06 GMT https://community.cisco.com/t5/network-security/dns-response/m-p/993286#M918139 Farrukh Haroon 2008-06-19T01:58:06Z https://community.cisco.com/t5/network-security/dns-response/m-p/993287#M918140 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>The number of message is 106007.</P><P></P><P>Explanation : This is a connection-related message. This message is displayed if a UDP packet containing a DNS query or response is denied. </P><P></P><P>Recommended Action : If the inside port number is 53, the inside host probably is set up as a caching name server. Add an access-list command statement to permit traffic on UDP port 53, and a translation entry for the inside host. If the outside port number is 53, a DNS server was probably too slow to respond, and the query was answered by another server. </P><P></P><P>Reference: <A class="jive-link-custom" href="http://www.cisco.com/en/US/docs/security/asa/asa72/system/message/logmsgs.html#wp1279764" target="_blank">http://www.cisco.com/en/US/docs/security/asa/asa72/system/message/logmsgs.html#wp1279764</A></P><P></P><P>I hope this helps.</P><P>Best regards.</P><P>Massimiliano. </P></BODY></HTML> Thu, 19 Jun 2008 03:05:35 GMT https://community.cisco.com/t5/network-security/dns-response/m-p/993287#M918140 massimiliano.serafino 2008-06-19T03:05:35Z https://community.cisco.com/t5/network-security/dns-response/m-p/993288#M918141 <HTML><HEAD></HEAD><BODY><P>thanks for the reply, In fact I had referred to this link and tried allowing required policies but same problem persists... any advices further. </P><P></P><P>regards</P><P>SAS</P></BODY></HTML> Thu, 19 Jun 2008 18:13:38 GMT https://community.cisco.com/t5/network-security/dns-response/m-p/993288#M918141 anwar.shariff 2008-06-19T18:13:38Z https://community.cisco.com/t5/network-security/dns-response/m-p/993289#M918142 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>I'm working on the same issue and what I get it that one DNS server has responded and the firewall DNS inspection engine realizes this so it doesn't respond to the DNS query. I don't think its a harmful log message but I'm looking into it further on my end.</P><P></P><P></P><P>Craig</P></BODY></HTML> Mon, 10 Nov 2008 18:09:34 GMT https://community.cisco.com/t5/network-security/dns-response/m-p/993289#M918142 craig.eyre 2008-11-10T18:09:34Z https://community.cisco.com/t5/network-security/dns-response/m-p/993290#M918143 <HTML><HEAD></HEAD><BODY><P>Yes this message is normal if you have two servers configured for DHCP relay in the firewall. The first DNS response is allowed through but the second is blocked (and rightly so).</P><P></P><P>Regards</P><P></P><P>Farrukh</P></BODY></HTML> Tue, 11 Nov 2008 06:33:01 GMT https://community.cisco.com/t5/network-security/dns-response/m-p/993290#M918143 Farrukh Haroon 2008-11-11T06:33:01Z