CSCvd26015 - NBAR DNS parser changes EDNS request packets

dig
Cisco Employee

Ran across this edge case when trying to deploy the BlueCat + Cisco Umbrella integration. This bug does modify the ARCOUNT, but more importantly, it modifies it without updating the UDP checksum. Packets are rejected as soon as they arrive at a DNS server because they fail checksum validation.


Affects requests with EDNS enabled, the DNSSEC DO bit on, and the AD bit off. Does not affect queries with a QTYPE of TXT, ANY, NS, and some others. Affects UDP, including ports other than 53; ignores TCP. It can be checked with 'dig' from a client; the server will drop the query if affected:


dig +dnssec +noad @208.67.222.222 example.com.


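The failure mode described in the post, as an added example that is not part of the original report or of any Cisco code: a Python script that builds the kind of query the report says triggers the bug (EDNS0 OPT record present, DNSSEC DO bit set, AD bit clear), wraps it in an IPv4/UDP datagram with a correct checksum, then rewrites ARCOUNT in place without touching the UDP checksum and shows that the receiver's checksum validation now fails, while the same rewrite followed by a checksum recomputation passes. The client address 192.0.2.10, the source port 40000 and the new ARCOUNT value of 0 are assumptions for illustration (the report does not say what value the parser writes); the resolver address is the one from the dig command above.

```python
"""Added example, not from the original post: build an EDNS0 query with the
DNSSEC DO bit set and the AD bit clear, wrap it in an IPv4/UDP datagram, and
show why a device that rewrites ARCOUNT without recomputing the UDP checksum
produces a packet the DNS server's host discards."""
import struct


def checksum16(data: bytes) -> int:
    """RFC 1071 Internet checksum: one's-complement sum of 16-bit words, complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_dns_query(qname: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Query matching the report's trigger: EDNS0 present, DO=1, AD=0.
    Header: ID, flags (RD only), QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=1."""
    flags = 0x0100                      # RD set; AD (0x0020) deliberately clear
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1)
    labels = qname.rstrip(".").split(".")
    question = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    question += struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN
    # OPT RR (RFC 6891): root name, TYPE 41, CLASS = UDP payload size,
    # TTL = ext-RCODE(0) | version(0) | DO bit (0x8000) | Z, RDLENGTH 0
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, 0x00008000, 0)
    return header + question + opt


def dns_arcount(dns_msg: bytes) -> int:
    """ARCOUNT occupies bytes 10-11 of the DNS header."""
    return struct.unpack("!H", dns_msg[10:12])[0]


def _ip(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))


def udp_checksum(src_ip: str, dst_ip: str, udp_hdr: bytes, payload: bytes) -> int:
    """UDP checksum over the IPv4 pseudo-header, the UDP header with its
    checksum field zeroed, and the payload. RFC 768: a computed 0 is sent as 0xFFFF."""
    pseudo = _ip(src_ip) + _ip(dst_ip) + struct.pack("!BBH", 0, 17, 8 + len(payload))
    hdr = udp_hdr[:6] + b"\x00\x00"
    return checksum16(pseudo + hdr + payload) or 0xFFFF


def build_udp(src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes) -> bytes:
    """UDP header + payload with a correct checksum."""
    hdr = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    csum = udp_checksum(src_ip, dst_ip, hdr, payload)
    return hdr[:6] + struct.pack("!H", csum) + payload


def udp_checksum_ok(src_ip: str, dst_ip: str, datagram: bytes) -> bool:
    """The check the receiving host performs before the DNS server ever sees the query."""
    stored = struct.unpack("!H", datagram[6:8])[0]
    return stored == udp_checksum(src_ip, dst_ip, datagram[:8], datagram[8:])


def rewrite_arcount_without_checksum(datagram: bytes, new_arcount: int) -> bytes:
    """Simulates the reported NBAR behaviour: ARCOUNT in the DNS header
    (UDP offset 8 + 10) is overwritten in place and the UDP checksum is left as it was."""
    off = 8 + 10
    return datagram[:off] + struct.pack("!H", new_arcount) + datagram[off + 2:]


def demo():
    # Constructed client address and port; the resolver is the one from the dig command.
    src, dst = "192.0.2.10", "208.67.222.222"
    original = build_udp(src, dst, 40000, 53, build_dns_query("example.com."))
    # The report does not say what value the parser writes; 0 is an assumption.
    tampered = rewrite_arcount_without_checksum(original, 0)
    # What a correct in-path modification looks like: rewrite, then recompute the checksum.
    repaired = build_udp(src, dst, 40000, 53, tampered[8:])
    return (udp_checksum_ok(src, dst, original),
            udp_checksum_ok(src, dst, tampered),
            udp_checksum_ok(src, dst, repaired))


if __name__ == "__main__":
    ok, tampered_ok, repaired_ok = demo()
    print("original passes:", ok, "| tampered passes:", tampered_ok,
          "| repaired passes:", repaired_ok)
```

The point the script makes is that the drop happens in the receiving host's UDP stack, not in the DNS server's parser: a one-word change to ARCOUNT necessarily changes the one's-complement sum, so any in-path device that edits the DNS header must recompute the UDP checksum (or clear it to zero, which IPv4 permits) before forwarding.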