DNS replies causing over 10000 conns

c0ldshadow
Level 1

I have an ASA 5505 guarding a single web server. It is running DNS. Ports 80 TCP and 53 UDP/TCP are opened.

The problem is that every once in a while my server sends out a large number of DNS replies, causing it to go over the 10000 conn limit (replies to initial requests from DNS servers).

I tried doing:

policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 768
  id-randomization
  id-mismatch count 10 duration 2 action log

This is blocking some of the replies that are over 768 bytes. I noticed some replies are up to 1200 bytes even.

Any idea how I can solve this problem? My goal is to prevent the device from going over 10000 conns but not interfere with legitimate traffic...

Thanks a ton!

-c0ld

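Before raising or lowering message-length maximum, it helps to know how large the replies the inspection policy is actually dropping are. The script below is an added example (not part of the original post or of any Cisco tooling) that tallies the ASA's DNS-reply drop messages and reports the largest dropped reply and how many drops went to each destination. It assumes the drop is logged as ASA syslog message 410001 with the text shape shown in the constructed sample lines; check the wording against your own ASA's logs before relying on the regex.

```python
import re
from collections import Counter

# Constructed sample syslog lines. The 410001 wording is an assumption about the
# ASA's "Dropped UDP DNS reply" message; the 302015 line is filler that must be ignored.
SAMPLE_LOG = """\
%ASA-4-410001: Dropped UDP DNS reply from inside:192.0.2.5/53 to outside:198.51.100.7/40211; packet length 1200 bytes exceeds configured limit of 768 bytes
%ASA-4-410001: Dropped UDP DNS reply from inside:192.0.2.5/53 to outside:198.51.100.7/40212; packet length 834 bytes exceeds configured limit of 768 bytes
%ASA-6-302015: Built outbound UDP connection 10424 for outside:198.51.100.7/40213 (198.51.100.7/40213) to inside:192.0.2.5/53 (192.0.2.5/53)
%ASA-4-410001: Dropped UDP DNS reply from inside:192.0.2.5/53 to outside:203.0.113.22/53111; packet length 1012 bytes exceeds configured limit of 768 bytes
"""

# Fields of the assumed 410001 format: interfaces, addresses, ports, packet length, configured limit.
DROP_RE = re.compile(
    r"%ASA-\d-410001: Dropped UDP DNS reply from (?P<src_if>[\w-]+):(?P<src>[\d.]+)/(?P<sport>\d+) "
    r"to (?P<dst_if>[\w-]+):(?P<dst>[\d.]+)/(?P<dport>\d+); "
    r"packet length (?P<length>\d+) bytes exceeds configured limit of (?P<limit>\d+) bytes"
)

ASA_MIN_MESSAGE_LENGTH = 512  # lowest value the OP's policy could sensibly use; assumption for clamping


def parse_drops(log_text):
    """Return one dict per 410001 line found in log_text; every other message is skipped."""
    drops = []
    for line in log_text.splitlines():
        m = DROP_RE.search(line)
        if not m:
            continue
        d = m.groupdict()
        d["length"] = int(d["length"])
        d["limit"] = int(d["limit"])
        drops.append(d)
    return drops


def summarize(drops):
    """Largest dropped reply, drops per destination, and the smallest message-length
    maximum (rounded up to a 64-byte step, never below 512) that would have passed
    every reply seen. Returns suggested_max=None when there were no drops."""
    if not drops:
        return {"max_len": 0, "per_dst": {}, "suggested_max": None}
    max_len = max(d["length"] for d in drops)
    per_dst = Counter(d["dst"] for d in drops)
    suggested = max(ASA_MIN_MESSAGE_LENGTH, ((max_len + 63) // 64) * 64)
    return {"max_len": max_len, "per_dst": dict(per_dst), "suggested_max": suggested}


def would_drop(reply_len, configured_max):
    """True if a reply of reply_len bytes exceeds the inspection limit configured_max."""
    return reply_len > configured_max


if __name__ == "__main__":
    report = summarize(parse_drops(SAMPLE_LOG))
    print("largest dropped reply:", report["max_len"], "bytes")
    print("drops per destination:", report["per_dst"])
    print("message-length maximum that would pass them all:", report["suggested_max"])
```

Run it against a real syslog export (replace SAMPLE_LOG with the file contents) to see what ceiling the legitimate replies need; with replies up to 1200 bytes as reported above, 768 is clearly too low. The per-destination tally is the more useful number for the original question: a burst of large replies to a handful of external addresses is worth a closer look, since it is the traffic pattern of DNS reflection rather than of ordinary resolver queries, and raising the message-length ceiling alone will not keep the connection count under 10000.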
2 Replies

mchin345
Level 6

You need to do cl xlate to resolve it.

If you are still getting the issue, then make sure whether you may be hitting the DNS idle time bug. If you are hitting this bug, then upgrade it.

Do you mean for this DNS server to be a public DNS server? Not sure what DNS server you're using, but if it's Windows there is no way to block who can use it as a caching DNS server. BIND can, though.

You may want to look at an alternative DNS solution for internet users to resolve your public-facing hosts (e.g. everydns.net), and then keep your internal DNS server just for local users - that way you can close TCP/UDP 53.
