I have an ASA 5505 guarding a single web server. It is running DNS. Ports 80/tcp and 53/udp+tcp are open.
The problem is that every once in a while my server sends out a large amount of DNS replies, causing it to go over the 10000 conn limit (replies to initial requests from DNS servers).
I tried doing:
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 768
  id-mismatch count 10 duration 2 action log
This is blocking some of the replies that are over 768 bytes. I noticed some replies are even up to 1200 bytes.
Any idea how I can solve this problem? My goal is to prevent the device from going over 10000 conns but not interfere with legitimate traffic...
Thanks a ton!
You need to do clear xlate to resolve it.
If you are still getting the issue, then make sure you are not hitting the DNS idle time bug. If you are hitting this bug, then upgrade.
Do you mean for this DNS server to be a public DNS server? Not sure what DNS server you're using, but if it's Windows there is no way to block who can use it as a caching DNS server. BIND can, though.
You may want to look at an alternative DNS solution for Internet users to resolve your public-facing hosts (e.g. everydns.net), and then keep your internal DNS server just for local users; that way you can close TCP/UDP 53.
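The BIND restriction mentioned above, as an added example that is not part of this thread: a named.conf fragment for a server that stays authoritative for its public zone but only recurses for internal clients (the ACL address range, zone name and file paths are assumptions).

```conf
// Added example, not from this thread: a BIND 9 named.conf fragment that keeps the
// server answering for the zones it hosts while refusing to act as an open resolver.
// 192.168.1.0/24 is an assumed internal subnet; replace it with your own.
acl "internal" {
    127.0.0.1;
    192.168.1.0/24;
};

options {
    directory "/var/named";
    // Authoritative answers for hosted zones stay available to everyone.
    allow-query { any; };
    // Recursive lookups and cached answers are served only to internal clients,
    // so outside hosts cannot use the box as a caching resolver.
    recursion yes;
    allow-recursion { internal; };
    allow-query-cache { internal; };
};

// Authoritative zone for the public web server (zone name and file are assumptions).
zone "example.com" {
    type master;
    file "example.com.zone";
};
```

After an rndc reload, a query from outside the ACL for a name the server does not host is refused rather than recursed, which is the behaviour to verify from an external address.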