cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

3411
Views
5
Helpful
2
Replies
Highlighted
Contributor

106007: Deny inbound UDP due to DNS Query

I'm bringing up a connection to a remote data center.  The data center is separated by an ASA5585x running software 9.3(1). Can access the remote servers just fine, but they can't communicate with our DNS server.  When they query, I see this in the ASA's logs:

 

[2015-01-02 14:56:58 GMT-08:00] (CONTEXT) 106007: Deny inbound UDP from 1.2.3.4/38583 to 5.6.7.8/53 due to DNS Query

 

1.2.3.4 is the IP of the server and 5.6.7.8 is the DNS server.  The traffic is permitted in the ACL, but when I run packet tracer, it shows denied.  I don't think this is an issue with DNS inspection, since other servers can talk to DNS just fine.  Manual says this:

 

Explanation    This is a connection-related message. This message is displayed if a UDP packet containing a DNS query or response is denied.

Recommended Action    If the inside port number is 53, the inside host probably is set up as a caching name server. Add an access-list command statement to permit traffic on UDP port 53 and a translation entry for the inside host. If the outside port number is 53, a DNS server was probably too slow to respond, and the query was answered by another server.

I don't understand why I'd need a translation entry.  The client and server are both on two different internal interfaces and NAT is not applicable. 

2 REPLIES 2
Highlighted
Contributor

I found the mention of DNS was a complete red herring.  The issue was that the two inside interfaces had the same security level.  "same-security-traffic permit inter-interface" was the quick fix, or I could have changed security levels to be different. 

Highlighted

Thank you for this.
1.5 hours lost on debugging ACL and NAT.
Content for Community-Ad