Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
429
Views
0
Helpful
1
Replies

ASA 8.4.3, does it check DNS source IP address??

aacole
Level 5
Level 5

‎10-30-2012 04:51 AM - edited ‎03-11-2019 05:16 PM

Does ASA 8.4.3 check the source IP address of  a DNS reply and drop it if the reply address is different to that in the query?

Customers DNS server does this due to a recent change, their server now has a virtual address, but replies are sent from its physcial address. This is temporary. Their PIX is happy with this.

Replace the PIX with the ASA, DNS fails, the only reason I can see is due to the way their internal DNS operates.

Labels:
0 Helpful
1 Reply 1

Marcin Latosiewicz
Cisco Employee
Cisco Employee

‎10-30-2012 05:36 AM

To be honest there's two levels to thing about this.

1) A reply from somewhere else SHOULD be treated as separete connection on L3/L4 level. So it will be allowed if security policy allows it.

2) On L7 we verify if reply packet is corresponding to a known request (based on ID AFAIR)

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card