Hi,
I have a network protected by a pair of ASA 5520, running 8.04.
I do pretty much default dns inspection:
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 1024
policy-map global_policy
class inspection_default
...
inspect dns preset_dns_map
The problem I have is the following: the ASA is silently dropping some malformed packets which is causing some dns queries to fail,because instead of falling back to TCP, they just timeout.
For instance:
with dns inspection turned on:
[blaise@fr-th-ax01 ~]# dig elysee.blog.lemonde.fr +trace
; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5_5.3 <<>> elysee.blog.lemonde.fr +trace
;; global options: printcmd
. 3600 IN NS i.root-servers.net.
. 3600 IN NS h.root-servers.net.
. 3600 IN NS g.root-servers.net.
. 3600 IN NS f.root-servers.net.
. 3600 IN NS e.root-servers.net.
. 3600 IN NS d.root-servers.net.
. 3600 IN NS c.root-servers.net.
. 3600 IN NS b.root-servers.net.
. 3600 IN NS a.root-servers.net.
. 3600 IN NS m.root-servers.net.
. 3600 IN NS l.root-servers.net.
. 3600 IN NS k.root-servers.net.
. 3600 IN NS j.root-servers.net.
;; Received 497 bytes from 172.16.1.20#53(172.16.1.20) in 1 ms
fr. 172800 IN NS d.nic.fr.
fr. 172800 IN NS e.ext.nic.fr.
fr. 172800 IN NS c.nic.fr.
fr. 172800 IN NS g.ext.nic.fr.
fr. 172800 IN NS d.ext.nic.fr.
fr. 172800 IN NS f.ext.nic.fr.
;; Received 408 bytes from 192.36.148.17#53(i.root-servers.net) in 9 ms
lemonde.fr. 172800 IN NS indom30.indomco.fr.
lemonde.fr. 172800 IN NS indom10.indomco.com.
lemonde.fr. 172800 IN NS indom80.indomco.hk.
lemonde.fr. 172800 IN NS indom130.indomco.org.
lemonde.fr. 172800 IN NS indom20.indomco.net.
;; Received 218 bytes from 194.0.9.1#53(d.nic.fr) in 2 ms
;; connection timed out; no servers could be reached
without dns inspect:
[blaise@fr-th-ax01 ~]# dig elysee.blog.lemonde.fr +trace
; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5_5.3 <<>> elysee.blog.lemonde.fr +trace
;; global options: printcmd
. 3600 IN NS l.root-servers.net.
. 3600 IN NS k.root-servers.net.
. 3600 IN NS j.root-servers.net.
. 3600 IN NS i.root-servers.net.
. 3600 IN NS h.root-servers.net.
. 3600 IN NS g.root-servers.net.
. 3600 IN NS f.root-servers.net.
. 3600 IN NS e.root-servers.net.
. 3600 IN NS d.root-servers.net.
. 3600 IN NS c.root-servers.net.
. 3600 IN NS b.root-servers.net.
. 3600 IN NS a.root-servers.net.
. 3600 IN NS m.root-servers.net.
;; Received 501 bytes from 172.16.1.20#53(172.16.1.20) in 1 ms
fr. 172800 IN NS c.nic.fr.
fr. 172800 IN NS d.ext.nic.fr.
fr. 172800 IN NS d.nic.fr.
fr. 172800 IN NS e.ext.nic.fr.
fr. 172800 IN NS f.ext.nic.fr.
fr. 172800 IN NS g.ext.nic.fr.
;; Received 408 bytes from 199.7.83.42#53(l.root-servers.net) in 4 ms
lemonde.fr. 172800 IN NS indom10.indomco.com.
lemonde.fr. 172800 IN NS indom20.indomco.net.
lemonde.fr. 172800 IN NS indom30.indomco.fr.
lemonde.fr. 172800 IN NS indom80.indomco.hk.
lemonde.fr. 172800 IN NS indom130.indomco.org.
;; Received 218 bytes from 192.134.0.129#53(c.nic.fr) in 1 ms
;; Warning: Message parser reports malformed message packet.
;; Truncated, retrying in TCP mode.
elysee.blog.lemonde.fr. 10800 IN CNAME blog.lemonde.fr.2-01-271d-000c.cdx.cedexis.net.
. 518400 IN NS a.root-servers.net.
. 518400 IN NS b.root-servers.net.
. 518400 IN NS c.root-servers.net.
. 518400 IN NS d.root-servers.net.
. 518400 IN NS e.root-servers.net.
. 518400 IN NS f.root-servers.net.
. 518400 IN NS g.root-servers.net.
. 518400 IN NS h.root-servers.net.
. 518400 IN NS i.root-servers.net.
. 518400 IN NS j.root-servers.net.
. 518400 IN NS k.root-servers.net.
. 518400 IN NS l.root-servers.net.
. 518400 IN NS m.root-servers.net.
;; Received 516 bytes from 217.174.200.97#53(indom10.indomco.com) in 5 ms
So is there a solution wher the ASA would send _something_ back as an answer instead of just silently dropping the packet, or am I stuck with either disabling dns inspection (maybe just for this domain) or trying to call lemonde.fr network admin to ask him/her to fix their dns server, which is not going to happen.
Thanks
Blaise
