07-22-2013 08:50 AM - edited 03-11-2019 07:15 PM
Hi all
I seem to have an issue with something on my ASA.
I'm getting logs showing the following:
4 | Jul 22 2013 | 16:48:32 | 410001 | x.x.x.x | 1026 | x.x.x.x | 53 | Dropped UDP DNS request from Test-link:x.x.x.x/1026 to Outside:x.x.x.x/53; label length 84 bytes exceeds protocol limit of 63 bytes |
Any ideas what this is and how I can solve it? I have checked my DNS inspection and the global limit is 1500 at the moment, so I don't know where to look.
Cheers
07-22-2013 09:21 AM
Hello,
Basically the DNS request contains a host name of which the label is longer than 63 characters. A "label" is any component between dots in a host name.
In the case of the ASA, the DNS enforcement reads the domain name one label at a time. According to RFC 1034, a label is zero to 63 octets in length.
So the ASA behavior is the expected one.
You cannot tune the DNS inspection to increase the label size, so if you are 100% sure this is valid traffic you could (NOT recommended) disable the DNS protocol enforcement, which will basically ignore what the RFC says (again, not recommended).
For Networking Posts check my blog at http://www.laguiadelnetworking.com/category/english/
Cheers,
Julio Carvajal Segura
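To make the explanation above concrete, here is a small added example (written for this thread; it is not code from the ASA, from Cisco, or from the poster). It builds a DNS query in wire format and then walks the question name one label at a time, exactly the way the reply describes the ASA inspection doing it: every label is prefixed by a length octet, and RFC 1034 caps that length at 63. A constructed query with an 84-character label is rejected with the same wording as the 410001 message, while a 63-character label passes. The packet layout and the two sample names are constructed for the demo.

```python
import struct

MAX_LABEL_OCTETS = 63   # RFC 1034 section 3.1: a label is 0..63 octets
MAX_NAME_OCTETS = 255   # RFC 1035 section 2.3.4: whole encoded name, length octets included


class DnsNameError(ValueError):
    """Raised when a question name violates the RFC limits."""


def encode_name(name: str) -> bytes:
    """Encode a dotted host name as a wire-format QNAME.

    This deliberately does NOT enforce the 63-octet limit, so we can build the
    same kind of over-length query the firewall dropped. A length octet with
    the top two bits set (0xC0 and above) means 'compression pointer', so a
    label that long cannot be expressed at all.
    """
    out = bytearray()
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if len(raw) >= 0xC0:
            raise DnsNameError("label too long to encode as a length octet")
        out.append(len(raw))   # one length octet ...
        out += raw             # ... followed by the label bytes
    out.append(0)              # root label terminates the name
    return bytes(out)


def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Constructed standard query: 12-byte header, QNAME, QTYPE, QCLASS=IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, QDCOUNT=1
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_qname(packet: bytes, offset: int = 12):
    """Walk the QNAME label by label, as a protocol-enforcing inspector would.

    Returns (labels, offset_after_name). Raises DnsNameError, with a message
    that mirrors the %ASA-4-410001 text, when a label exceeds 63 octets.
    """
    labels = []
    pos = offset
    total = 0
    while True:
        if pos >= len(packet):
            raise DnsNameError("truncated question name")
        length = packet[pos]
        pos += 1
        if length == 0:                      # root label: end of name
            break
        if length & 0xC0 == 0xC0:            # pointer; not valid in a query's QNAME
            raise DnsNameError("compression pointer in question name")
        if length > MAX_LABEL_OCTETS:
            raise DnsNameError(
                f"label length {length} bytes exceeds protocol limit of "
                f"{MAX_LABEL_OCTETS} bytes"
            )
        total += length + 1
        if total + 1 > MAX_NAME_OCTETS:      # +1 for the terminating root octet
            raise DnsNameError("name exceeds 255 octets")
        labels.append(packet[pos:pos + length].decode("ascii", errors="replace"))
        pos += length
    return labels, pos


def check_query(packet: bytes):
    """Return (True, decoded_name) for a compliant query, or (False, reason)."""
    try:
        labels, _ = parse_qname(packet)
    except DnsNameError as exc:
        return False, str(exc)
    return True, ".".join(labels)


if __name__ == "__main__":
    # Constructed samples: a normal name and one with an 84-character label,
    # the same label size reported in the log line from the original post.
    for host in ("www.example.com", "a" * 84 + ".example.com", "b" * 63 + ".example.com"):
        ok, detail = check_query(build_query(host))
        print("ACCEPT" if ok else "DROP  ", detail)
```

Running it prints the decoded name for the compliant queries and, for the 84-character label, the same "label length 84 bytes exceeds protocol limit of 63 bytes" reason the ASA logged. If you can capture the offending query on the Test-link interface, feeding the raw UDP payload to check_query shows you exactly which label is oversized, which is what you need to decide whether it is a misconfigured client or something worth escalating.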
07-22-2013 02:07 PM
How do I resolve this issue?
07-22-2013 02:49 PM
Hello Carl,
Well that depends:
-Do you want to get rid of those logs?
-Do you want to maintain the network as secure as possible?
Those are the questions you need to ask and the answers will be:
-Disable the protocol enforcement for the DNS protocol
-Keep the configuration the way it is and investigate the DNS query being created by the user on the TestLink interface; make sure it is a valid one and is not an attack
For Networking Posts check my blog at http://www.laguiadelnetworking.com/category/english/
Cheers,
Julio Carvajal Segura