ASA UDP Dns reply dropped

Kooopobol
Level 1

Hello,

According to the ASA logs, a lot of DNS packets (from root DNS servers) are dropped because they exceed the limit of 512 bytes (the size limit fixed in DNS inspection).

They seem to correspond to DNSSEC packets.

Which value should I use for the DNS packet size limit?

Some say 1024, others 4096...

Thanks

Accepted Solution

Hello Armand,

It would be more secure to work with 1024; you can give that one a try and check whether you keep getting DNS packets denied.

Here is one of the fixes released by Cisco regarding the DNSSEC packet size:

policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto

If EDNS is used, the above command will allow DNS replies up to the length specified in the OPT record.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

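To make concrete what the `auto` setting above keys on, here is an added example (not code from the thread, from Cisco, or from the ASA): a simplified Python model of a DNS-inspection message-length check. The "auto" limit it applies is the UDP payload size carried in the CLASS field of the EDNS(0) OPT pseudo-record (RFC 6891), which is how a DNSSEC-capable resolver signals that it accepts replies larger than the classic 512-byte RFC 1035 limit; without an OPT record the model falls back to 512. The model reads the OPT record from whatever message it is handed and does not attempt to reproduce ASA internals (which side's OPT record the ASA consults, or how `auto` combines with a fixed server-side limit). The DNS messages are constructed inline, and the RRSIG record is filler bytes of the right size rather than a real signature.

```python
"""
Simplified model of a firewall's DNS-inspection "message-length maximum" check
(added example, not Cisco code). "auto" keys on the UDP payload size carried in
the CLASS field of an EDNS(0) OPT pseudo-RR (RFC 6891); without EDNS the classic
512-byte RFC 1035 limit applies.
"""
import struct

CLASSIC_MAX = 512      # RFC 1035 UDP limit without EDNS
TYPE_A = 1
TYPE_OPT = 41
TYPE_RRSIG = 46
CLASS_IN = 1


def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def skip_name(msg, off):
    """Return the offset just past the (possibly compressed) name starting at off."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:        # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length


def edns_payload_size(msg):
    """UDP payload size advertised by the OPT record in the additional section, or None."""
    qdcount, ancount, nscount, arcount = struct.unpack("!4H", msg[4:12])
    off = 12
    for _ in range(qdcount):
        off = skip_name(msg, off) + 4          # QTYPE + QCLASS
    for in_additional, count in ((False, ancount), (False, nscount), (True, arcount)):
        for _ in range(count):
            off = skip_name(msg, off)
            rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            if in_additional and rtype == TYPE_OPT:
                return rclass                  # OPT reuses CLASS for the payload size
            off += rdlen
    return None


def inspect_reply(msg, max_length):
    """
    max_length: an int (fixed "message-length maximum N") or "auto".
    Returns (allowed, limit_applied). With "auto", the limit is the OPT payload
    size if the message carries one (values below 512 count as 512, per RFC 6891),
    otherwise the classic 512.
    """
    if max_length == "auto":
        advertised = edns_payload_size(msg)
        limit = CLASSIC_MAX if advertised is None else max(advertised, CLASSIC_MAX)
    else:
        limit = max_length
    return len(msg) <= limit, limit


def build_response(qname, rrsig_len=0, edns_size=None):
    """Constructed A response: optional RRSIG filler (to mimic a DNSSEC reply) and OPT record."""
    ancount = 1 + (1 if rrsig_len else 0)
    arcount = 1 if edns_size is not None else 0
    msg = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, ancount, 0, arcount)   # ID, QR|RD|RA, counts
    msg += encode_name(qname) + struct.pack("!HH", TYPE_A, CLASS_IN)
    ptr = b"\xc0\x0c"                                                      # pointer to QNAME
    msg += ptr + struct.pack("!HHIH", TYPE_A, CLASS_IN, 300, 4) + bytes([192, 0, 2, 1])
    if rrsig_len:
        # Not a real signature: fixed bytes standing in for RRSIG RDATA to push the size over 512.
        msg += ptr + struct.pack("!HHIH", TYPE_RRSIG, CLASS_IN, 300, rrsig_len) + b"\xab" * rrsig_len
    if edns_size is not None:
        # OPT pseudo-RR: root name, TYPE 41, CLASS = payload size, TTL = ext-RCODE/version/flags (DO set).
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, edns_size, 0x00008000, 0)
    return msg


if __name__ == "__main__":
    cases = {
        "plain A reply, no EDNS": build_response("example.com."),
        "DNSSEC-sized reply, no OPT": build_response("example.com.", rrsig_len=600),
        "DNSSEC-sized reply, OPT 4096": build_response("example.com.", rrsig_len=600, edns_size=4096),
    }
    for label, reply in cases.items():
        for setting in (512, 1024, "auto"):
            allowed, limit = inspect_reply(reply, setting)
            verdict = "allow" if allowed else "DROP"
            print(f"{label:30} len={len(reply):4} max={setting!s:5} -> {verdict} (limit {limit})")
```

Running it shows the three outcomes the thread is about: a 657-byte DNSSEC-sized reply with no OPT record is dropped at 512 and also under `auto` (nothing advertises a larger size), the same reply with an OPT record advertising 4096 passes under `auto` or a fixed 1024 but still fails at 512, and a small plain reply passes everywhere. If drops continue after changing `preset_dns_map`, one thing worth confirming on the ASA is that this map is the one the active service policy actually references (`show running-config policy-map` and `show service-policy inspect dns` show which DNS inspection map is in use).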

3 Replies

Kooopobol
Level 1

Any idea?

Thanks

I tried this:

policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto

But nothing has changed... I still have dropped UDP DNS replies.

Any idea?
