4756 Views, 9 Helpful, 2 Replies

ASA5510 Dropping DNS Due to Label Length

Hi,

I have an issue with an ASA 5510 transparent firewall that appears to be causing issues with DNS. We have a number of sites attached to this, but there is only one site with the issue.

DNS queries are getting dropped with the following:

4 Mar 02 2016 12:28:08 410001 kumak1_103.131 2695 208.91.112.198 53 Dropped UDP DNS request from INSIDE:kumak1_103.131/2695 to OUTSIDE:208.91.112.198/53; label length 84 bytes exceeds protocol limit of 63 bytes

I have tried all sorts of things with the service policy to try and resolve but nothing makes any difference.

There is a default policy applied, which inspects DNS, but I don't have any other policy relating to the site or any other sites. It's really weird.

Any suggestions appreciated.

Brad

Accepted Solution

Aditya Ganjoo
Cisco Employee

Hi Brad,

The syslog message that you are seeing ("%ASA-4-410001: Dropped UDP DNS request ... label length 84 bytes exceeds protocol limit of 63 bytes") is generated by the DNS inspection engine on the ASA by virtue of its protocol enforcement check.
Even though this confirms that the ASA drops it, this is expected, and the ASA is doing its job here of enforcing RFC checks on DNS.

If you refer to RFC 1035 - DOMAIN NAMES - IMPLEMENTATION AND SPECIFICATION (Ref URL: https://tools.ietf.org/html/rfc1035), section 2.3.4, it clearly specifies that the label length field should not exceed 63 bytes.
But the host kumak1_103.131 is sending an 84-byte label, which is a violation of the RFC.

Reference Text:

2.3.4. Size limits (https://tools.ietf.org/html/rfc1035#section-2.3.4)

Various objects and parameters in the DNS have size limits. They are listed below. Some could be easily changed, others are more fundamental.

labels          63 octets or less    <<<<<<<<<<<<<<<<<<<< The limit for label length is defined here
names           255 octets or less
TTL             positive values of a signed 32 bit number.
UDP messages    512 octets or less

If you want to ignore this violation and give an exception to this host, you can configure an ACL that excludes this host.

Here's the config snippet:

****************************
access-list inspectdns extended deny udp host kumak1_103.131 any eq 53
access-list inspectdns extended deny udp any eq 53 host kumak1_103.131
access-list inspectdns extended permit udp any any eq 53
access-list inspectdns extended permit udp any eq 53 any

class-map dns-class
 match access-list inspectdns

policy-map global_policy
 class inspection_default
  no inspect dns preset_dns_map
 class dns-class
  inspect dns preset_dns_map
******************************

Note: You will need to do this on this firewall and on any other upstream ASA firewall in the path that has DNS inspection enabled (which it is by default).


Impact of the above change:

********************

A. You will need to clear existing DNS connections for the settings to take effect immediately; otherwise they will apply only to new connections.

B. DNS doctoring, or rewriting of "A" record replies that go to this host (kumak1_103.131), will not happen.

Regards,

Aditya

Please rate helpful posts.

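To see concretely what the ASA's protocol enforcement check is objecting to, the following added example (not part of the forum post and not a Cisco tool) builds a DNS query from a list of labels, writing the raw length byte so an oversized label can be produced, and then walks the question name applying the RFC 1035 section 2.3.4 size limits quoted above. The packets are constructed here; the label length of 84 is taken from the syslog in the question. The ASA's internal parsing logic is not published, so this reproduces the checks named in the message rather than the device's exact code.

```python
"""RFC 1035 2.3.4 size-limit check for the question name of a DNS query.

Added example, not part of the forum thread or of any Cisco software.
build_query() deliberately emits whatever length byte it is given so that
an out-of-spec label (such as the 84-byte one in the syslog) can be built.
"""
import struct

MAX_LABEL = 63    # RFC 1035 2.3.4: labels 63 octets or less
MAX_NAME = 255    # RFC 1035 2.3.4: names 255 octets or less
MAX_UDP = 512     # RFC 1035 2.3.4: UDP messages 512 octets or less (pre-EDNS0)
HEADER_LEN = 12   # fixed DNS header: ID, flags, QD/AN/NS/ARCOUNT


def build_query(labels, qid=0x1234, qtype=1):
    """Return a minimal DNS query with one question (QCLASS IN) for the given labels.

    Constructed test data: the length byte is len(label), with no clamping,
    so labels longer than 63 octets produce an RFC-violating wire name.
    """
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels)
    qname += b"\x00"                                           # root label terminator
    return header + qname + struct.pack("!HH", qtype, 1)      # QTYPE, QCLASS=IN


def check_question_name(packet):
    """Walk the first question's QNAME and return a list of violation strings.

    An empty list means the message passes the size checks. The wording of
    the label-length violation mirrors the %ASA-4-410001 syslog text.
    """
    violations = []
    if len(packet) > MAX_UDP:
        violations.append(
            f"UDP message {len(packet)} bytes exceeds protocol limit of {MAX_UDP} bytes")
    if len(packet) < HEADER_LEN:
        return violations + ["truncated DNS header"]
    qdcount = struct.unpack("!H", packet[4:6])[0]
    if qdcount == 0:
        return violations + ["no question section"]

    pos = HEADER_LEN
    name_len = 0  # counts length octets, label data and the terminating zero
    while True:
        if pos >= len(packet):
            violations.append("QNAME runs past end of message")
            break
        length = packet[pos]
        if length == 0:
            name_len += 1          # root label counts toward the 255-octet limit
            break
        if length & 0xC0 == 0xC0:
            # Compression pointers are legal in answers but not expected in a
            # question name; report rather than follow it.
            violations.append("compression pointer in question name")
            break
        if length > MAX_LABEL:
            # Bytes 64..191 are not valid lengths at all (the top two bits are
            # reserved label types); the ASA message still reports the byte as a
            # length, and so does this check.
            violations.append(
                f"label length {length} bytes exceeds protocol limit of {MAX_LABEL} bytes")
        name_len += 1 + length
        pos += 1 + length

    if name_len > MAX_NAME:
        violations.append(
            f"name length {name_len} bytes exceeds protocol limit of {MAX_NAME} bytes")
    return violations


if __name__ == "__main__":
    for labels in (["www", "example", "com"], ["a" * 84, "example", "com"]):
        print(".".join(labels)[:40], "->", check_question_name(build_query(labels)) or "OK")
```

The second query above is the shape of traffic the ASA is dropping: a single 84-octet label is an RFC 1035 violation regardless of the total name length, and the inspection engine rejects it before any name-length or message-size check matters. The bytes returned by build_query() can also be sent over UDP/53 through the firewall after applying the exception ACL to confirm that the 410001 drop no longer fires for the exempted host.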

2 Replies


Yes, perfect. Thanks.
