03-01-2016 03:32 PM - edited 03-12-2019 12:25 AM
Hi,
I have an issue with an ASA 5510 Transparent firewall that appears to be causing issues with DNS. We have a number of sites attached to this, but there is only one site with the issue.
DNS queries are getting dropped with the following:
4 Mar 02 2016 12:28:08 410001 kumak1_103.131 2695 208.91.112.198 53 Dropped UDP DNS request from INSIDE:kumak1_103.131/2695 to OUTSIDE:208.91.112.198/53; label length 84 bytes exceeds protocol limit of 63 bytes
I have tried all sorts of things with the service policy to try and resolve but nothing makes any difference.
There is a default policy applied, which inspects DNS, but I don't have any other policy relating to the site or any other sites. It's really weird.
Any suggestions appreciated.
Brad
03-01-2016 05:31 PM
Hi Brad,
The
Even though this confirms that ASA drops it, this is expected and ASA is doing its job here of enforcing RFC checks on DNS.
If you refer RFC 1035 - DOMAIN NAMES - IMPLEMENTATION AND SPECIFICATION (Ref URL: https://tools.ietf.org/html/rfc1035), and within this RFC, if you
But the host kumak1_103.131 is sending a label length of 84 bytes, which is a violation of the RFC.
Reference Text:
2.3.4. Size limits (https://tools.ietf.org/html/rfc1035#section-2.3.4)
Various objects and parameters in the DNS have size limits. They are listed below. Some could be easily changed, others are more fundamental.
labels 63 octets or less <<< The limit for label length is defined here
names 255 octets or less
TTL positive values of a signed
UDP messages 512 octets or less
If you want to ignore this violation and give an exception to this host, you can configure an
Here's the config snippet:
****************************
access-list
access-list inspectdns extended deny udp any eq 53 host kumak1_103.131
access-list inspectdns extended permit udp any any eq 53
access-list inspectdns extended permit udp any eq 53 any
class-map dns-class
match access-list inspectdns
policy-map global_policy
class inspection_default
no inspect dns preset_dns_map
class dns-class
inspect dns preset_dns_map
******************************
Note: You will need to do this on this firewall and any other upstream ASA firewall in the path that has DNS inspection enabled (which is by default enabled).
Impact of above change:
********************
A. You will need to clear existing DNS connections for settings to take effect immediately, else this will apply to new connections.
B. DNS doctoring or rewrite of "A" record replies that go to this host (kumak1_103.131) will not happen.
Regards,
Aditya
Please rate helpful posts.
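As an added illustration (not part of Aditya's answer or any Cisco code), the Python below applies the same RFC 1035 size limits to a raw DNS query that ASA DNS inspection enforces, using a constructed query carrying an 84-byte label like the one in Brad's syslog message. The function names and the sample query are my own assumptions.

```python
import struct

MAX_LABEL = 63   # RFC 1035 section 2.3.4: labels are 63 octets or less
MAX_NAME = 255   # RFC 1035 section 2.3.4: names are 255 octets or less


def build_query(qname_labels, txid=0x1234, qtype=1, qclass=1):
    """Build a raw DNS query (constructed test input, not a real capture).
    qname_labels is a list of label byte strings, e.g. [b"www", b"example", b"com"]."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    name = b"".join(bytes([len(lbl)]) + lbl for lbl in qname_labels) + b"\x00"
    return header + name + struct.pack(">HH", qtype, qclass)


def check_qname(msg):
    """Walk the QNAME of the first question and return (ok, reason).
    Mirrors the RFC 1035 size checks behind the ASA drop message."""
    if len(msg) < 12:
        return False, "message shorter than DNS header"
    qdcount = struct.unpack(">H", msg[4:6])[0]
    if qdcount == 0:
        return False, "no question section"
    pos = 12
    name_len = 0
    while True:
        if pos >= len(msg):
            return False, "truncated QNAME"
        length = msg[pos]
        if length == 0:
            break  # root label terminates the name
        if length & 0xC0 == 0xC0:
            # 11xxxxxx is a compression pointer; not valid in a query name
            return False, "compression pointer in question name"
        if length > MAX_LABEL:
            # covers 64..191 as well, which RFC 1035 reserves for future use
            return False, (f"label length {length} bytes exceeds "
                           f"protocol limit of {MAX_LABEL} bytes")
        name_len += 1 + length
        pos += 1 + length
    name_len += 1  # count the terminating zero octet
    if name_len > MAX_NAME:
        return False, f"name length {name_len} bytes exceeds limit of {MAX_NAME} bytes"
    return True, "ok"


if __name__ == "__main__":
    print(check_qname(build_query([b"www", b"example", b"com"])))
    print(check_qname(build_query([b"a" * 84, b"example", b"com"])))
```

The second call reproduces the condition in the syslog (an 84-byte first label), so a packet capture of the dropped query can be fed through the same check to confirm which label the client is sending.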
03-03-2016 02:29 PM
Yes, perfect. Thanks.