Blocking inbound ICMP type 3 to DNS server

AHEC IT · ‎06-23-2011

Hi folks,

using ASA5520, I work for a Higher Ed campus. We have a public / guest wireless network for students to have access to internet only. I am currenlty blocking all ICMP from that network to my private network and receiving alot of deny hits for ICMP type3 (destination unreachable) inbound to my DNS server.

I'm not aware of any end user issues at this time, but i'm wondering what the impact may be of blocked this and any reasons to go ahead and open ICMP type 3 to my DNS server.

thanks in advance for your expertise.

Greg

Maykol Rojas · ‎06-23-2011

Hi,

When you have a DNS server, normally, it queries to itself to see if he has the name for an specific site that someone is requesting. If he does not have it, then he will eventually querie to an authoritative server on the internet to get the name resolution of the requested site.

If by any chance, your authoritative server is not responding on the internet or it is not reachable, your internal server will try to find more servers in order to get an answer.

For every server that is not reachable on the internet, the Routers there, will send you an ICMP message saying, hey I could not get to that guy, so you can stop trying that server and begin asking others.

This is normal behavior on an IP based Network, and there is nothing to be worrie about, just check the ICMP messages to check who was the host that was not reachable and check if it is a valid DNS server.

Hope this helps.

Mike

AHEC IT · ‎06-23-2011

Thank you