Cisco ASA defaults for DNS inspection

MohammadKayed
Level 1

Hello,

I have a question regarding DNS inspection on the ASA.

Would it make a difference running the DNS inspection without preset_dns_map?

I newly migrated my ASA from 9.4 to 9.8.4.34, and in the configuration I can see the below:

policy-map global_policy
 class inspection_default
  inspect dns

I don't see the below in my configuration at all:

policy-map type inspect dns preset_dns_map

I don't have any special parameters in use.

So the question: do I need to copy the configuration from another ASA to have the below parameters, or is it enabled by default with the DNS inspection, and the purpose of preset_dns_map is to customize it if needed?

  • The maximum DNS message length is 512 bytes.
  • DNS over TCP inspection is disabled.
  • The maximum client DNS message length is automatically set to match the Resource Record.
  • DNS Guard is enabled, so the ASA tears down the DNS session associated with a DNS query as soon as the DNS reply is forwarded by the ASA. The ASA also monitors the message exchange to ensure that the ID of the DNS reply matches the ID of the DNS query.
  • Translation of the DNS record based on the NAT configuration is enabled.
  • Protocol enforcement is enabled, which enables DNS message format check, including domain name length of no more than 255 characters, label length of 63 characters, compression, and looped pointer check.
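The six defaults listed in the post, written out as an explicit DNS inspection map. This is an added example, not configuration from the original post, from the poster's ASA, or from Cisco's release notes: it uses the standard ASA 9.x `policy-map type inspect dns` parameter keywords so that the settings actually in force are visible in `show running-config` and can be compared line by line between the two HA members. The `!` lines are annotations to be dropped before pasting, and the two `show` commands at the end are the checks, not configuration.

```cisco
! Added example: the DNS inspection defaults spelled out explicitly.
policy-map type inspect dns preset_dns_map
 parameters
  ! Maximum DNS message length: 512 bytes.
  message-length maximum 512
  ! Maximum client message length follows the Resource Record (auto).
  message-length maximum client auto
  ! DNS Guard: tear the session down once the reply is forwarded and
  ! require the reply's transaction ID to match the query's.
  dns-guard
  ! Rewrite addresses in DNS records according to the NAT configuration.
  nat-rewrite
  ! Message format checks: name <= 255 chars, label <= 63 chars,
  ! compression and looped-pointer checks.
  protocol-enforcement
  ! DNS over TCP inspection is off by default; to enable it add:
  !  tcp-inspection
!
! Attach the map by name so the running-config shows which map is applied.
policy-map global_policy
 class inspection_default
  no inspect dns
  inspect dns preset_dns_map
!
! Checks (exec mode):
!  show running-config policy-map      - confirm the map and its parameters
!  show service-policy inspect dns     - per-interface DNS inspection counters
```

Because the parameters above are the documented defaults, a unit running a bare `inspect dns` and a unit running `inspect dns preset_dns_map` with this map should behave the same; the value of the explicit form is that a later change (for example turning on `tcp-inspection`, which makes the ASA track TCP DNS sessions as well) is recorded in the configuration and replicated to the standby, rather than living only in someone's memory of what the defaults were.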

4 Replies

balaji.bandi
Hall of Fame

Is this HA or standalone? If this was there before, adding the command is not going to harm.

Before adding it, do you see any issue with DNS?

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

It's an HA active/standby.

I don't have a show tech nor a show run from the old version.

The purpose I am looking into it: my device memory is reaching 90+ (on both units, including the standby), although the device is not oversubscribed (ACL count, conn count, all lower than the limit). I have a lot of traffic being inspected by DNS when I run show service-policy. It might be the reason, but I am not sure, as the CPU is normal (below 20%).

I know it might be a bug or a memory leak issue, but I would like to understand DNS inspection better.

Is it necessary to add preset_dns_map to the DNS inspection although I don't have any custom parameters?

Here are the release notes; some memory leak bugs are fixed. There is also a DNS one (CSCvg09778) - check this, it may be relevant (but we need more information).

 

https://www.cisco.com/c/en/us/td/docs/security/asa/asa98/release/notes/asarn98.html

 

My device memory is reaching 90+ (on both units, including the standby), although the device is not oversubscribed (ACL count, conn count, all lower than the limit). I have a lot of traffic being inspected by DNS when I run show service-policy. It might be the reason, but I am not sure, as the CPU is normal (below 20%).

This needs more information for us to confirm what process is taking high CPU.

#show processes cpu-usage sorted non-zero - identify the process taking up most of the CPU
#show interface - check for input or output errors
#show traffic - check interfaces with unusually high traffic

 

 

BB


Thank you for the reply.

 

I have checked the bug; it seems already fixed in 9.8.3.

#show processes cpu-usage sorted non-zero --> DATAPATH (multiple processes, each consuming 1.0-2%)

CPU usage currently is around 22%.

#show interface --> I don't see any overrun or underrun on a physical interface.

I do see the below:

1) Internal Data0/0 --> 134721 overruns from 116432711000 input packets (1e-4%, a very small value); no underrun

2) Internal Data0/1 --> 5e-4% overrun; no underrun

3) Internal Data0/2 --> 3e-5% overrun; no underrun

4) Internal Data0/3 --> 1.3e-4% overrun; 2e-4% underrun

5) Internal Data0/4 - 0/7 don't have any overrun or underrun

#show traffic --> As the issue is with the memory, is it worth looking at it?

All interfaces seem fine except the below:

g0/4, failover link (which should be OK, as it is the replication from the active to the standby) - data collected from the active unit

---> received packets: 11476850
---> transmitted packets: 24740454127

---------

Extra info:

Active current memory: 85% ---> 65% global shared pool
CPU --> around 22%

Standby unit (memory of the standby unit is higher): 90% ---> global shared; 4% CPU
