05-06-2015 07:59 AM - edited 03-11-2019 10:53 PM
Hi Everyone,
As per Cisco our ASA has this vulnerability.
Workaround is
For the Cisco ASA DNS Memory Exhaustion Vulnerability, reducing the retries setting to 0 under the DNS server-group provides a workaround for this issue.
The following example shows how to set the retries setting to 0 for the default DNS server-group (DefaultDNS):
ciscoasa(config)# dns server-group DefaultDNS
ciscoasa(config-dns-server-group)# retries 0
Need to confirm: if I configure the command retries 0, will it cause any DNS outage for the users?
Regards
Mahesh
05-06-2015 08:14 AM
Hi,
This value defines the number of times to retry the list of DNS servers when the ASA does not receive a response. Are you using the ASA DNS functionality? It is mostly used in case of VPN or FQDN objects, etc.
This will not cause any issues for the users, as they are not going to be querying the ASA for DNS requests.
Thanks and Regards,
Vibhor Amrodia
05-06-2015 08:17 AM
Hi Vibhor,
How can I check if I am using the ASA for DNS functionality?
Regards
Mahesh
05-06-2015 08:34 AM
Hi,
Check this for reference and verify if you are using any of the features that are using the DNS servers. Also, if you change this setting, this will not affect any of these features as long as the DNS server is responding.
http://www.cisco.com/c/en/us/td/docs/security/asa/asa90/configuration/guide/asa_90_cli_config/basic_hostname_pw.html#pgfId-1080248
Thanks and Regards,
Vibhor Amrodia
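To make the two checks in this thread concrete (is the ASA actually using its DNS server-groups, and is every server-group already at retries 0), here is an added example that is not part of the original post or of any Cisco tool. It parses the text of a running-config as you would paste it from show running-config, reports the DNS-dependent features it finds (dns domain-lookup and fqdn network objects; other DNS consumers such as certificate revocation checks are not covered), and produces the hardened text with retries 0 in each server-group. The sample config is constructed for the example; the parser assumes the documented ASA default of 2 retries when a server-group has no explicit retries line. It only audits text; the change itself still has to be applied on the ASA CLI as shown in the thread.

```python
import re

# Constructed sample ASA running-config for the example (not from the original post).
SAMPLE_CONFIG = """\
hostname ciscoasa
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 10.1.1.53
 name-server 10.1.1.54
 retries 2
 timeout 2
dns server-group CORP
 name-server 10.2.2.53
object network www-server
 fqdn v4 www.example.com
"""

DEFAULT_RETRIES = 2  # assumption: ASA's documented default when 'retries' is not configured

GROUP_RE = re.compile(r"^dns server-group (\S+)\s*$", re.IGNORECASE)


def audit_dns_config(config: str) -> dict:
    """Summarise DNS server-groups and the config features that depend on them."""
    groups = {}
    current = None          # name of the server-group whose sub-commands we are inside
    domain_lookup = []      # interfaces with 'dns domain-lookup'
    fqdn_objects = []       # hostnames from 'fqdn' lines under network objects
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        m = GROUP_RE.match(line)
        if m:
            current = m.group(1)
            groups[current] = {"name_servers": [], "retries": DEFAULT_RETRIES,
                               "explicit_retries": False}
            continue
        parts = line.split()
        if line[0] in " \t":                      # indented sub-command
            if current is not None:
                if parts[0] == "name-server" and len(parts) > 1:
                    groups[current]["name_servers"].append(parts[1])
                elif parts[0] == "retries" and len(parts) > 1:
                    groups[current]["retries"] = int(parts[1])
                    groups[current]["explicit_retries"] = True
            elif parts[0] == "fqdn":
                fqdn_objects.append(parts[-1])
            continue
        current = None                            # any top-level command ends the group block
        if parts[:2] == ["dns", "domain-lookup"] and len(parts) > 2:
            domain_lookup.append(parts[2])
    needing_workaround = sorted(g for g, v in groups.items() if v["retries"] > 0)
    return {
        "groups": groups,
        "domain_lookup": domain_lookup,
        "fqdn_objects": fqdn_objects,
        "uses_dns": bool(domain_lookup) or bool(fqdn_objects),
        "groups_needing_workaround": needing_workaround,
    }


def apply_retries_zero(config: str) -> str:
    """Return the config text with 'retries 0' in every dns server-group (the advisory workaround)."""
    out = []
    in_group = False
    wrote = False  # whether the current group already got its 'retries 0' line
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line:
            out.append(line)
            continue
        if GROUP_RE.match(line):
            if in_group and not wrote:            # previous group had no retries line
                out.append(" retries 0")
            in_group, wrote = True, False
            out.append(line)
            continue
        if in_group and line[0] in " \t":
            if line.split()[0] == "retries":
                out.append(" retries 0")          # overwrite whatever value was set
                wrote = True
            else:
                out.append(line)
            continue
        if in_group and not wrote:                # group ended without an explicit retries line
            out.append(" retries 0")
        in_group = False
        out.append(line)
    if in_group and not wrote:
        out.append(" retries 0")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    report = audit_dns_config(SAMPLE_CONFIG)
    print("ASA uses DNS:", report["uses_dns"], "| groups still retrying:", report["groups_needing_workaround"])
    print(apply_retries_zero(SAMPLE_CONFIG))
```

Run it against the output of show running-config on your own box; a server-group that appears in groups_needing_workaround still needs the retries 0 change, and an empty domain_lookup plus no fqdn objects is a quick sign that the change is unlikely to touch any user-visible feature.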
05-06-2015 09:15 AM
Many thanks Vibhor.
Regards
Mahesh