04-16-2010 08:29 AM - edited 03-11-2019 10:33 AM
So by default all Cisco PIX / ASA configs have something along these lines...
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1 <-- DNS inspection
...
So after May 5th, when DNSSEC is enabled on all root servers, I'd expect many queries to be over the 512 byte maximum. See http://www.theregister.co.uk/2010/04/13/dnssec/ if you are not familiar with this.
Does this mean I should change the 512 number to something else? Suggestions on that? Or should I just disable DNS inspection completely with "no inspect dns"?
05-05-2010 03:07 AM
Hey Troy,
pkampana is absolutely correct. You can keep the "message-length maximum 512" in, and just add the "message-length maximum client auto" line as per the bug.
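A small model of what the two settings discussed above do, added here as an example (not Cisco code and not from anyone in this thread): it reads the EDNS0 UDP payload size a client advertises in the OPT record of its query, then decides whether a long signed response would pass under a fixed "message-length maximum 512" versus "client auto". The query and the 700-byte response are constructed samples, and the pass/drop decision is a simplified model of the firewall's check, not its actual implementation.

```python
import struct

DNS_TYPE_OPT = 41  # EDNS0 pseudo-RR, carried in the additional section

def skip_name(msg, off):
    """Return the offset just past a DNS name (handles compression pointers)."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:   # two-byte compression pointer ends the name
            return off + 2
        off += 1 + length
        if length == 0:             # root label ends the name
            return off

def edns_udp_size(msg):
    """EDNS0 UDP payload size advertised in the OPT RR, or None if there is none."""
    qd, an, ns, ar = struct.unpack_from("!4H", msg, 4)
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4          # skip QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        if rtype == DNS_TYPE_OPT:
            return rclass                      # OPT reuses the CLASS field as UDP size
        off += 10 + rdlen
    return None

def dns_inspect_allows(query, response, maximum=512, client_auto=False):
    """Simplified model of 'message-length maximum N [client auto]'."""
    limit = maximum
    if client_auto:
        advertised = edns_udp_size(query)      # client auto: use the client's value
        if advertised is not None:
            limit = advertised
    return len(response) <= limit

def build_query(name, udp_size=None):
    """Constructed sample A query; with udp_size set, an EDNS0 OPT RR (DO bit) is added."""
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    question = qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    opt = b""
    if udp_size:
        opt = b"\x00" + struct.pack("!HHIH", DNS_TYPE_OPT, udp_size, 0x00008000, 0)
    header = struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 1 if udp_size else 0)
    return header + question + opt

QUERY = build_query("example.com", udp_size=4096)   # constructed, advertises 4096
# Constructed 700-byte "signed" response: header plus zero-filled body (length is all that matters here)
RESPONSE = struct.pack("!6H", 0x1234, 0x8180, 1, 2, 0, 1) + b"\x00" * 688
```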
02-14-2011 08:06 AM
Hello,
Could you inform me in which version of FWSM is available the command "message-length maximum client auto"?
Thank you
02-14-2011 02:57 PM
Unfortunately the "auto" option is not available in FWSM.
You can only configure absolute maximum length but not "auto".
Here is the command for your reference:
http://www.cisco.com/en/US/docs/security/fwsm/fwsm41/command/reference/i2.html#wp1639206
Hope that answers your question.
02-15-2011 03:57 AM
Thank you Jennifer for your prompt answer, I will try to increase the maximum length to 1536 bytes.