Default ASA DNS inspection

Dave Mumford
Level 1

Hi ,

I have a question to you security gurus out there.  By default ASA applies DNS packet inspection with a default (maximum) packet size of 512 bytes as recommended by RFC 1035; anything above is dropped.

I have a customer that is trying to use larger packet sizes due to extension mechanisms for DNS defined in RFC2671.

My question is , is it safe to increase the default packet size in the DNS inspection thus applied globally for all DNS traffic, or should / can we apply a policy that applies only to this specific customer ?

Any help much appreciated.

Thanks,

Dave.

3 Replies

varrao
Level 10

Hi Dave,

There are some sites for which the DNS query packets exceed the default limit of 512 KB; if you increase the size to maybe 1024 or 2048 KB, that should not be an issue. And yes, you can either do it for all or for specific traffic only.

Thanks,

Varun

Thanks,
Varun Rao

Hi Varun,

Thanks for the quick response. Can you give me pointers on how to configure a policy that inspects just a certain customer to, say, 1024 bytes and leave all others at 512 bytes. For example, what would the match criteria be?

I have looked on CCO and am unsure of how to do this.

Regards,

Dave.

Here's an example for it:

http://www.cisco.com/en/US/customer/docs/security/asa/asa83/command/reference/i2.html#wp1759149

You can use an access-list to define your interesting traffic and use it to match in the class-map.

Thanks,

Varun

Thanks,
Varun Rao
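The approach described in the reply above, written out as an added ASA configuration example (constructed for this thread, not taken from the original post or from Cisco's documentation). The subnet 10.10.10.0/24 and the names CUST_DNS_MAP, CUST_DNS_ACL and CUST_DNS_CLASS are assumptions; only the customer's DNS traffic gets the larger 1024-byte limit, all other DNS keeps the default 512-byte inspection.

```cisco
! Constructed example. Assumed: 10.10.10.0/24 is the customer's resolver subnet;
! CUST_DNS_MAP, CUST_DNS_ACL and CUST_DNS_CLASS are arbitrary names chosen here.

! 1. A DNS inspection policy that differs from the preset only in the length cap.
policy-map type inspect dns CUST_DNS_MAP
 parameters
  message-length maximum 1024

! 2. Interesting traffic: DNS queries from this customer only.
access-list CUST_DNS_ACL extended permit udp 10.10.10.0 255.255.255.0 any eq domain

class-map CUST_DNS_CLASS
 match access-list CUST_DNS_ACL

! 3. Attach the per-customer inspection to the global policy.
!    For a given feature (here DNS inspection) a packet is handled by the first
!    class it matches, so the customer class must sit ahead of inspection_default;
!    on an existing policy that means removing and re-adding the default class.
!    Everything else still gets the 512-byte preset_dns_map.
policy-map global_policy
 class CUST_DNS_CLASS
  inspect dns CUST_DNS_MAP
 class inspection_default
  inspect dns preset_dns_map

service-policy global_policy global

! 4. Verify which class the customer's DNS packets are actually hitting.
! show service-policy inspect dns
```

If the counters under CUST_DNS_CLASS stay at zero while inspection_default keeps incrementing, the class order is wrong and the customer traffic is still being capped at 512 bytes.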