09-22-2011 08:24 AM - edited 03-11-2019 02:28 PM
Hi,
I have a question for you security gurus out there. By default the ASA applies DNS packet inspection with a default (maximum) packet size of 512 bytes, as recommended by RFC 1035; anything above that is dropped.
I have a customer that is trying to use larger packet sizes due to the extension mechanisms for DNS defined in RFC 2671.
My question is: is it safe to increase the default packet size in the DNS inspection, thus applied globally for all DNS traffic, or should/can we apply a policy that applies only to this specific customer?
Any help much appreciated.
Thanks,
Dave.
09-22-2011 08:33 AM
Hi Dave,
There are some sites for which the DNS query packets exceed the default limit of 512 KB; if you increase the size to maybe 1024 or 2048 KB, that should not be an issue. And yes, you can either do it for all or for specific traffic only.
Thanks,
Varun
09-22-2011 08:41 AM
Hi Varun,
Thanks for the quick response. Can you give me pointers on how to configure a policy that inspects just a certain customer at, say, 1024 bytes and leaves all others at 512 bytes? For example, what would the match criteria be?
I have looked on CCO and am unsure of how to do this.
Regards,
Dave.
09-22-2011 08:56 AM
Here's an example for it:
http://www.cisco.com/en/US/customer/docs/security/asa/asa83/command/reference/i2.html#wp1759149
You can use an access-list to define your interesting traffic and use it to match in the class-map.
Thanks,
Varun
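Worked configuration for the approach Varun describes (an ACL matched by a class-map, with a dedicated DNS inspect policy applied only to that class). This is an added example and not configuration from the thread or from Cisco's documentation; the object names (CUSTOMER_DNS_ACL, CUSTOMER_DNS_CLASS, CUSTOMER_DNS_INSPECT) and the customer's DNS server address 192.0.2.53 (RFC 5737 documentation range) are assumptions. The default global_policy with class inspection_default and preset_dns_map is the ASA's factory default and is kept unchanged for everyone else.

```cisco
! Added example, hypothetical names. Assumes the customer's DNS resolver is
! 192.0.2.53 and that clients on any interface query it over UDP/53.
! Match both directions so replies (the large EDNS0 responses) are covered too.
access-list CUSTOMER_DNS_ACL extended permit udp any host 192.0.2.53 eq domain
access-list CUSTOMER_DNS_ACL extended permit udp host 192.0.2.53 eq domain any

! Class that selects only the customer's DNS traffic.
class-map CUSTOMER_DNS_CLASS
 match access-list CUSTOMER_DNS_ACL

! Dedicated DNS inspection map for this customer. Only message-length
! is changed; all other DNS inspection checks remain active.
! Valid range for message-length maximum is 512-65535 bytes.
policy-map type inspect dns CUSTOMER_DNS_INSPECT
 parameters
  message-length maximum 4096

! Apply it in the global service policy. The customer class is placed BEFORE
! inspection_default: for a given feature type (here, inspection) the ASA
! applies the first matching class only, so ordering decides which DNS map wins.
policy-map global_policy
 class CUSTOMER_DNS_CLASS
  inspect dns CUSTOMER_DNS_INSPECT
 class inspection_default
  inspect dns preset_dns_map

! preset_dns_map (factory default, shown for reference) keeps 512 bytes for
! all other DNS traffic:
! policy-map type inspect dns preset_dns_map
!  parameters
!   message-length maximum 512

service-policy global_policy global
```

To verify which map a flow hits, use `show service-policy inspect dns` and check that the hit counters for CUSTOMER_DNS_CLASS increment while the customer resolves names; if only inspection_default counts rise, the ACL or class order is wrong. Keep the increase scoped as above rather than editing preset_dns_map: raising the global limit widens what the inspection engine will accept for every host, and 4096 bytes is the common EDNS0 advertised size, so going beyond it buys nothing for RFC 2671 clients.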