02-27-2014 05:12 AM - edited 03-11-2019 08:50 PM
We picked up a strange problem on the FWSM. DNS queries sent to UDP 53 for the DNS services hosted on a Linux server failed to work.
DNS INSPECT on the firewalls had to be turned off, and DNS tests were fired again to get this working. Is this a known problem, or do we have a workaround instead of disabling the INSPECT feature?
03-03-2014 08:21 AM
Hi;
It should not be a problem. A common issue would be the size of the DNS packets. Normally the ASA only supports 512; if it exceeds that (due to the use of secure DNS) it will start dropping them.
Turn on the logs and do a couple of tests if possible.
Mike
Sent from Cisco Technical Support Android App
03-03-2014 09:32 AM
Normally 512 bytes for a DNS query is more than required; anything beyond that size may be considered an attack, like DNS cache poisoning or something related.
Check what your default policy on DNS Inspection is doing before disabling that.
And please paste some logs regarding what is shown for DNS Inspection on those.
Have a great day, and rate if this works for you.
03-03-2014 11:01 AM
With the introduction of DNS security, large DNS requests would require authentication. This was first introduced in version 8.2 of the ASA firewall, when we changed from the fixed size of 512 bytes to Auto.
The FWSM was left behind because it was either way going to be replaced by the ASA-SM.
I remember this issue when the Windows Server 2008 came out.
I would rather check exactly why the packet is being dropped with the logs rather than doing any suggestions.
Mike
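The replies above point at message size as the likely reason DNS inspection drops the queries: classic UDP DNS is capped at 512 bytes, and EDNS0/DNSSEC responses routinely exceed that. The script below is an added example, not code from this thread or from Cisco; it builds DNS queries (optionally with an EDNS0 OPT record) and summarizes captured DNS messages so you can see, before touching the inspect policy, which packets exceed the 512-byte limit and whether they carry an EDNS0 advertised buffer size or the DNSSEC OK bit. The sample "response" is constructed in the script with placeholder signature bytes; it is not a real capture.

```python
import struct

# Classic UDP DNS ceiling that older FWSM/ASA DNS inspection enforces (assumption from the thread).
DNS_INSPECT_MAX = 512
TYPE_OPT = 41    # EDNS0 pseudo-record
TYPE_RRSIG = 46  # DNSSEC signature record


def encode_name(name):
    """Encode a dotted name into DNS wire labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=1, txid=0x1234, edns_udp_size=None, do_bit=False):
    """Build a standard query; with edns_udp_size set, append an OPT record advertising that buffer size."""
    arcount = 1 if edns_udp_size else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # RD flag set
    question = encode_name(name) + struct.pack("!HH", qtype, 1)      # class IN
    msg = header + question
    if edns_udp_size:
        # OPT: root name, TYPE=41, CLASS=UDP payload size, TTL=ext-rcode/version/flags, RDLEN=0
        flags = 0x00008000 if do_bit else 0  # DO bit requests DNSSEC records in the answer
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, edns_udp_size, flags, 0)
    return msg


def build_rr(name, rtype, rdata, ttl=300, rclass=1):
    """Serialize one resource record."""
    return encode_name(name) + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata


def constructed_dnssec_response(txid=0x1234):
    """Constructed sample: a signed A answer whose RRSIG pushes the message past 512 bytes."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 2, 0, 1)  # QR+RD+RA, 2 answers, 1 additional
    question = encode_name("example.com") + struct.pack("!HH", 1, 1)
    a_rr = build_rr("example.com", 1, bytes([192, 0, 2, 10]))
    rrsig = build_rr("example.com", TYPE_RRSIG, b"\x00" * 520)  # placeholder bytes, not a real signature
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, 0x00008000, 0)
    return header + question + a_rr + rrsig + opt


def skip_name(data, off):
    """Advance past a wire-format name, handling compression pointers."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # 2-byte pointer terminates the name
            return off + 2
        off += 1 + length


def summarize(data):
    """Report size, EDNS0 buffer size, DO bit and record types for one DNS message."""
    txid, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", data, 0)
    off = 12
    for _ in range(qd):
        off = skip_name(data, off) + 4   # QTYPE + QCLASS
    edns_size, do_bit, types = None, False, []
    for _ in range(an + ns + ar):
        off = skip_name(data, off)
        rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", data, off)
        off += 10 + rdlen
        types.append(rtype)
        if rtype == TYPE_OPT:
            edns_size = rclass            # OPT reuses CLASS for the advertised UDP payload size
            do_bit = bool(ttl & 0x8000)
    return {
        "txid": txid,
        "is_response": bool(flags & 0x8000),
        "length": len(data),
        "edns_udp_size": edns_size,
        "dnssec_ok": do_bit,
        "rr_types": types,
        "exceeds_inspect_limit": len(data) > DNS_INSPECT_MAX,
    }


if __name__ == "__main__":
    for label, msg in (("query", build_query("example.com", edns_udp_size=4096, do_bit=True)),
                       ("response", constructed_dnssec_response())):
        print(label, summarize(msg))
```

Feed `summarize()` the UDP payloads from a capture taken on the inside interface while the problem reproduces: a response flagged `exceeds_inspect_limit` with `edns_udp_size` set is the pattern the replies describe, and it tells you whether raising the inspection message-length limit on the firewall or lowering the resolver's advertised EDNS0 buffer is the right fix, rather than disabling DNS inspection altogether.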