Sorry, I am in a different

elite2010 · ‎12-26-2016

Hi,

I have dns server (windows only ) which forward the request to an open resolver ,suddenly it does not resolve the dns requestes . So the client (resolver) get timed out message when try to resolve

Here is the dns related information on the asa firewall

policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512

show asp drop frame

DNS Inspect invalid domain label (inspect-dns-invalid-domain-label) 5101
DNS Inspect invalid domain label (inspect-dns-invalid-domain-label) 5101
DNS Inspect id not matched (inspect-dns-id-not-matched) 6902
DNS Inspect id not matched (inspect-dns-id-not-matched) 6902

Thanks

Ajay Saini · ‎12-26-2016

To fix the issue, we need to understand why these asp drop codes are seen. Below link talks about the same:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/show_asp_drop/show_asp_drop.html

Now, first thing we need here is to understand is if these asp drop packets are legit packets and still dropped by the firewall. Packet-captures taken on the firewall will help us in identifying this fact.

If you are 100% sure that these packets are genuine and need to be allowed, then we would need to modify the inspect dns type policy map and allow these parameters keeping in mind that this will create a security hole through the appliance.

For modifying the policy-map, below link will be useful:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/mpf_inspect_maps.html

HTH

-

AJ

elite2010 · ‎12-26-2016

Hi,

Actually I am trying to troubleshoot an issue as I discussed in my earlier post .

Suddenly our dns server cannot resolve the query which is sent by the hosts in the local network.

and the problem getting resolved after few minutes . And it recurs after sometime .

dns server forward the request to google open resolver (8.8.8.8) and to local isp's dns also .

So i was thinking it is something related with asa.

" If you are 100% sure that these packets are genuine and need to be allowed, then we would need to modify the inspect dns type policy map and allow these parameters keeping in mind that this will create a security hole through the appliance. "

could you tell me what exactly do i need to modify

Thanks.

Ajay Saini · ‎12-26-2016

Can you please attach the output of show service-policy inspect dns

HTH

-

AJ

elite2010 · ‎12-26-2016

Hi,

show service-policy inspect dns

Global policy:
Service-policy: global_policy
Class-map: inspection_default
Inspect: dns _default_dns_map, packet 86774077, lock fail 0, drop 12328, reset-drop 0, v6-fail-close 0
dns-guard, count 40828688
protocol-enforcement, drop 5107
nat-rewrite, count 0

Thanks

Ajay Saini · ‎12-27-2016

There are too many drops under 'protocol-enforcement. Lets start by disabling this feature. Please send me output of 'show run policy-map' , I will send you the commands.

Please keep in mind that by removing these features, we are making the firewall prone to attacks. I am assuming that you know for sure that traffic dropped is legit traffic.

I am only suggesting this for your case. Not a solution, but a workaround.

HTH

-

AJ

elite2010 · ‎12-27-2016

Hi,

here is the output

policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect dns
inspect icmp
inspect http
class netflow-export-class
flow-export event-type flow-create destination 192.168.100.100
flow-export event-type flow-denied destination 192.168.100.100
flow-export event-type flow-update destination 192.168.100.100
class class-default
user-statistics accounting

Thanks
!

Ajay Saini · ‎12-27-2016

Sorry, I am in a different timezone and hence the delay.

Try below commands:

policy-map type inspect dns preset_dns_map
parameters

no protocol-enforcement

Let me know if it works. If it still fails, we might have to consider removing the dns policy altogether. Something like:

policy-map global_policy
class inspection_default

no inspect dns

HTH

-

AJ

muhsi_2015 · ‎12-28-2016

Hi,

If we do the below dns traffic will not go outside like ping drops if we did not add the command inspect icmp

Please correct me if I am wrong

policy-map global_policy

class inspection_default

no inspect dns

Thanks

Ajay Saini · ‎12-28-2016

By removing inspect dns, dns will still work but as normal udp traffic.

The reason why icmp stops working after removing inspect icmp is that icmp is stateless and return traffic is dropped on ASA.

HTH

-

AJ

elite2010 · ‎12-28-2016

Hi,

It seems that the issue was from isp side .Before applying commands in your previous post , It would be great if you clarify few doubts .

1.How can I verify why and what asa dropped

DNS Inspect invalid domain label (inspect-dns-invalid-domain-label) 5101
DNS Inspect invalid domain label (inspect-dns-invalid-domain-label) 5101
DNS Inspect id not matched (inspect-dns-id-not-matched) 6902
DNS Inspect id not matched (inspect-dns-id-not-matched) 6902

2)

And what will happen if I do the below

policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512

policy-map global_policy
...
inspect dns preset_dns_map

....

(Removed other inspect )

And you were really helpful

Thanks

Ajay Saini · ‎12-28-2016

1.

To identify the exact packet that was dropped under the asp drop can be seen by applying the asp drop capture:

something like:

capture <name> type asp-drop <type>

On your case,

capture test type asp-drop inspect-dns-invalid-domain-label

or

capture test type asp-drop inspect-dns-id-not-matched

your second question is not clear. Please rephrase.

-

AJ

dns inspect