Solved: DNS Inspection Denial of Service Vulnerability

david.tran · ‎10-31-2013

Advisory ID: cisco-sa-20131009-asa

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20131009-asa

I have a Pix running version 8.0.4 with the following configuration:

inside interface: 192.168.231.254/255.255.255.0

outside interface: 10.100.2.254/255.255.255.0

no nat-control

access-list test permit ip any any log

access-group test in interface outside

access-group test in interface inside

I have a window 2008R2 residing on the Internal interface of the firewall. The domain controller resides on the outside interface of the firewall.

I went ahead and implement the change recommended by Cisco

access-list DNS_INSPECT extended permit udp any any

class-map DNS_INSPECT_CP

match access-list DNS_INSPECT

policy-map global_policy

class DNS_INSPECT_CP

inspect dns preset_dns_map

However, after implement the workaround, my windows 2008R2 machine on the inside network can NOT join with AD on the outside network.

on the log of the firewall I see this:

Oct 31 14:34:09 192.168.231.254 %PIX-4-410001: Dropped UDP DNS request from inside:192.168.231.180/61780 to outside:10.100.2.128/389; label length 132 bytes exceeds protocol limit of 63 bytes

Oct 31 14:34:17 192.168.231.254 %PIX-4-410001: Dropped UDP DNS request from inside:192.168.231.180/61780 to outside:10.100.2.128/389; label length 132 bytes exceeds protocol limit of 63 bytes

I even change the DNS maximum length to 8192 but it still does not work.

I remove the recommendation from the configuration, everything works fine after that.

Anyone knows why?

Thanks in advance

Jouni Forss · ‎10-31-2013

Hi,

Wasnt your configuration meant to check DNS traffic?

Your ACL catches all UDP traffic since there is no "eq 53" at the end. In the above logs the blocked traffic is destination port 389

So is the problem now the ACL used in the actual MPF configuration?

- Jouni

View solution in original post

Julio Carvajal · ‎10-31-2013

Hello,

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 1024

U do not have this command right available at the CLI right

message-length maximum client auto

Then clear-local host try one more time and provide the logs.

Note:

access-list test permit ip any any log

access-group test in interface outside

access-group test in interface inside

That ACL means u have no firewall in place

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

david.tran · ‎10-31-2013

Julio Carvajal wrote:

U do not have this command right available at the CLI right

message-length maximum client auto

I do

CiscoPix# sh run policy-map

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 1024

message-length maximum client auto

policy-map global_policy

class inspection_default

inspect ftp

inspect h323 h225

inspect h323 ras

inspect netbios

inspect rsh

inspect rtsp

inspect skinny

inspect esmtp

inspect sunrpc

inspect tftp

inspect sip

inspect xdmcp

inspect sqlnet

inspect dns preset_dns_map

class class_sunrpc_tcp

inspect sunrpc

class DNS_INSPECT_CP

inspect dns preset_dns_map

!

CiscoPix#

Julio Carvajal wrote:

Then clear-local host try one more time and provide the logs.

Note:

access-list test permit ip any any log

access-group test in interface outside

access-group test in interface inside

That ACL means u have no firewall in place

I am very aware of this. At this point, it does not matter, it just want the firewall to function like a routing device.

It still does NOT work. Here is the log:

Oct 31 17:57:25 192.168.231.254 %PIX-6-106100: access-list test permitted udp inside/192.168.231.180(61982) -> outside/10.100.2.128(53) hit-cnt 1 first hit [0x63a9cac7, 0x0]

Oct 31 17:57:25 192.168.231.254 %PIX-6-106100: access-list test permitted udp inside/192.168.231.180(61983) -> outside/10.100.2.128(389) hit-cnt 1 first hit [0x63a9cac7, 0x0]

Oct 31 17:57:25 192.168.231.254 %PIX-4-410001: Dropped UDP DNS request from inside:192.168.231.180/61983 to outside:10.100.2.128/389; label length 132 bytes exceeds protocol limit of 63 bytes

Oct 31 17:57:32 192.168.231.254 %PIX-4-410001: Dropped UDP DNS request from inside:192.168.231.180/61983 to outside:10.100.2.128/389; label length 132 bytes exceeds protocol limit of 63 bytes

Oct 31 17:57:33 192.168.231.254 %PIX-6-106100: access-list test permitted udp inside/192.168.231.180(50955) -> outside/10.100.2.128(53) hit-cnt 1 first hit [0x63a9cac7, 0x0]

Jouni Forss · ‎10-31-2013

Hi,

Wasnt your configuration meant to check DNS traffic?

Your ACL catches all UDP traffic since there is no "eq 53" at the end. In the above logs the blocked traffic is destination port 389

So is the problem now the ACL used in the actual MPF configuration?

- Jouni

david.tran · ‎10-31-2013

I had one too many beers not to see this :-). Thanks. everything is working now.