Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1917
Views
0
Helpful
4
Replies

DNS Inspection Denial of Service Vulnerability

Go to solution
david.tran
Level 4
Level 4

‎10-31-2013 12:55 PM - edited ‎03-11-2019 07:58 PM

Advisory ID: cisco-sa-20131009-asa

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20131009-asa

I have a Pix running version 8.0.4 with the following configuration:

inside interface:      192.168.231.254/255.255.255.0

outside interface:     10.100.2.254/255.255.255.0

no nat-control

access-list test permit ip any any log

access-group test in interface outside

access-group test in interface inside

I have a window 2008R2 residing on the Internal interface of the firewall.  The domain controller resides on the outside interface of the firewall.

I went ahead and implement the change recommended by Cisco

access-list DNS_INSPECT extended permit udp any any

class-map DNS_INSPECT_CP

   match access-list  DNS_INSPECT

policy-map global_policy

   class DNS_INSPECT_CP

     inspect dns preset_dns_map

However, after implement the workaround, my windows 2008R2 machine on the inside network can NOT join with AD on the outside network.

on the log of the firewall I see this:

Oct 31 14:34:09 192.168.231.254 %PIX-4-410001: Dropped UDP DNS request from inside:192.168.231.180/61780 to outside:10.100.2.128/389; label length 132 bytes exceeds protocol limit of 63 bytes

Oct 31 14:34:17 192.168.231.254 %PIX-4-410001: Dropped UDP DNS request from inside:192.168.231.180/61780 to outside:10.100.2.128/389; label length 132 bytes exceeds protocol limit of 63 bytes

I even change the DNS maximum length to 8192 but it still does not work. 

I remove the recommendation from the configuration, everything works fine after that.

Anyone knows why?

Thanks in advance

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni
In response to david.tran

‎10-31-2013 03:48 PM

Hi,

Wasnt your configuration meant to check DNS traffic?

Your ACL catches all UDP traffic since there is no "eq 53" at the end. In the above logs the blocked traffic is destination port 389

So is the problem now the ACL used in the actual MPF configuration?

- Jouni

View solution in original post

0 Helpful
4 Replies 4

Go to solution
Julio Carvajal
VIP Alumni
VIP Alumni

‎10-31-2013 02:43 PM

Hello,

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum 1024

U do not have this command right available at the CLI right

message-length maximum client auto

Then clear-local host try one more time and provide the logs.

Note:

access-list test permit ip any any log

access-group test in interface outside

access-group test in interface inside

That ACL means u have no firewall in place

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
0 Helpful

Go to solution
david.tran
Level 4
Level 4
In response to Julio Carvajal

‎10-31-2013 03:42 PM 

Julio Carvajal wrote:
U do not have this command right available at the CLI right
message-length maximum client auto

     I do

CiscoPix# sh run policy-map

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum 1024

  message-length maximum client auto

policy-map global_policy

class inspection_default

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect netbios

  inspect rsh

  inspect rtsp

  inspect skinny

  inspect esmtp

  inspect sunrpc

  inspect tftp

  inspect sip

  inspect xdmcp

  inspect sqlnet

  inspect dns preset_dns_map

class class_sunrpc_tcp

  inspect sunrpc

class DNS_INSPECT_CP

  inspect dns preset_dns_map

!

CiscoPix#

Julio Carvajal wrote:
 
Then clear-local host try one more time and provide the logs.
Note:
access-list test permit ip any any log
access-group test in interface outside
access-group test in interface inside
That ACL means u have no firewall in place

I am very aware of this.  At this point, it does not matter, it just want the firewall to function like a routing device.

It still does NOT work.  Here is the log:

Oct 31 17:57:25 192.168.231.254 %PIX-6-106100: access-list test permitted udp inside/192.168.231.180(61982) -> outside/10.100.2.128(53) hit-cnt 1 first hit [0x63a9cac7, 0x0]

Oct 31 17:57:25 192.168.231.254 %PIX-6-106100: access-list test permitted udp inside/192.168.231.180(61983) -> outside/10.100.2.128(389) hit-cnt 1 first hit [0x63a9cac7, 0x0]

Oct 31 17:57:25 192.168.231.254 %PIX-4-410001: Dropped UDP DNS request from inside:192.168.231.180/61983 to outside:10.100.2.128/389; label length 132 bytes exceeds protocol limit of 63 bytes

Oct 31 17:57:32 192.168.231.254 %PIX-4-410001: Dropped UDP DNS request from inside:192.168.231.180/61983 to outside:10.100.2.128/389; label length 132 bytes exceeds protocol limit of 63 bytes

Oct 31 17:57:33 192.168.231.254 %PIX-6-106100: access-list test permitted udp inside/192.168.231.180(50955) -> outside/10.100.2.128(53) hit-cnt 1 first hit [0x63a9cac7, 0x0]

0 Helpful

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni
In response to david.tran

‎10-31-2013 03:48 PM

Hi,

Wasnt your configuration meant to check DNS traffic?

Your ACL catches all UDP traffic since there is no "eq 53" at the end. In the above logs the blocked traffic is destination port 389

So is the problem now the ACL used in the actual MPF configuration?

- Jouni

0 Helpful

Go to solution
david.tran
Level 4
Level 4
In response to Jouni Forss

‎10-31-2013 03:53 PM

I had one too many beers not to see this :-).  Thanks.  everything is working now.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card