
dns question

techkamleshs
Level 1

Hi,

I was going through the DNS doctoring example on the Cisco site and the packet captures for it. As a DNS request is UDP, is it true that its corresponding DNS reply will also come back? As UDP is not reliable like TCP, is the reply a new session initiated from the destination?


5 Replies

Jennifer Halim
Cisco Employee

Yes, the corresponding DNS reply should return. It will return the corresponding NAT address according to the static NAT statement that is configured with DNS doctoring.

Hi,

The DNS doctoring example was just a reference; my question is more related to networking. As a DNS request is UDP, I believe it will just deliver the packet to the destination, but in this example the corresponding DNS reply is also coming back. I wanted to understand whether the reply is a new session initiated from the destination towards the source (as it is a UDP packet, which is not reliable like TCP).

Yes, you are right. UDP is connectionless, and the ASA will actually match the ID of the DNS request and reply and make sure that it matches.

"inspect dns" is required to make sure that it is a legitimate DNS reply that matches the DNS request in the ASA connection table.

Here is more information on DNS specifically on the ASA for your reference:

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/i2.html#wp1719130

However, for other UDP packets, you are absolutely right.

Thanks! And matching the ID of the DNS request with the reply is done by DNS guard, right?

Kamlesh,

DNS guard ensures one response per request.

You can read here: http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/d2.html#wp1951632

-KS
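To make the two answers above concrete, here is an added example (not ASA code, and not from anyone in this thread) of what a stateful firewall does with DNS over UDP: the outbound query opens a UDP connection entry keyed on the 5-tuple, the inbound reply is accepted only if it matches the reverse tuple and carries the same 16-bit DNS transaction ID (the "inspect dns" check), and, as DNS guard does, the entry is torn down after the first matching reply so that a second or forged reply is dropped. The class and function names, the addresses and the DNS headers are constructed for the demo; the model is deliberately simplified and does not reproduce the ASA's real internals.

```python
import struct
from dataclasses import dataclass, field

# Constructed, simplified model of stateful DNS/UDP handling on a firewall
# such as the ASA. Added example; names and behaviour are assumptions, not
# the ASA's actual implementation.

DNS_HEADER = struct.Struct("!HHHHHH")  # id, flags, qdcount, ancount, nscount, arcount


def build_dns_message(txid: int, response: bool) -> bytes:
    """Build a minimal 12-byte DNS header (no question section) for the demo."""
    flags = 0x8180 if response else 0x0100  # QR+RD+RA for a reply, RD only for a query
    return DNS_HEADER.pack(txid, flags, 1, 1 if response else 0, 0, 0)


def parse_dns_header(payload: bytes):
    """Return (txid, is_response) or None if the payload is too short to be DNS."""
    if len(payload) < DNS_HEADER.size:
        return None
    txid, flags, *_ = DNS_HEADER.unpack_from(payload)
    return txid, bool(flags & 0x8000)  # QR bit marks a response


@dataclass
class DnsGuardFirewall:
    # key: (src_ip, src_port, dst_ip, dst_port) of the original query -> transaction ID
    conn_table: dict = field(default_factory=dict)
    log: list = field(default_factory=list)

    def process(self, src_ip, src_port, dst_ip, dst_port, payload: bytes) -> bool:
        """Return True if the datagram is forwarded, False if it is dropped."""
        hdr = parse_dns_header(payload)
        if hdr is None:
            self.log.append("drop: not a DNS header")
            return False
        txid, is_response = hdr

        if not is_response:
            # Outbound query: open a UDP connection entry and remember its ID.
            self.conn_table[(src_ip, src_port, dst_ip, dst_port)] = txid
            self.log.append(f"open: {src_ip}:{src_port}->{dst_ip}:{dst_port} id={txid:#06x}")
            return True

        # An inbound reply must be the reverse 5-tuple of an open query...
        key = (dst_ip, dst_port, src_ip, src_port)
        expected = self.conn_table.get(key)
        if expected is None:
            self.log.append(f"drop: unsolicited reply from {src_ip}:{src_port}")
            return False
        # ...and carry the same transaction ID ("inspect dns").
        if txid != expected:
            self.log.append(f"drop: id mismatch {txid:#06x} != {expected:#06x}")
            return False
        # DNS guard: one response per request, so tear the entry down right away.
        del self.conn_table[key]
        self.log.append(f"accept: reply id={txid:#06x}, connection torn down")
        return True


def demo():
    """Run the cases discussed in the thread; return (verdicts, firewall log)."""
    fw = DnsGuardFirewall()
    client, server = ("10.1.1.10", 40000), ("203.0.113.53", 53)  # constructed addresses
    query = build_dns_message(0x1234, response=False)
    good = build_dns_message(0x1234, response=True)
    forged = build_dns_message(0x9999, response=True)  # wrong transaction ID
    v = {}
    v["query_forwarded"] = fw.process(*client, *server, query)
    v["forged_id_dropped"] = not fw.process(*server, *client, forged)
    v["reply_accepted"] = fw.process(*server, *client, good)
    v["second_reply_dropped"] = not fw.process(*server, *client, good)
    v["unsolicited_dropped"] = not fw.process(*server, "10.1.1.99", 40000, good)
    return v, fw.log


if __name__ == "__main__":
    verdicts, log = demo()
    print("\n".join(log))
    print(verdicts)
```

Without the "inspect dns" step, a plain UDP connection entry would accept any datagram matching the reverse 5-tuple until its idle timeout, which is why the transaction-ID check and the one-response teardown matter for reply spoofing.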
