Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
534
Views
0
Helpful
3
Replies

DNS Requests killing PIX 525

johanlr
Level 1
Level 1

‎02-02-2006 05:06 AM - edited ‎02-21-2020 12:41 AM

HI

When +/- 800 PCs do a DNS lookup for a domain that does not exist to 8 regional DNS servers which in turn query 2 main DNS servers, the amount of connections for 1 of the DNS servers on the PIX arein excess of 75000 connections, killing the CPU of the PIX running ver 6.3(4).

Is there any way of stopping or limiting the amount of connections the PIX will open for the 2 main DNS servers?

0 Helpful
3 Replies 3

sachinraja
Level 9
Level 9

‎02-02-2006 07:47 AM

hello johan

you have a parameter called max_conns on the static nat statement. you can set this and the pix will block any tcp or udp connections once that number is reached.... you can probably create seperate statics for each dns server and give this limit... just note that any valid dns request after this number will also get dropped. so make sure you define the correct number...

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_command_reference_chapter09186a00801cd841.html#wp1026694

have a look at this URL for more info...

One thing - are all the 75000 entries valid ones ? probably some kinda attack is there on your network. just check on that.

Raj

0 Helpful

johanlr
Level 1
Level 1
In response to sachinraja

‎02-02-2006 01:48 PM

RAJ

There is a nat in place with a max connection limit of 3000 and embryonic connection limit of 1000, this did not stop the amount of connection the DNS queries made on the firewall.

Does the max_conns limit UDP?? see the output from a help nat on a PIX firewall and it states TCP only which differs from the command reference guide.

Regards

0 Helpful

thamdani
Cisco Employee
Cisco Employee
In response to johanlr

‎02-03-2006 12:52 AM

Hi ,

Check the timeout value configured for UDP connections ,PIX should clear the idle DNS [UDP] connections on its own ,however if you have so many UDP connections then you may be hitting a BUG which was for DNS connections not cleared by pix .it was in 6.2.x ,.

check the "show conn detail" and check whats the idle time for these connections ,if its more than 2 min [which is default timeout value for UDP ] then you are definitely hitting the bug.

Regards,

Tanveer

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card