11-28-2012 01:24 PM - edited 03-11-2019 05:29 PM
We have an FWSM running 3.2 IOS in a cat 6509
Clients and server conducting queries against MS 2003 AD servers running DNS are having problems, and in the syslog I see messages like
Deny inbound UDP from 172.25.59.106/53 to 172.25.55.11/56465 due to DNS Response
UDP 53 is allowed from the subnets into the subnets/vlans where the DNS servers reside, and
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
have been enabled (the vlans have the same security level).
I have also attempted to turn off DNS inspection in the global policy (no inspect dns)
Nevertheless, these errors persist. Anyone have any ideas?
11-28-2012 01:56 PM
Please add
inspect dns maximum-length 1024
To your configuration. If you read the DNS RFC, as with TFTP, the packets should not exceed 512 bytes.
As such the FWSM/ASA has a default DNS size of 512 bytes.
Best Regards
Ju
Sent from Cisco Technical Support iPad App
11-29-2012 05:05 AM
David,
The RFC states and Cisco obliges that DNS responses should be less than 512 bytes. The Firewall will drop any DNS response over 512 bytes, unless the size is increased. The changes to DNS for DNSSEC mean that the 512 byte limit is often exceeded.
http://www.cisco.com/web/about/security/intelligence/dnssec.html
Obviously, turning inspect off would negate the need for this command. Based on me missing that part of his post altogether. In which case it's probably worth disabling DNS-GUARD.
Regards
Ju
11-29-2012 04:51 AM
why are you telling him to increase the dns length to 1024? When he turns OFF dns inspect (aka no fixup protocol 53 dns), should that turn off inspecting DNS altogether?
11-29-2012 05:13 AM
I don't work with ASA on a daily basis (checkpoint is what I am doing these days); however, I thought you can disable dns-guard if you have inspect DNS enabled.
My understanding of this is that once you turn OFF inspect DNS, dns-guard is also disabled as well because dns-guard is a subset of inspect DNS
11-29-2012 05:24 AM
David,
As I'm sure you're aware, I believe there are some variations between the ASA/PIX/FWSM. As I understand it the question raised was in reference to the FWSM 3.2 which has its own features or whatever semantics you wish to use.
http://www.cisco.com/web/about/security/intelligence/dns-bcp.html
search for DNS-GUARD
Best Regards
Ju (stuff is what I do these days)
11-28-2012 05:31 PM
Hello Colin,
What are the DNS servers being used by your local area network clients?
How many are there?
Regards,
Julio
11-29-2012 06:11 AM
jcarvaja:
we have two DNS servers in the environment, both on the same subnet, which is a firewalled VLAN on the FWSM.
I am seeing these DNS errors on reply traffic from those servers to other VLANs/subnets on the same FWSM
It appears as though this "dns guard" feature cannot be turned off yes?
11-29-2012 08:49 AM
Hello Colin,
Exactly,
This is because of the DNS guard feature.. One of your local DNS servers is replying later than the other DNS so as the ASA already received a DNS reply from one DNS server the other one will be dropped.
So this message can be safely ignored
Let me know if you do understand what I mean
Julio
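To check that explanation against the actual syslog rather than guessing, here is an added Python example (not from this thread or from Cisco) that tallies the "Deny inbound UDP ... due to DNS Response" lines per DNS server and per client socket: if nearly all denies come from one server and each client port shows up once, that fits the "slower server's reply dropped by DNS guard" picture, while repeated denies to the same socket from the same server point at something else (retransmits, or replies over the inspection length limit). The sample lines are constructed; the second server 172.25.59.107 and every line except the one quoted in the question are made up.

```python
import re
from collections import Counter, defaultdict

# Body of the FWSM deny message quoted in the question (no syslog header assumed).
DENY_RE = re.compile(
    r"Deny inbound UDP from (?P<src>[\d.]+)/(?P<sport>\d+) "
    r"to (?P<dst>[\d.]+)/(?P<dport>\d+) due to DNS Response"
)

def parse_dns_denies(lines):
    """Extract (server, client, client_port) from each matching deny line."""
    events = []
    for line in lines:
        m = DENY_RE.search(line)
        if m and m.group("sport") == "53":  # only replies sourced from UDP/53
            events.append((m.group("src"), m.group("dst"), int(m.group("dport"))))
    return events

def summarize(events):
    """Tally denied replies per DNS server and flag client sockets hit more than once."""
    per_server = Counter(server for server, _, _ in events)
    per_socket = defaultdict(list)
    for server, client, port in events:
        per_socket[(client, port)].append(server)
    # A socket denied twice cannot be the "second server answered late" case alone.
    repeated = {sock: srvs for sock, srvs in per_socket.items() if len(srvs) > 1}
    total = sum(per_server.values())
    top_count = per_server.most_common(1)[0][1] if per_server else 0
    return {
        "total": total,
        "per_server": dict(per_server),
        "top_server_share": (top_count / total) if total else 0.0,
        "repeated_sockets": repeated,
    }

def report(lines):
    return summarize(parse_dns_denies(lines))

# Constructed sample log: first line is the one from the question, the rest are invented.
SAMPLE_LOG = [
    "Deny inbound UDP from 172.25.59.106/53 to 172.25.55.11/56465 due to DNS Response",
    "Deny inbound UDP from 172.25.59.106/53 to 172.25.55.12/50123 due to DNS Response",
    "Deny inbound UDP from 172.25.59.106/53 to 172.25.55.20/61002 due to DNS Response",
    "Deny inbound UDP from 172.25.59.107/53 to 172.25.55.11/56470 due to DNS Response",
    "Deny inbound UDP from 172.25.59.107/53 to 172.25.55.11/56470 due to DNS Response",
    "Deny inbound TCP from 172.25.59.106/445 to 172.25.55.11/49152",  # ignored: not a DNS reply
]

if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```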
11-29-2012 06:20 AM
DNS-Guard can be disabled. On the ASDM go to device management, advanced, DNS and from in that location untick the DNS-guard box
Best Regards
Ju
Sent from Cisco Technical Support iPhone App
11-29-2012 07:09 AM
that goes back to my original thought. Once you disable inspecting DNS "no fixup protocol 53 dns", shouldn't that turn OFF dns-guard as well?
11-29-2012 08:20 AM
Yes,
But not on a FWSM running a 3.2 code.
Regards
Ju
Sent from Cisco Technical Support iPhone App