Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1057
Views
0
Helpful
1
Replies

Does Cisco FirePower FTD or FMC support EDNS extension?

Lamin
Level 1
Level 1

‎03-15-2022 09:38 AM

Hi all,

 

What:

I have a policy in firewall for a domain controller that needs to communicate with another domain controller.

The source is sending a high DNS over UDP payload (> 512 bytes). The DNS reply to fragmented as the payload is larger than the MTU,  the client receives part of the DNS response with the More Fragments flag bit set to "1" but never receives the next fragment.

The DC servers (source and destination servers) support the EDNS0 (RFC 6891) extension. 

 

My question here is - does Cisco FTD/FMC support this extension?

If the above is true, I have the following question if you could kindly assist with:

How do you find out default MTU size allowed for DNS traffic flow?

How can this be changed and/or what are the possible security implications?

Is this configured on FTD or somewhere within FMC?

 

Thank you in advance.

0 Helpful
1 Reply 1

Octavian Szolga
Level 4
Level 4

‎03-16-2022 06:38 AM - edited ‎03-16-2022 06:39 AM

Hi,

I don't think it supports EDNS even though I'm not 100% sure, but I belive that because Cisco Umbrella also uses EDNS and best practice says that you should disable that traffic from ASA and or Firepower inspection.

 

Cisco Umbrella and ASA FirePOWER processing are not compatible for a given connection. If you want to use both services, you must exclude UDP/53 and UDP/443 from ASA FirePOWER processing. For more details, see Cisco ASA documentation.

The Umbrella connector is apart of the ASA's DNS inspection engine. If your existing DNS inspection policy map decides to block or drop a request based on your DNS inspection settings, the request is not forwarded to Umbrella.

This allows for two lines of protection: your local DNS inspection policy and your Umbrella cloud-based DNS inspection policy.

When redirecting DNS queries to Umbrella, the Umbrella connector includes an EDNS (Extension mechanisms for DNS) record. An EDNS record contains the device ID, organization ID, and client IP address. This information is used by your Umbrella policy to determine whether to block or allow traffic.

https://support.umbrella.com/hc/en-us/articles/230562207-Cisco-ASA-Firewall-blocks-DNSCrypt

 

By default, on FTD you have the following DNS inspection parameters:

 

policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection

 

BR,

Octavian

 

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card