inspect dns

kp-tkr2014
Level 1

Hi,

Is there any impact of disabling DNS inspection on the ASA, or in what scenarios do we have to remove it?

policy-map global_policy
 class inspection_default
  no inspect dns

Thanks

8 Replies

balaji.bandi
Hall of Fame

ASA point of view:

DNS Inspection

DNS inspection on the ASA is enabled by default and performs a number of different functions that many people might not even recognize. When enabled, DNS inspection makes the life of the ASA administrator much easier and keeps the relationship with the DNS administrators and the internal user base much happier. Functions that it provides include the following:

  • Translates DNS record information based on the configuration of the NAT commands alias, static, and nat; this is referred to often as DNS rewrite. This translation affects only DNS A records and does not affect DNS PTR records.
  • Enforces a maximum DNS message length. (The default is 512 bytes.)
  • Enforces the domain name length of 255 bytes.

DNS inspection can also be used to control the behavior of the ASA based on a number of different traffic-matching criteria.

I'm not sure what the reason is that you would like to disable it, unless you see any reason here.

The ASA keeps a connection table for UDP connections to dynamically allow connections initiated from the inside to get a reply from the outside without getting blocked by the ASA. This is the nature of a stateful firewall. If you disable it, you need to have explicit ACL rules available for the DNS queries.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Hi,

"The ASA keeps a connection table for UDP connections to dynamically allow connections initiated from the inside to get a reply from the outside without getting blocked by the ASA. This is the nature of a stateful firewall. If you disable it, you need to have explicit ACL rules available for the DNS queries."

You mean if a client 10.0.2.10 is trying to access 8.8.8.8, then we need an ACL if we disable DNS inspection?

The reason I am trying to disable it:

I have a DNS filter policy in the FG firewall; it sends the DNS query to the FortiGate SDNS server to get the category of the requested DNS name.

 

Topology (image attached to the original post)

I captured the traffic on the ASA using ASDM.

Traffic capture settings:
Interface: OUTSIDE
Source (Outside): 45.75.200.89 (FortiGate SDNS IP)
Destination: 0.0.0.0

The FortiGate interface IP is 172.16.10.1.

NAT configured for FortiGate internet access:

nat (Inside,Outside) after-auto source dynamic 172.16.10.0 1.1.2.8

Captured egress Inside traffic attached.

The DNS reply is giving some error.

Does it mean the issue is from the ASA?

Is it the right way of capturing, or do we need to do anything else?

Thanks

Hi,

I've never had a reason at any of my customers to disable DNS inspection. Usually DNS inspection is removed because of a bug, or because it drops DNS requests and we don't know how to investigate and change the layer 7 default settings for DNS inspection. Perform packet captures on the ingress and egress points of the ASA for DNS traffic (comparing the live DNS traffic with the default DNS inspection settings could give the best hint on what parameters to change in order to fix it).

If you remove DNS inspection, DNS is UDP and DNS does not create secondary channels, so DNS will still work; the ASA will just treat the connection as UDP. This is, however, not recommended.

Regards,

Cristian Matei.

Hi @Cristian Matei

Thanks for the reply.

What do you mean by secondary channel? I have attached a packet capture in my previous post; the DNS query type is TXT record and the query response is giving a server failure error. So I was doubting the ASA is doing something.

How do I check whether the ASA drops certain traffic?

Thanks
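Added example, not from the thread or from Cisco: a small Python DNS decoder that reads the RCODE (the "server failure" the capture above shows is RCODE 2) and applies the two limits the earlier reply attributes to ASA DNS inspection, the 512-byte message length and the 255-byte domain name length. The name example.test, the transaction ID and all byte values are constructed for the demo.

```python
import struct

MAX_DNS_MESSAGE = 512   # default message-length limit named in the thread
MAX_DOMAIN_NAME = 255   # domain-name limit named in the thread (wire-format octets)
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def encode_qname(name):
    """Dotted name -> DNS label wire format (length byte + label, terminated by 0)."""
    out = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split("."))
    return out + b"\x00"

def decode_qname(msg, offset):
    """Labels at offset -> (dotted name, offset just past the terminating zero byte)."""
    labels = []
    while msg[offset] != 0:
        length = msg[offset]
        labels.append(msg[offset + 1:offset + 1 + length].decode())
        offset += 1 + length
    return ".".join(labels), offset + 1

def build_message(name, qtype=16, flags=0x0100, ident=0x1234):
    """12-byte header + one question, no answer records; qtype 16 = TXT, flags 0x0100 = plain query."""
    header = struct.pack("!HHHHHH", ident, flags, 1, 0, 0, 0)
    return header + encode_qname(name) + struct.pack("!HH", qtype, 1)

def parse_dns(msg):
    """Decode header flags and the first question; RCODE is the low 4 bits of the flags word."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    ident, flags = struct.unpack("!HH", msg[:4])
    qname, off = decode_qname(msg, 12)
    qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
    return {"id": ident, "is_response": bool(flags & 0x8000),
            "rcode": RCODES.get(flags & 0x000F, "RCODE%d" % (flags & 0x000F)),
            "qname": qname, "qname_wire_len": off - 12, "qtype": qtype}

def inspection_violations(msg):
    """Which of the two limits this message would trip (empty list = passes both)."""
    problems = []
    if len(msg) > MAX_DNS_MESSAGE:
        problems.append("message-length")
    if parse_dns(msg)["qname_wire_len"] > MAX_DOMAIN_NAME:
        problems.append("domain-name-length")
    return problems

# Constructed sample: a TXT query for a made-up name answered with SERVFAIL
# (flags 0x8182 = QR, RD and RA set, RCODE 2), like the reply described in the thread.
SERVFAIL_REPLY = build_message("example.test", qtype=16, flags=0x8182)
```

A SERVFAIL that passes both checks came from the resolver itself, not from the inspection limits; an oversized message or an over-long name is what the inspection engine would act on.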

 

 

"You mean if a client 10.0.2.10 is trying to access 8.8.8.8, then we need an ACL if we disable DNS inspection?"

Yes, you need an ACL for the DNS to get queried to 8.8.8.8 if you have implicit deny rules in place, unless you are doing NAT here.

I looked at your capture; it does not give enough information apart from server failure. Not sure what query you are doing there.

The best thing is to try nslookup and see if you are able to get queries back from the DNS server after disabling DNS inspection.

BB

Hi @balaji.bandi

"Yes, you need an ACL for the DNS to get queried to 8.8.8.8 if you have implicit deny rules in place, unless you are doing NAT here."

I am sorry, I did not get this part; it would be great if you could give an example.

Thanks

 

What I was trying to explain was:

From your PC, when you do nslookup, are you able to get a query back for the DNS resolution of cisco.com or google.com?

If yes, then there are NAT or ACL rules in place to get your DNS query from inside to outside.

If that fails, the FW denies by default, so my suggestion is that you are required to allow ACL rules for the DNS queries to be sent to the outside.

We are not sure how your network is set up; I have seen in that post that you also have a FortiGate, and also an ASA FW?

BB

Hi,

"If yes, then there are NAT or ACL rules in place to get your DNS query from inside to outside."

Yes, I have dynamic NAT there in place.

When you say NAT or ACL for the query, how is that possible without NAT if the DNS server is reachable only via a public IP (8.8.8.8)?

The FortiGate interface IP is 172.16.10.1.
NAT configured for FortiGate internet access:
nat (Inside,Outside) after-auto source dynamic 172.16.10.0 1.1.2.8

The FortiGate is in router mode, so it sends all internet traffic to the ASA.

Thanks
