05-25-2004 06:27 AM - edited 02-20-2020 11:25 PM
This really shouldn't be giving me this much trouble...
This morning I started seeing hundreds of the following log entry (destination port number differs, but the rest is the same):
Deny udp src outside:ns1_isp/53 dst inside:pix_ext/xxxxx by access-group "out"
ns1_isp is the dns server from our ISP. I assume that these are replies to dns requests. Why are they being blocked? Suddenly?
The access-list the log entry refers to is listed below, please help because I can't see anything that would cause this.
access-list out permit udp any host ns2_ext eq domain
access-list out permit udp any host ns1_ext eq domain
access-list out permit tcp any host ns1_ext eq smtp
access-list out permit tcp any host ns1_ext eq imap4
access-list out permit tcp any host ns1_ext eq www
access-group out in interface outside
ns1 & ns2 refer to an internal mail/dns server we are testing on the dmz.
Thanks in advance.
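The log line quoted above is the whole clue: UDP from port 53 to a changing high port, denied by the outside ACL, is the shape of a DNS answer that no longer matches an open connection. As an added example (not part of the original thread, and not a Cisco tool), the script below parses lines of that format, groups denied DNS-shaped replies by source and destination host, and counts how many distinct destination ports were hit, which is the "destination port number differs, but the rest is the same" pattern the poster describes. The function names, thresholds and the sample log lines are all constructed for this example; the only things taken from the thread are the message format and the hostnames.

```python
import re
from collections import Counter, defaultdict

# Layout of the PIX access-group deny message quoted in the thread:
#   Deny <proto> src <ifc>:<host>/<port> dst <ifc>:<host>/<port> by access-group "<acl>"
# search() rather than match() so a syslog prefix such as %PIX-4-106023: is tolerated.
DENY_RE = re.compile(
    r'Deny\s+(?P<proto>udp|tcp)\s+src\s+(?P<src_if>\w+):(?P<src>[\w.\-]+)/(?P<sport>\d+)\s+'
    r'dst\s+(?P<dst_if>\w+):(?P<dst>[\w.\-]+)/(?P<dport>\d+)\s+by\s+access-group\s+"(?P<acl>[^"]+)"'
)

# Assumption for this example: anything at or above this port is a client-side (reply) port.
EPHEMERAL_MIN = 1024


def parse_deny(line):
    """Return the fields of one deny line as a dict, or None if the line is not a deny."""
    m = DENY_RE.search(line)
    if m is None:
        return None
    entry = m.groupdict()
    entry["sport"] = int(entry["sport"])
    entry["dport"] = int(entry["dport"])
    return entry


def looks_like_dns_reply(entry):
    """UDP from port 53 to a high port has the shape of a DNS answer, not a query."""
    return entry["proto"] == "udp" and entry["sport"] == 53 and entry["dport"] >= EPHEMERAL_MIN


def summarize(lines):
    """Group denied DNS-shaped replies by (src host, dst host, acl) and count distinct dst ports."""
    counts = Counter()
    ports = defaultdict(set)
    other_denies = 0
    for line in lines:
        entry = parse_deny(line)
        if entry is None:
            continue
        if looks_like_dns_reply(entry):
            key = (entry["src"], entry["dst"], entry["acl"])
            counts[key] += 1
            ports[key].add(entry["dport"])
        else:
            other_denies += 1
    return {
        "dns_reply_denies": dict(counts),
        "distinct_dst_ports": {k: len(v) for k, v in ports.items()},
        "other_denies": other_denies,
    }


def triage(summary, min_count=10, min_ports=5):
    """Flag source hosts whose port-53 replies are being denied across many client ports.

    Many distinct destination ports from one resolver means many separate queries lost
    their answers, which points at the firewall's UDP/DNS handling (the DNS fixup length
    limit or the UDP connection ageing out) rather than at a single bad query.
    """
    findings = []
    for key, n in summary["dns_reply_denies"].items():
        if n >= min_count and summary["distinct_dst_ports"][key] >= min_ports:
            src, dst, acl = key
            findings.append(
                f"{n} DNS replies from {src}:53 to {dst} denied by ACL {acl} across "
                f"{summary['distinct_dst_ports'][key]} client ports: check DNS fixup "
                f"maximum-length and UDP connection timeout"
            )
    return findings


# Constructed sample log; hostnames follow the thread, ports and the tcp line are made up.
SAMPLE_LOG = [
    'Deny udp src outside:ns1_isp/53 dst inside:pix_ext/33001 by access-group "out"',
    '%PIX-4-106023: Deny udp src outside:ns1_isp/53 dst inside:pix_ext/33002 by access-group "out"',
    'Deny udp src outside:ns1_isp/53 dst inside:pix_ext/33002 by access-group "out"',
    'Deny tcp src outside:203.0.113.7/4455 dst dmz:ns1_ext/23 by access-group "out"',
    'some unrelated syslog line',
]

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print(report)
    for finding in triage(report, min_count=2, min_ports=2):
        print(finding)
```

Run it against a syslog export and compare the count of distinct destination ports with the number of resolver queries your inside hosts actually sent; if they track each other, every answer is being dropped, which is the case this thread ends up describing.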
05-25-2004 02:29 PM
Are they Windows 2003 servers by any chance? If so, it might be something to do with http://support.microsoft.com/default.aspx?scid=kb;en-us;828263&Product=winsvr2003
If it is you should be able to fix this by altering the maximum length of DNS query responses using the "fixup protocol dns maximum-length" command, or disable EDNS probes.
HTH
Kev
05-25-2004 06:30 PM
No windows servers - good thought though.
I do have "fixup protocol dns maximum-length 512" specified though.
05-26-2004 06:53 AM
The fixup for DNS blocks responses larger than 512 bytes. You either need to disable it or increase the length. A few DNS servers on the Internet, notably Yahoo, have too many servers in their responses and violate the RFC for max UDP DNS responses.
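To make the 512-byte point concrete, here is an added example (not from the thread and not Cisco's fixup implementation) that builds a minimal DNS answer on the wire with a chosen number of A records and checks its length against the limit that "fixup protocol dns maximum-length 512" enforces. It models only the length check; the real fixup inspects more than that. The query name, the addresses and the function names are constructed for this example.

```python
import struct

# RFC 1035 limit for DNS over UDP without EDNS0; also the value in the thread's fixup line.
MAX_UDP_DNS = 512

# Per-answer cost in bytes when the owner name is a compression pointer back to the question:
# pointer(2) + type(2) + class(2) + ttl(4) + rdlength(2) + IPv4 rdata(4)
A_RECORD_WIRE_LEN = 16


def encode_name(name):
    """Encode a dotted name as DNS labels: <len><label>...<0>."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_a_response(qname, addresses, txid=0x1234, ttl=300):
    """Build a DNS response (QR=1, RD=1, RA=1) answering qname with one A record per address."""
    # header: id, flags, qdcount, ancount, nscount, arcount
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addresses), 0, 0)
    # question: name, qtype A (1), qclass IN (1)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)
    answers = b""
    for ip in addresses:
        rdata = bytes(int(octet) for octet in ip.split("."))
        # 0xC00C is a compression pointer to offset 12, i.e. the question name
        answers += struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + rdata
    return header + question + answers


def answer_count(msg):
    """Read ANCOUNT back out of the header, to confirm the packet says what we built."""
    return struct.unpack("!HHHHHH", msg[:12])[3]


def passes_length_fixup(msg, max_len=MAX_UDP_DNS):
    """True if a length-only fixup with this maximum-length would let the datagram through."""
    return len(msg) <= max_len


def max_a_records_within(qname, max_len=MAX_UDP_DNS):
    """How many A records fit in one UDP answer for this name under the given limit."""
    fixed = 12 + len(encode_name(qname)) + 4
    return (max_len - fixed) // A_RECORD_WIRE_LEN


if __name__ == "__main__":
    # Constructed addresses from the documentation range; the name is a placeholder.
    qname = "www.example.com"
    addrs = ["198.51.100.%d" % i for i in range(1, 31)]
    for n in (max_a_records_within(qname), max_a_records_within(qname) + 1):
        msg = build_a_response(qname, addrs[:n])
        verdict = "passes" if passes_length_fixup(msg) else "DROPPED by maximum-length 512"
        print(f"{answer_count(msg)} A records -> {len(msg)} bytes: {verdict}")
```

For a 15-character name the arithmetic is 12 (header) + 17 (name) + 4 (qtype/qclass) = 33 fixed bytes, so 29 A records fit in 497 bytes and the 30th pushes the answer to 513 bytes, one over the limit. Raising the fixup's maximum-length (or disabling the fixup, as the reply above suggests) is what lets such replies back in; the cost is that the firewall no longer enforces the RFC size on DNS datagrams it sees.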
05-25-2004 06:05 PM
Can you post the static, nat, and global commands? The pix runs dns guard to prevent an answer from more than one dns server from coming back as a response to a request.
Did you notice the log entries as soon as you were testing the internal mail and dns on the DMZ?
05-26-2004 05:12 AM
global (outside) 1 interface
nat (inside) 0 access-list dmz
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (dmz,outside) ns1_ext ns1_dmz netmask 255.255.255.255 0 0
static (dmz,outside) ns2_ext ns2_dmz netmask 255.255.255.255 0 0
access-group out in interface outside
route outside 0.0.0.0 0.0.0.0 router 1
05-28-2004 07:23 AM
Are you still seeing the messages? I am thinking that they could be the result of the isp dns server(s) acting/responding slowly causing the pix to close the udp session before the response is sent.
You mentioned that the isp has two dns servers - were both of them being listed in the log messages?
05-28-2004 08:30 AM
Everything seems to be back to normal.
Your suggestion may in fact have been the case. The issue started prior to my changing anything, and silently corrected itself as well, which would seem to indicate the issue was not our equipment per se.