2023 Views, 10 Helpful, 2 Replies

Denials due to DNS response

wdoellefeld
Level 1

Hi,

I'm getting the following spammed into my syslog all of a sudden from our PIX. The inbound port is always the same but the receiving port varies.

%PIX-2-106007: Deny inbound UDP from 204.117.214.10/53 to 63.xxx.xxx.xxx/21465 due to DNS Response.

My understanding is that the PIX has something called DNS guard (which I can't turn off) and it matches DNS responses to DNS requests and only allows the first DNS request back in. I assume that this is what is blocking it? How can I prevent continuous errors?

If anyone can shed some light for a new PIX user I would appreciate it. Thanks.

204.117.214.10 is our ISP (sprint) btw.

1 Accepted Solution

gfullage
Cisco Employee

The DNS Guard within the PIX does a couple of things, one is that when it sees the DNS request go out, and when it sees the DNS response come back in, it verifies that they match up together, and closes down that opening straight away. So basically you can only have one response per request come back through, any subsequent response will be denied and you'll see this error.

The usual cause of this error is that 204.117.214.10 took too long to respond, and the query was answered by another DNS server. When that response went through the PIX, the PIX closed down the session, and the later response from 204.117.214.10 was denied. Not usually anything to worry about.

In 6.3 code you can turn off the DNS Guard, although I wouldn't recommend this, because it means DNS packets will be treated as standard UDP packets and time out after 2 minutes rather than straight after the DNS Response. If you do a lot of DNS queries then this will dramatically increase your xlate and conn count, so you'll want to keep an eye on it. The command to turn it off is:

no fixup protocol dns

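The behaviour Glenn describes (one pinhole per outbound query, closed by the first matching reply, any later reply denied and logged as 106007, versus a plain two-minute UDP conn with the guard off) is easier to see as a small state machine. The model below is an added illustration, not Cisco code: the pinhole table, the assumption that it is keyed on the inside host's address and UDP source port, the 120-second idle timeout, and every address except the ISP resolver quoted in the post are constructed for the example. It also includes a small parser that counts 106007 denials per outside resolver, which is what you would watch if you wanted to tell a consistently slow resolver apart from background noise.

```python
"""Toy model of PIX DNS Guard pinhole handling (added example, not Cisco code)."""
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class UdpPacket:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class PixUdpState:
    """Minimal stateful UDP model with an optional DNS Guard.

    Assumption: a pinhole is keyed on the inside host's (address, port).
    DNS Guard on  -> the first reply through the pinhole tears it down;
                     any later reply is denied and logged as 106007.
    DNS Guard off -> the pinhole behaves like plain UDP and lives until
                     the idle timeout (two minutes in the post).
    """

    def __init__(self, dns_guard=True, udp_idle_timeout=120.0):
        self.dns_guard = dns_guard
        self.udp_idle_timeout = udp_idle_timeout
        self.conns = {}      # (inside_ip, inside_port) -> expiry time in seconds
        self.syslog = []

    def _expire(self, now):
        self.conns = {k: t for k, t in self.conns.items() if t > now}

    def outbound(self, pkt, now):
        """Inside host sends a DNS query: open (or refresh) its pinhole."""
        self._expire(now)
        self.conns[(pkt.src_ip, pkt.src_port)] = now + self.udp_idle_timeout

    def inbound(self, pkt, now):
        """A reply arrives from outside; return True if it is permitted."""
        self._expire(now)
        key = (pkt.dst_ip, pkt.dst_port)
        if key not in self.conns:
            self.syslog.append(
                f"%PIX-2-106007: Deny inbound UDP from {pkt.src_ip}/{pkt.src_port} "
                f"to {pkt.dst_ip}/{pkt.dst_port} due to DNS Response."
            )
            return False
        if self.dns_guard:
            del self.conns[key]                    # close the opening straight away
        else:
            self.conns[key] = now + self.udp_idle_timeout   # plain UDP: keep it open
        return True

    def conn_count(self):
        return len(self.conns)


ISP_RESOLVER = "204.117.214.10"        # the ISP resolver named in the post
BACKUP_RESOLVER = "198.51.100.53"      # constructed second resolver
INSIDE_HOST = ("203.0.113.10", 21465)  # constructed; the post masks the real address


def slow_resolver_scenario(dns_guard=True):
    """Query goes to the ISP resolver, is retried to a backup from the same
    source port, the backup answers first, then the ISP's late answer arrives.
    Returns (first_reply_allowed, late_reply_allowed, syslog, open_conns)."""
    fw = PixUdpState(dns_guard=dns_guard)
    host_ip, host_port = INSIDE_HOST
    fw.outbound(UdpPacket(host_ip, host_port, ISP_RESOLVER, 53), now=0.0)
    fw.outbound(UdpPacket(host_ip, host_port, BACKUP_RESOLVER, 53), now=1.0)
    first_ok = fw.inbound(UdpPacket(BACKUP_RESOLVER, 53, host_ip, host_port), now=1.2)
    late_ok = fw.inbound(UdpPacket(ISP_RESOLVER, 53, host_ip, host_port), now=3.5)
    return first_ok, late_ok, fw.syslog, fw.conn_count()


DENY_106007 = re.compile(
    r"%PIX-2-106007: Deny inbound UDP from (?P<src>[\d.]+)/(?P<sport>\d+) "
    r"to (?P<dst>[\d.]+)/(?P<dport>\d+) due to DNS Response"
)

# Constructed syslog sample: the line from the post plus a few invented neighbours.
SAMPLE_SYSLOG = [
    "%PIX-2-106007: Deny inbound UDP from 204.117.214.10/53 to 203.0.113.10/21465 due to DNS Response.",
    "%PIX-6-302015: Built outbound UDP connection 4711 for outside:198.51.100.53/53 to inside:10.0.0.25/21466",
    "%PIX-2-106007: Deny inbound UDP from 204.117.214.10/53 to 203.0.113.10/30012 due to DNS Response.",
    "%PIX-2-106007: Deny inbound UDP from 198.51.100.53/53 to 203.0.113.10/40555 due to DNS Response.",
]


def late_responders(syslog_lines):
    """Count 106007 denials per outside resolver so a slow one stands out."""
    counts = Counter()
    for line in syslog_lines:
        m = DENY_106007.search(line)
        if m:
            counts[m.group("src")] += 1
    return counts


if __name__ == "__main__":
    print("guard on :", slow_resolver_scenario(dns_guard=True))
    print("guard off:", slow_resolver_scenario(dns_guard=False))
    print("denials per resolver:", late_responders(SAMPLE_SYSLOG))
```

With the guard on, the backup's reply is accepted, the ISP's reply is denied with exactly the message from the post, and no conn is left behind; with the guard off, both replies pass but the conn stays in the table until the idle timeout, which is the xlate/conn growth Glenn warns about.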

2 Replies

Thank you much Glenn! Answered all my questions. I will not be turning it off by the way.