11-17-2020 04:38 AM
I have been working to 'take over' a turnkey network that was built for our company. In the configuration update template, I added our corporate DNS servers, domain name, and enabled DNS lookup. When testing the name lookups, it did not work right away due to the heavy use of the zone-based firewall. I added 'udp 53' where needed, but still no luck. Looking at the syslogs, I was surprised to see this:
003736: Nov 16 14:49:13.805 EST: %IOSXE-6-PLATFORM: SIP0: cpp_cp: QFP:0.0 Thread:000 TS:00003098400806902881 %FW-6-DROP_PKT: Dropping tcp pkt from internal0/0/rp:0 10.38.134.102:55711 => 10.70.0.1:53(target:class)-(zp-self-WAN:class-default) due to Policy drop:classify result with ip ident 47559 tcp flag 0x2, seq 2937331081, ack 0
For the test dns lookup that I did, the router shows that a TCP/53 message was blocked by the ZBF. I know that zone transfers are typically done on this port, but this was a simple name resolution request, and I was expecting UDP/53. This has me stumped, and I appreciate any guidance that might be forthcoming!
11-17-2020 05:13 AM
Hello,
Actually, DNS increasingly uses TCP port 53. The article below has a pretty good explanation:
https://www.infoblox.com/dns-security-resource-center/dns-security-faq/is-dns-tcp-or-udp-port-53/
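Added example (not part of this thread and not Cisco's or Infoblox's code): a small Python resolver that shows the mechanism behind the TCP/53 packet in the log above. A stub resolver sends the query over UDP first; if the reply header has the TC (truncated) bit set, because the full answer did not fit in the UDP payload, the resolver repeats the same query over TCP/53, where every message carries a 2-byte length prefix (RFC 1035; RFC 7766 makes TCP support mandatory). The server address is taken from the command line, the truncated reply is a constructed sample, and example.com is only a placeholder name; all three are assumptions for illustration.

```python
"""DNS over UDP with fallback to TCP/53 on a truncated (TC=1) reply."""
import socket
import struct
import sys

DNS_PORT = 53
QTYPE_A = 1


def build_query(name: str, qtype: int = QTYPE_A, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS query: 12-byte header (RD=1) plus one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # qclass IN


def parse_header(msg: bytes) -> dict:
    """Parse the DNS header. TC is bit 9 of the flags word (mask 0x0200)."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),
        "tc": bool(flags & 0x0200),
        "rcode": flags & 0x000F,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def choose_transport(udp_reply: bytes) -> str:
    """From a UDP reply alone, decide whether the client must retry over TCP."""
    return "tcp" if parse_header(udp_reply)["tc"] else "udp"


def tcp_frame(msg: bytes) -> bytes:
    """On TCP/53 each message is prefixed with its length as a 16-bit big-endian int."""
    return struct.pack("!H", len(msg)) + msg


def tcp_unframe(data: bytes) -> bytes:
    """Strip the TCP length prefix; raise if the body is incomplete."""
    (length,) = struct.unpack("!H", data[:2])
    body = data[2:2 + length]
    if len(body) != length:
        raise ValueError("incomplete TCP DNS message")
    return body


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf


def query_udp(server: str, q: bytes, timeout: float = 2.0) -> bytes:
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, DNS_PORT))
        reply, _ = s.recvfrom(4096)
    return reply


def query_tcp(server: str, q: bytes, timeout: float = 2.0) -> bytes:
    # This is the TCP SYN to port 53 that a firewall permitting only udp/53 drops.
    with socket.create_connection((server, DNS_PORT), timeout=timeout) as s:
        s.sendall(tcp_frame(q))
        (length,) = struct.unpack("!H", _recv_exact(s, 2))
        return _recv_exact(s, length)


def resolve(server: str, name: str, qtype: int = QTYPE_A) -> tuple:
    """UDP first; on TC=1 repeat the identical query over TCP/53."""
    q = build_query(name, qtype)
    reply = query_udp(server, q)
    transport = choose_transport(reply)
    if transport == "tcp":
        reply = query_tcp(server, q)
    return transport, parse_header(reply)


# Constructed sample (not a captured packet): the example.com query answered with
# QR=1, RD=1, RA=1, TC=1 and no answer records, i.e. "retry over TCP".
TRUNCATED_REPLY = (b"\x12\x34" + b"\x83\x80" + b"\x00\x01\x00\x00\x00\x00\x00\x00"
                   + build_query("example.com")[12:])

if __name__ == "__main__":
    print("sample reply -> transport:", choose_transport(TRUNCATED_REPLY))
    if len(sys.argv) > 1:  # optional live test: python dns_tc.py <server-ip> [name]
        print(resolve(sys.argv[1], sys.argv[2] if len(sys.argv) > 2 else "example.com"))
```

Run it without arguments to see the offline decision on the constructed reply; with a server address it performs the live UDP query and, only if that reply is truncated, the TCP retry. If the zone-based firewall permits only udp/53 between the self zone and the WAN, the live run stalls exactly at the TCP connect, which is the drop the syslog line in the question reports.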
11-17-2020 07:43 AM
Interesting article. Does make me wonder if host has enabled PMTUD, whether host will then try using a UDP packet that matches the host's local network connection's MTU.