EDNS packets (> 512B) being dropped by FTD inspection

Micccc4
Level 1

Hi Everyone,

Customer is enabling EDNS, which uses > 512 B packets.

These are then dropped by the inspection policy pasted at the bottom.

What would be the best way to bypass this inspection?

1. Disabling 'inspect dns' via FlexConfig - that is something I'd rather avoid, since the FW is also supporting other types of DNS flows which we want to inspect.

2. Is there a way to edit that maximum packet size?

3. I tried including that specific traffic in the Prefilter policy, but that did not bypass this inspection.

Any thoughts? Thanks in advance

policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  **message-length maximum 512**
  no tcp-inspection
policy-map type inspect ip-options UM_STATIC_IP_OPTIONS_MAP
 parameters
  eool action allow
  nop action allow
  router-alert action allow
policy-map global_policy
 class inspection_default
  **inspect dns preset_dns_map**
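As an added, self-contained example (not from the thread or from Cisco), this Python script builds constructed EDNS0 queries and responses, reads the UDP payload size a client advertises in its OPT pseudo-record, and models the `message-length maximum 512` check of the preset_dns_map above as a plain length comparison (an assumption about the inspection logic, not Cisco's implementation). It shows why a DNSSEC/EDNS answer a few dozen records long is dropped while a classic sub-512-byte one passes.

```python
import struct
from typing import List, Optional
OPT_TYPE = 41  # EDNS0 OPT pseudo-RR (RFC 6891)

def _encode_name(name: str) -> bytes:
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"

def _skip_name(buf: bytes, off: int) -> int:
    """Advance past a (possibly compressed) domain name."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer is two bytes long
            return off + 2
        off += 1 + length

def build_query(name: str, edns_size: Optional[int] = None) -> bytes:
    """Constructed A query; an OPT RR advertising edns_size is appended when given."""
    hdr = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 1 if edns_size else 0)
    question = _encode_name(name) + struct.pack("!HH", 1, 1)
    # OPT RR: root name, TYPE=41, CLASS field carries the UDP payload size, TTL=0, RDLEN=0
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, edns_size, 0, 0) if edns_size else b""
    return hdr + question + opt

def build_response(query: bytes, addrs: List[str], edns_size: Optional[int] = None) -> bytes:
    """Constructed response: one A record per address, OPT RR echoed if requested."""
    qend = _skip_name(query, 12) + 4
    hdr = query[:2] + struct.pack("!HHHHH", 0x8180, 1, len(addrs), 0, 1 if edns_size else 0)
    answers = b"".join(  # name is a pointer to the question name at offset 12
        b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes(int(o) for o in a.split("."))
        for a in addrs)
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, edns_size, 0, 0) if edns_size else b""
    return hdr + query[12:qend] + answers + opt

def edns_udp_size(packet: bytes) -> Optional[int]:
    """Return the UDP payload size advertised in the OPT RR, or None if there is none."""
    qd, an, ns, ar = struct.unpack("!HHHH", packet[4:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(packet, off) + 4
    for _ in range(an + ns + ar):
        off = _skip_name(packet, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", packet[off:off + 10])
        if rtype == OPT_TYPE:
            return rclass
        off += 10 + rdlen
    return None

def inspection_verdict(packet: bytes, max_len: int = 512) -> str:
    """Assumed model of 'message-length maximum <n>': drop any DNS message longer than n."""
    return "drop" if len(packet) > max_len else "pass"
```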

5 Replies

tvotna
Spotlight

I guess the only way is to somehow create new inspection policy with Flexconfig and apply it. DNS inspection is a feature of Lina, so prefilter policy won't help here.

policy-map type inspect dns new_dns_map
 parameters
  no message-length maximum client
  no message-length maximum
  no message-length maximum server

policy-map global_policy
 class inspection_default
  inspect dns new_dns_map

 

Your config is correct, but you need to inspect DNS under a new class, not under the default class map.

Example:

policy-map global_policy
 class inspection_default
  no inspect dns
 class-map inspect_dns
  inspect dns
service-policy global_policy global

karenr022
Level 1

It seems the issue lies in the inspection policy that restricts DNS packet sizes to a maximum of 512 bytes, causing the dropping of packets larger than that size due to the default DNS inspection configuration on your firewall.

policy-map type inspect dns custom_dns_map
 parameters
  message-length maximum 65535
  no tcp-inspection

Then, apply this custom policy specifically to the traffic that requires EDNS support:

policy-map global_policy
 class inspection_default
  inspect dns custom_dns_map

 

Micccc4
Level 1

Thanks for your comments @tvotna @karenr022 @MHM Cisco World - in the end I have used the predefined FlexConfig template in FMC to disable DNS inspection to get DNSSEC to work (it worked fine). I did not manage to change the maximum message-length, though, but that is probably something wrong with my FlexConfig most

Glad your issue is solved.

Have a nice day 

MHM
