DNS dropped because packets too big for configured 512?

Sep 14th, 2007

192.33.4.12 master Dropped UDP DNS reply from outside:192.33.4.12/53 to inside:master/53; packet length 536 bytes exceeds configured limit of 512 bytes

Should I increase my configured length, or is this an attempt at an exploit of some sort?

TIA!

JORGE RODRIGUEZ Fri, 09/14/2007 - 18:53

You can safely increase the DNS packet length to 1500; 512 is the default.

"fixup protocol dns maximum-length 1500"

Background: fixup protocol dns

Use the fixup protocol dns command to specify the maximum DNS packet length. DNS requires application inspection so that DNS queries are not subject to the generic UDP handling based on activity timeouts. Instead, UDP connections associated with DNS queries and responses are torn down as soon as a reply to a DNS query has been received.

The port assignment for the Domain Name System (DNS) is not configurable.

Set the maximum length for the DNS fixup as shown in the following example:

pixfirewall(config)# fixup protocol dns maximum-length 1500

pixfirewall(config)# show fixup protocol dns

fixup protocol dns maximum length 1500

Jorge
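Before raising the limit it helps to know which servers are sending the oversized replies and how large they are. The following is an added Python example, not code from this thread or from Cisco: it parses the drop message format quoted in the question, summarises the drops per source server, and reports the smallest maximum-length that would pass them, capped at the 1500 bytes from the answer above. The sample log lines are constructed here (only the first is from the question) and the 198.51.100.7 address is a placeholder.

```python
import re
from collections import defaultdict

# Message format is the one quoted in the question; sample lines are constructed.
DROP_RE = re.compile(
    r"Dropped UDP DNS reply from (?P<src_if>\w+):(?P<src>[\w.]+)/(?P<sport>\d+)"
    r" to (?P<dst_if>\w+):(?P<dst>[\w.]+)/(?P<dport>\d+); packet length"
    r" (?P<length>\d+) bytes exceeds configured limit of (?P<limit>\d+) bytes"
)

# Constructed sample log: first line is the message from the question; the rest
# add a second reply size, a source still over 1500 bytes, and an unrelated line.
SAMPLE_LOG = [
    "Dropped UDP DNS reply from outside:192.33.4.12/53 to inside:master/53; "
    "packet length 536 bytes exceeds configured limit of 512 bytes",
    "Dropped UDP DNS reply from outside:192.33.4.12/53 to inside:master/53; "
    "packet length 610 bytes exceeds configured limit of 512 bytes",
    "Dropped UDP DNS reply from outside:198.51.100.7/53 to inside:master/53; "
    "packet length 2048 bytes exceeds configured limit of 512 bytes",
    "Built inbound UDP connection 12345 for outside:198.51.100.7/53 (...)",
]

def parse_drop(line):
    """Fields of one drop message as a dict, or None if the line is not one."""
    m = DROP_RE.search(line)
    if m is None:
        return None
    # Numeric fields (ports, length, limit) become ints; names stay strings.
    return {k: int(v) if v.isdigit() else v for k, v in m.groupdict().items()}

def summarize(lines):
    """Per source server: count of dropped replies and the largest one seen."""
    stats = defaultdict(lambda: {"drops": 0, "max_length": 0})
    for line in lines:
        d = parse_drop(line)
        if d is None:
            continue
        s = stats[d["src"]]
        s["drops"] += 1
        s["max_length"] = max(s["max_length"], d["length"])
    return dict(stats)

def recommend_limit(stats, ceiling=1500):
    """Smallest maximum-length passing every dropped reply, capped at the 1500
    bytes from the answer; sources above the cap are listed for review."""
    needed = max((s["max_length"] for s in stats.values()), default=0)
    still = sorted(src for src, s in stats.items() if s["max_length"] > ceiling)
    return {"limit": min(needed, ceiling), "still_dropped": still}
```

Sources that remain in `still_dropped` after the limit is set to 1500 are worth looking at individually rather than raising the limit further.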

kcaporaso Sat, 09/15/2007 - 04:30

Thanks again, Jorge! Trying to understand the ASA better. BTW, the "show fixup protocol dns" command doesn't seem to work on my ASA 5505, but it did take the fixup to the allowed length!

Result of the command: "show fixup protocol dns"

show fixup protocol dns

^

ERROR: % Invalid input detected at '^' marker.
