DNS dropped because packets too big for configured 512?

Unanswered Question
Sep 14th, 2007
Dropped UDP DNS reply from outside: to inside:master/53; packet length 536 bytes exceeds configured limit of 512 bytes

Should I increase my configured length or is this an attempt at an exploit of some sort??


JORGE RODRIGUEZ Fri, 09/14/2007 - 18:53

You can safely increase the DNS packet length to 1500; 512 is the default.

"fixup protocol dns maximum-length 1500"

Background: fixup protocol dns

Use the fixup protocol dns command to specify the maximum DNS packet length. DNS requires application inspection so that DNS queries are not subject to the generic UDP handling based on activity timeouts. Instead, UDP connections associated with DNS queries and responses are torn down as soon as a reply to a DNS query has been received.

The port assignment for the Domain Name System (DNS) is not configurable.

Set the maximum length for the DNS fixup as shown in the following example:

pixfirewall(config)# fixup protocol dns maximum-length 1500

pixfirewall(config)# show fixup protocol dns

fixup protocol dns maximum length 1500
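As an added example (not code from this thread or from Cisco), the following Python script parses firewall syslog lines of the shape quoted in the question and separates replies that are merely larger than the 512-byte default, which is the normal effect of EDNS0 and exactly what raising the fixup limit addresses, from sizes that no resolver would advertise in a single UDP reply. The sample log lines, the RFC 5737 addresses in them, the 4096-byte EDNS0 ceiling and the candidate limit values are constructed assumptions; 1500 is the value the answer above suggests.

```python
import re
from collections import Counter

# Constructed sample syslog lines in the shape of the ASA/PIX "Dropped UDP DNS
# reply" message quoted in the question. Addresses are documentation ranges.
SAMPLE_LOGS = [
    "Dropped UDP DNS reply from outside:203.0.113.10/53 to inside:192.0.2.5/53; "
    "packet length 536 bytes exceeds configured limit of 512 bytes",
    "Dropped UDP DNS reply from outside:203.0.113.10/53 to inside:192.0.2.5/40123; "
    "packet length 1232 bytes exceeds configured limit of 512 bytes",
    "Dropped UDP DNS reply from outside:198.51.100.7/53 to inside:192.0.2.5/40124; "
    "packet length 9000 bytes exceeds configured limit of 1500 bytes",
    "Built UDP connection for outside:203.0.113.10/53 to inside:192.0.2.5/40125",
]

DNS_DROP_RE = re.compile(
    r"Dropped UDP DNS reply from (?P<src_if>\w+):(?P<src>[\w.:-]+)/(?P<sport>\d+) "
    r"to (?P<dst_if>\w+):(?P<dst>[\w.:-]+)/(?P<dport>\d+); "
    r"packet length (?P<length>\d+) bytes exceeds configured limit of (?P<limit>\d+) bytes"
)

# Assumed thresholds: 4096 bytes is the largest UDP payload size resolvers
# commonly advertise via EDNS0; the steps are candidate values for the fixup
# limit (1500 is the value recommended in the answer above).
EDNS0_COMMON_MAX = 4096
FIXUP_LENGTH_STEPS = (512, 1500, 4096)


def parse_dns_drop(line):
    """Return the fields of a DNS oversize-drop message, or None for other lines."""
    m = DNS_DROP_RE.search(line)
    if not m:
        return None
    ev = m.groupdict()
    for key in ("sport", "dport", "length", "limit"):
        ev[key] = int(ev[key])
    return ev


def classify(ev):
    """Label one drop: 'edns0_oversize' (plausible, raise the limit) or 'anomalous'."""
    if ev["length"] <= ev["limit"]:
        return "inconsistent"  # the message claims a drop the sizes do not justify
    if ev["length"] <= EDNS0_COMMON_MAX:
        return "edns0_oversize"
    return "anomalous"


def suggested_limit(ev):
    """Smallest candidate fixup limit that would have admitted this reply, or None."""
    for step in FIXUP_LENGTH_STEPS:
        if ev["length"] <= step:
            return step
    return None


def summarize(lines):
    """Count verdicts and sources, and compute the fixup limit plausible drops need."""
    verdicts, per_source, needed = Counter(), Counter(), 0
    for line in lines:
        ev = parse_dns_drop(line)
        if ev is None:
            continue  # not a DNS oversize drop; ignore
        verdict = classify(ev)
        verdicts[verdict] += 1
        per_source[ev["src"]] += 1
        if verdict == "edns0_oversize":
            needed = max(needed, suggested_limit(ev))
    return {
        "verdicts": dict(verdicts),
        "per_source": dict(per_source),
        "suggested_limit": needed,
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOGS)
    print(report)
    if report["suggested_limit"] > 512:
        print(f"fixup protocol dns maximum-length {report['suggested_limit']}")
```

The split matters because the two classes call for different responses: replies up to the common EDNS0 sizes are the expected reason for this message and are fixed by the configuration change Jorge gives, while a reported length far beyond anything a client would advertise deserves a look at the source before the limit is raised to admit it.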


kcaporaso Sat, 09/15/2007 - 04:30

Thanks again, Jorge! Trying to understand the ASA better. BTW, the "show fixup protocol dns" command doesn't seem to work on my ASA 5505, but it did take the fixup to the allowed length!

Result of the command: "show fixup protocol dns"

show fixup protocol dns

ERROR: % Invalid input detected at '^' marker.
