09-14-2007 12:06 PM - edited 03-05-2019 06:29 PM
192.33.4.12 master Dropped UDP DNS reply from outside:192.33.4.12/53 to inside:master/53; packet length 536 bytes exceeds configured limit of 512 bytes
Should I increase my configured length, or is this an attempt at an exploit of some sort?
TIA!
09-14-2007 06:53 PM
You can safely increase the DNS packet length to 1500; 512 is the default.
"fixup protocol dns maximum-length 1500"
Background: fixup protocol dns
Use the fixup protocol dns command to specify the maximum DNS packet length. DNS requires application inspection so that DNS queries are not subject to the generic UDP handling based on activity timeouts. Instead, UDP connections associated with DNS queries and responses are torn down as soon as a reply to a DNS query has been received.
The port assignment for the Domain Name System (DNS) is not configurable.
Set the maximum length for the DNS fixup as shown in the following example:
pixfirewall(config)# fixup protocol dns maximum-length 1500
pixfirewall(config)# show fixup protocol dns
fixup protocol dns maximum length 1500
Jorge
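As an added illustration (not code from this thread or from Cisco), the script below parses the syslog line quoted above, mirrors the firewall's length check, and constructs a DNS reply of exactly the size that was dropped. The regular expression for the log message, the hypothetical 31-record reply, and the test addresses are assumptions; a UDP DNS message over 512 bytes is legitimate when the client has advertised a larger buffer through an EDNS0 OPT record, which is what the constructed reply carries.

```python
import re
import struct

# Shape of the ASA/PIX drop message seen in this thread (assumption: regex built
# from the one quoted line, not from Cisco documentation).
ASA_DNS_DROP_RE = re.compile(
    r"Dropped UDP DNS reply from (?P<src>\S+) to (?P<dst>\S+); "
    r"packet length (?P<length>\d+) bytes exceeds configured limit of (?P<limit>\d+) bytes"
)


def parse_dns_drop(line):
    """Return src, dst, packet length and configured limit from a DNS-length drop
    message, or None if the line is something else."""
    m = ASA_DNS_DROP_RE.search(line)
    if not m:
        return None
    return {
        "src": m.group("src"),
        "dst": m.group("dst"),
        "length": int(m.group("length")),
        "limit": int(m.group("limit")),
    }


def would_drop(packet_length, configured_limit=512):
    """Mirror the inspection rule: a reply longer than the configured DNS maximum
    length is dropped (512 is the default quoted in this thread)."""
    return packet_length > configured_limit


def encode_name(name):
    """Encode a dotted name as DNS wire-format labels ending in the root label."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += struct.pack("!B", len(label)) + label.encode("ascii")
    return out + b"\x00"


def build_dns_response(qname, a_records, edns_payload_size=None):
    """Build a minimal DNS reply: 12-byte header, one A question, one A record per
    address (16 bytes each, name compressed to a pointer), and, when
    edns_payload_size is given, an 11-byte EDNS0 OPT pseudo-record in the
    additional section. Constructed data, used only to show how a reply grows."""
    arcount = 1 if edns_payload_size is not None else 0
    # ID, flags 0x8180 (standard response, RD+RA), QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
    msg = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, len(a_records), 0, arcount)
    msg += encode_name(qname) + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
    for ip in a_records:
        rdata = bytes(int(octet) for octet in ip.split("."))
        # 0xC00C: compression pointer to the question name at offset 12
        msg += struct.pack("!HHHIH", 0xC00C, 1, 1, 300, 4) + rdata
    if edns_payload_size is not None:
        # OPT RR: root name, TYPE 41, CLASS carries the advertised UDP payload
        # size, TTL carries extended RCODE/version/flags (all zero), RDLENGTH 0
        msg += b"\x00" + struct.pack("!HHIH", 41, edns_payload_size, 0, 0)
    return msg


if __name__ == "__main__":
    line = ("192.33.4.12 master Dropped UDP DNS reply from outside:192.33.4.12/53 "
            "to inside:master/53; packet length 536 bytes exceeds configured limit of 512 bytes")
    rec = parse_dns_drop(line)
    print("parsed:", rec)
    print("dropped at 512:", would_drop(rec["length"], rec["limit"]))
    print("dropped at 1500:", would_drop(rec["length"], 1500))
    # 31 A records plus an OPT record gives a 536-byte reply, the size in the log.
    reply = build_dns_response("example.com.", ["192.0.2.%d" % i for i in range(1, 32)],
                               edns_payload_size=4096)
    print("constructed reply length:", len(reply))
```

Run it as a script to see the parsed fields and both verdicts; the constructed reply shows that a perfectly ordinary answer set with an OPT record reaches the logged 536 bytes, so raising the maximum length as advised above lets such replies through while the inspection engine still tears the UDP connection down once the reply is seen.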
09-15-2007 04:30 AM
Thanks again, Jorge! Trying to understand the ASA better. BTW, the "show fixup protocol dns" command doesn't seem to work on my ASA 5505, but it did take the fixup to the allowed length!
Result of the command: "show fixup protocol dns"
show fixup protocol dns
^
ERROR: % Invalid input detected at '^' marker.
09-15-2007 09:07 AM
Hi Kevin, try "show fixup". In any case, is the UDP DNS reply still being dropped?
BTW, here is a good link to the CLI reference by ASA version that gives you at least a brief explanation, but of course if in doubt it is good to ask.
http://www.cisco.com/en/US/products/ps6120/prod_command_reference_list.html
Rgds
Jorge