DNS query packets dropped

Unanswered Question
May 30th, 2008

Hi all

I have the following setup (as per the diagram), and when I try to issue an nslookup command for the web server from the Linux box in VLAN 40 (212.xx.xx.xx/29), I get a response from the outside interface of Ralph rather than from the DNS server 3.45 in VLAN 1. The resolv.conf on the Linux box has the correct nameserver to query, so that's OK, but when I run packet-tracer from the dms interface (connected to VLAN 40) to the inside interface (VLAN 1), although the packet gets through, it is then dropped with the following message:

(inspect-dns-invalid-pak) DNS Inspect invalid packet. Any ideas? Also, it looks like it has something to do with the Service Policy rules; can someone explain what this is?

mchin345 Thu, 06/05/2008 - 05:32

I think this problem with DNS is due to a misconfiguration on the internal DNS server, not on any other device; please check the DNS configuration.

Farrukh Haroon Thu, 06/05/2008 - 05:59

Maybe you can change the length in the default inspection on the firewall from 512 to something higher.

You could also check the capture command (or a packet sniffer) to see exactly what kind of DNS request is being generated.

This is the description of this error from Cisco:

"DNS Inspect invalid packet

This counter will increment when the security appliance detects an invalid DNS packet. For example, a DNS packet with no DNS header, the number of DNS resource records not matching the counter in the header, etc.

Recommendation: None.

System log messages: None."

This can be seen by the 'show asp drop' command (which is also checked by the packet-tracer).
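To make the drop reason concrete, here is an added Python example (not from this thread and not Cisco's code) that applies the same sanity checks the error description lists, plus the 512-byte default length mentioned above, to constructed DNS messages; the hostname and packet bytes are made up for the demonstration.

```python
import struct
DEFAULT_MAX_DNS_LEN = 512  # default maximum DNS message length in ASA DNS inspection

def _skip_name(msg, off):  # advance past a name (labels or a compression pointer)
    while True:
        if off >= len(msg):
            raise ValueError("name runs past end of packet")
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes end the name
            return off + 2
        off += 1 + length

def _skip_question(msg, off):  # name, then QTYPE + QCLASS
    off = _skip_name(msg, off)
    if off + 4 > len(msg):
        raise ValueError("truncated question")
    return off + 4

def _skip_rr(msg, off):  # name, then TYPE, CLASS, TTL, RDLENGTH, RDATA
    off = _skip_name(msg, off)
    if off + 10 > len(msg):
        raise ValueError("truncated resource record")
    off += 10 + struct.unpack_from("!H", msg, off + 8)[0]
    if off > len(msg):
        raise ValueError("RDATA runs past end of packet")
    return off

def check_dns_packet(msg, max_len=DEFAULT_MAX_DNS_LEN):
    """Return None if the message passes, else why it would be dropped: over the
    length limit, no DNS header, or header counts not matching the records present."""
    if len(msg) > max_len:
        return f"message length {len(msg)} exceeds maximum {max_len}"
    if len(msg) < 12:
        return "no DNS header"
    qd, an, ns, ar = struct.unpack_from("!HHHH", msg, 4)
    off = 12
    try:
        for _ in range(qd):
            off = _skip_question(msg, off)
        for _ in range(an + ns + ar):
            off = _skip_rr(msg, off)
    except ValueError as e:
        return f"record count does not match header: {e}"
    return None if off == len(msg) else "trailing bytes after the last record"

def build_query(name, txid=0x1234, qtype=1):  # constructed sample A query, not captured
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lab)]) + lab.encode() for lab in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)
```

Running `check_dns_packet` over a capture of the real query (taken as suggested above) shows which of the listed conditions the firewall is tripping on, and `max_len` lets you see whether raising the length limit alone would let it through.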
