I'm trying to allow DNS through an ASA 5540, but though I have a rule allowing the source to the correct destinations with 'domain' as the service, the traffic is being denied.
The traffic is UDP, whilst the domain service is TCP.
I've tried adding a new DNS group as TCP-UDP, but I get an error saying this is already created, but when I try to select this group there are no groups available.
Any ideas what I'm doing wrong?
Thanks to anyone taking the time to reply again.
Generally I write a rule that is specific to the src and dst IPs, using the TCP/UDP port numbers. Group objects are great for large configs for generic services, i.e. HTTP, SMTP, etc. But I like to make troubleshooting easier for myself in these kinds of requirements.
You also need to make sure that the default DNS inspection rule allows for larger TCP/DNS queries/replies (max length).
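Added example, not posted by either participant: ASA configuration in the style the reply describes, with an explicit UDP and TCP entry for port 53, the tcp-udp service-group alternative the question mentions, and the DNS inspection message-length parameters. Host addresses, interface, ACL and object names are assumed placeholders.

```cisco
! Added example: per-protocol DNS rules, as the reply suggests.
! Addresses, ACL and object names are assumed placeholders.
!
! 'domain' is port 53. An ACE matches a single protocol, so a TCP-only
! entry never matches the UDP queries resolvers normally send; one entry
! per protocol is needed (TCP is still used for large/truncated answers).
access-list INSIDE_IN extended permit udp host 10.10.10.25 host 192.0.2.53 eq domain
access-list INSIDE_IN extended permit tcp host 10.10.10.25 host 192.0.2.53 eq domain
access-group INSIDE_IN in interface inside
!
! Same permission expressed with a tcp-udp service group (the group type
! the question tried to create) and a protocol group covering both protocols.
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service DNS-TCP-UDP tcp-udp
 port-object eq domain
access-list INSIDE_IN_GRP extended permit object-group TCPUDP host 10.10.10.25 host 192.0.2.53 object-group DNS-TCP-UDP
!
! DNS inspection: the default map limits a DNS message to 512 bytes, so
! larger replies are dropped as oversize even when the ACL permits them.
! Raise the limit (or rely on 'client auto', which takes the size the
! client advertises in its EDNS0 record) if resolvers return large answers.
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
service-policy global_policy global
!
! Verify: hit counts on each ACE, then simulate a UDP query to see which
! ACE or inspection step allows or drops it.
! show access-list INSIDE_IN
! packet-tracer input inside udp 10.10.10.25 40000 192.0.2.53 53
```

The packet-tracer output names the exact phase (ACCESS-LIST or INSPECT) that drops the simulated query, which separates an ACL mismatch from an inspection drop.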