Source port 53, being attacked or legit?

Jul 13th, 2009
Hi, I have an ASA 5505 with many of the following types of errors appearing in my logs:

%ASA-4-410001: Dropped UDP DNS reply from outside:64.236.1.107/53 to inside:10.1.1.1/25051; packet length 518 bytes exceeds configured limit of 512 bytes
%ASA-4-410001: Dropped UDP DNS reply from outside:192.33.4.12/53 to inside:10.1.1.1/14416; packet length 543 bytes exceeds configured limit of 512 bytes
%ASA-4-410001: Dropped UDP DNS reply from outside:192.33.4.12/53 to inside:10.1.1.1/52513; packet length 543 bytes exceeds configured limit of 512 bytes
%ASA-4-410001: Dropped UDP DNS reply from outside:192.228.79.201/53 to inside:10.1.17.6/19901; packet length 543 bytes exceeds configured limit of 512 bytes

Some of the source addresses appear to be legit root servers, but are these being spoofed? It seems odd that the root servers would launch an attack.


I am using these rules:

dns-guard

policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
  id-randomization
  id-mismatch count 10 duration 2 action log
 match header-flag RD
  log

policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map

Please advise.

Thanks

Collin Clark Mon, 07/13/2009 - 05:31

The queries are going the other way. They are sourcing from your internal clients (10.1.1.1 and 10.1.17.6). This is typical if these are your DNS forwarders or they are configured to use the root hints. You might want to increase the message length for DNS, 512 tends to be a little too small.


Hope that helps.
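To make the direction argument in the reply above concrete, here is an added Python example (not code from the thread or from Cisco) that parses %ASA-4-410001 lines, works out from the port pair who initiated each exchange, groups the drops by the internal client that sent the query, and reports the largest reply the ASA discarded, which is the floor for any new message-length maximum. The regex is written against the message layout shown in the post, the "reply to internal query" rule (source port 53 on the outside to a port above 1023 on the inside) is my own heuristic, and the sample log is constructed from the four lines quoted in the question.

```python
import re
from collections import defaultdict

# Constructed sample input, modelled on the %ASA-4-410001 lines quoted in the
# question (addresses, ports and lengths are the ones shown in the post).
SAMPLE_LOG = """\
%ASA-4-410001: Dropped UDP DNS reply from outside:64.236.1.107/53 to inside:10.1.1.1/25051; packet length 518 bytes exceeds configured limit of 512 bytes
%ASA-4-410001: Dropped UDP DNS reply from outside:192.33.4.12/53 to inside:10.1.1.1/14416; packet length 543 bytes exceeds configured limit of 512 bytes
%ASA-4-410001: Dropped UDP DNS reply from outside:192.33.4.12/53 to inside:10.1.1.1/52513; packet length 543 bytes exceeds configured limit of 512 bytes
%ASA-4-410001: Dropped UDP DNS reply from outside:192.228.79.201/53 to inside:10.1.17.6/19901; packet length 543 bytes exceeds configured limit of 512 bytes
"""

# Field layout of the message as it appears in the lines above (assumption:
# written against these samples, not against a vendor message catalogue).
LINE_RE = re.compile(
    r"%ASA-4-410001: Dropped UDP DNS reply from "
    r"(?P<src_if>\w+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) to "
    r"(?P<dst_if>\w+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+); "
    r"packet length (?P<length>\d+) bytes exceeds configured limit of (?P<limit>\d+) bytes"
)

INT_FIELDS = ("src_port", "dst_port", "length", "limit")


def parse_drops(text):
    """Return one dict per 410001 line; unrelated lines are ignored."""
    drops = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        rec = m.groupdict()
        for k in INT_FIELDS:
            rec[k] = int(rec[k])
        drops.append(rec)
    return drops


def classify(drop):
    """Decide who initiated the exchange from the port pair alone.

    A packet from UDP/53 on the outside to a high (ephemeral) port on the
    inside is the answer to a query the inside host sent, so the inside host
    is the initiator, not a target.  Anything else deserves a closer look.
    """
    if drop["src_port"] == 53 and drop["dst_port"] > 1023 and drop["dst_if"] == "inside":
        return "reply to internal query"
    return "unexpected"


def summarize(drops):
    """Group drops by the internal client that sent the original query."""
    by_client = defaultdict(lambda: {"count": 0, "max_length": 0, "servers": set()})
    for d in drops:
        entry = by_client[d["dst_ip"]]
        entry["count"] += 1
        entry["max_length"] = max(entry["max_length"], d["length"])
        entry["servers"].add(d["src_ip"])
    # Freeze the sets into sorted lists so the result is stable and comparable.
    return {ip: {**e, "servers": sorted(e["servers"])} for ip, e in by_client.items()}


def largest_reply(drops):
    """Largest reply the ASA dropped; a new message-length maximum must exceed it."""
    return max((d["length"] for d in drops), default=0)


if __name__ == "__main__":
    drops = parse_drops(SAMPLE_LOG)
    for d in drops:
        print(f"{d['src_ip']}:{d['src_port']} -> {d['dst_ip']}:{d['dst_port']} "
              f"{d['length']}B > {d['limit']}B : {classify(d)}")
    for client, e in summarize(drops).items():
        print(f"{client}: {e['count']} dropped replies, largest {e['max_length']} bytes, "
              f"from {', '.join(e['servers'])}")
    print("largest dropped reply:", largest_reply(drops), "bytes")
```

Run against the four quoted lines, every drop classifies as a reply to a query that 10.1.1.1 or 10.1.17.6 sent, and the largest discarded reply is 543 bytes, so the 512-byte ceiling is what is doing the dropping; the same script pointed at a full syslog export tells you which internal hosts are doing the querying and how large the replies actually get before you pick a new limit.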

c0ldshadow Mon, 07/13/2009 - 15:03
Thanks for the feedback, Collin.

Yeah, I was trying to troubleshoot over 10,000 connections being taken up by the ASA, but I can't figure out what's causing it. At least once a day it goes over the limit.
