Source port 53, being attacked or legit?

c0ldshadow
Level 1

Hi, I have an ASA 5505 with many of the following types of errors appearing in my logs:

%ASA-4-410001: Dropped UDP DNS reply from outside:64.236.1.107/53 to inside:10.1.1.1/25051; packet length 518 bytes exceeds configured limit of 512 bytes

%ASA-4-410001: Dropped UDP DNS reply from outside:192.33.4.12/53 to inside:10.1.1.1/14416; packet length 543 bytes exceeds configured limit of 512 bytes

%ASA-4-410001: Dropped UDP DNS reply from outside:192.33.4.12/53 to inside:10.1.1.1/52513; packet length 543 bytes exceeds configured limit of 512 bytes

%ASA-4-410001: Dropped UDP DNS reply from outside:192.228.79.201/53 to inside:10.1.17.6/19901; packet length 543 bytes exceeds configured limit of 512 bytes

Some of the source addresses appear to be legit root servers... but are these being spoofed? It seems odd that the root servers would launch an attack.

I am using these rules:

dns-guard
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
  id-randomization
  id-mismatch count 10 duration 2 action log
 match header-flag RD
  log
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map

Please advise

Thanks

2 Replies

Collin Clark
VIP Alumni

The queries are going the other way. They are sourcing from your internal clients (10.1.1.1 and 10.1.17.6). This is typical if these are your DNS forwarders or they are configured to use the root hints. You might want to increase the message length for DNS, 512 tends to be a little too small.

Hope that helps.
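As an added example (not part of this thread or of any Cisco tooling), the following Python parses the %ASA-4-410001 lines quoted in the question, groups the drops by internal client, checks that each drop has the shape Collin describes (server port 53 replying to an ephemeral client port), and reports the smallest message-length maximum that would have let the observed replies through. The regular expression and the ephemeral-port threshold are assumptions made here, not anything the ASA provides.

```python
import re

# Constructed sample input: the four ASA-4-410001 lines quoted in the question.
SAMPLE_LOG = """\
%ASA-4-410001: Dropped UDP DNS reply from outside:64.236.1.107/53 to inside:10.1.1.1/25051; packet length 518 bytes exceeds configured limit of 512 bytes
%ASA-4-410001: Dropped UDP DNS reply from outside:192.33.4.12/53 to inside:10.1.1.1/14416; packet length 543 bytes exceeds configured limit of 512 bytes
%ASA-4-410001: Dropped UDP DNS reply from outside:192.33.4.12/53 to inside:10.1.1.1/52513; packet length 543 bytes exceeds configured limit of 512 bytes
%ASA-4-410001: Dropped UDP DNS reply from outside:192.228.79.201/53 to inside:10.1.17.6/19901; packet length 543 bytes exceeds configured limit of 512 bytes
"""

# Assumed pattern for the 410001 message as it appears in the question.
LINE_RE = re.compile(
    r"%ASA-4-410001: Dropped UDP DNS reply from "
    r"(?P<src_if>\w+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) to "
    r"(?P<dst_if>\w+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+); "
    r"packet length (?P<length>\d+) bytes exceeds configured limit of (?P<limit>\d+) bytes"
)

def parse_drops(text):
    """Return one dict per parsed 410001 line; lines that do not match are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            d = m.groupdict()
            for key in ("src_port", "dst_port", "length", "limit"):
                d[key] = int(d[key])
            rows.append(d)
    return rows

def summarize(rows, ephemeral_min=1024):
    """Per internal client: how many drops look like replies to its own queries
    (server port 53 -> client ephemeral port), how many do not, which servers
    answered, and the largest reply seen. The 1024 threshold is an assumption."""
    summary = {}
    for r in rows:
        s = summary.setdefault(r["dst_ip"], {"replies": 0, "unexpected": 0, "servers": set(), "max_len": 0})
        if r["src_port"] == 53 and r["dst_port"] >= ephemeral_min:
            s["replies"] += 1
        else:
            s["unexpected"] += 1
        s["servers"].add(r["src_ip"])
        s["max_len"] = max(s["max_len"], r["length"])
    return summary

def suggested_limit(rows, floor=512):
    """Smallest 'message-length maximum' that would have passed every observed reply."""
    return max([floor] + [r["length"] for r in rows])
```

Run it against a real syslog export instead of SAMPLE_LOG to see whether every drop is a reply to an inside client and how far above 512 bytes the replies actually go.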

Thanks for the feedback, Collin.

Yeah, I was trying to troubleshoot over 10000 connections being taken up by the ASA, but I can't figure out what's causing it. At least once a day it goes over the limit.
