07-13-2009 03:51 AM - edited 03-11-2019 08:54 AM
Hi, I have an ASA 5505 with many of the following types of errors appearing in my logs:
%ASA-4-410001: Dropped UDP DNS reply from outside:64.236.1.107/53 to inside:10.1.1.1/25051; packet length 518 bytes exceeds configured limit of 512 bytes
%ASA-4-410001: Dropped UDP DNS reply from outside:192.33.4.12/53 to inside:10.1.1.1/14416; packet length 543 bytes exceeds configured limit of 512 bytes
%ASA-4-410001: Dropped UDP DNS reply from outside:192.33.4.12/53 to inside:10.1.1.1/52513; packet length 543 bytes exceeds configured limit of 512 bytes
%ASA-4-410001: Dropped UDP DNS reply from outside:192.228.79.201/53 to inside:10.1.17.6/19901; packet length 543 bytes exceeds configured limit of 512 bytes
Some of the source addresses appear to be legit root servers, but are these being spoofed? It seems odd the root servers would launch an attack.
I am using these rules:
dns-guard
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
  id-randomization
  id-mismatch count 10 duration 2 action log
 match header-flag RD
  log
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
Please advise
Thanks
07-13-2009 05:31 AM
The queries are going the other way. They are sourcing from your internal clients (10.1.1.1 and 10.1.17.6). This is typical if these are your DNS forwarders or they are configured to use the root hints. You might want to increase the message length for DNS, 512 tends to be a little too small.
Hope that helps.
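An added example, not code from the thread or from Cisco: a small Python script that parses %ASA-4-410001 lines of the shape quoted above and checks the point made in the reply, that these are DNS replies from port 53 to ephemeral ports on inside hosts (answers to queries the inside clients sent, not inbound attacks), and reports the largest reply seen so that message-length maximum can be sized against observed traffic. The sample lines are constructed to match the messages in the post; the ephemeral-port threshold of 1023 is an assumption.

```python
import re
from collections import Counter

# Constructed sample log lines, shaped like the %ASA-4-410001 messages in the post.
SAMPLE_LOG = """\
%ASA-4-410001: Dropped UDP DNS reply from outside:64.236.1.107/53 to inside:10.1.1.1/25051; packet length 518 bytes exceeds configured limit of 512 bytes
%ASA-4-410001: Dropped UDP DNS reply from outside:192.33.4.12/53 to inside:10.1.1.1/14416; packet length 543 bytes exceeds configured limit of 512 bytes
%ASA-4-410001: Dropped UDP DNS reply from outside:192.33.4.12/53 to inside:10.1.1.1/52513; packet length 543 bytes exceeds configured limit of 512 bytes
%ASA-4-410001: Dropped UDP DNS reply from outside:192.228.79.201/53 to inside:10.1.17.6/19901; packet length 543 bytes exceeds configured limit of 512 bytes
"""

# Fields of the 410001 message: direction, interfaces, endpoints, observed length and the configured limit.
LINE_RE = re.compile(
    r"%ASA-4-410001: Dropped UDP DNS (?P<kind>\w+) from "
    r"(?P<src_if>\w+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) to "
    r"(?P<dst_if>\w+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+); "
    r"packet length (?P<length>\d+) bytes exceeds configured limit of (?P<limit>\d+) bytes"
)


def parse_drops(text):
    """Return one dict per 410001 line; numeric fields are converted to int."""
    drops = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            d = m.groupdict()
            for key in ("src_port", "dst_port", "length", "limit"):
                d[key] = int(d[key])
            drops.append(d)
    return drops


def is_reply_to_inside_client(d):
    """True when a DNS server on the outside (source port 53) is answering a query that an
    inside host originated from an ephemeral port (assumed to be > 1023)."""
    return (d["src_if"] == "outside" and d["src_port"] == 53
            and d["dst_if"] == "inside" and d["dst_port"] > 1023)


def summarize(drops):
    """Aggregate the drops: direction check, largest reply, limit in force, per-server/per-client counts."""
    return {
        "total": len(drops),
        "all_replies_to_inside_clients": all(is_reply_to_inside_client(d) for d in drops),
        "max_length": max((d["length"] for d in drops), default=0),
        "configured_limit": max((d["limit"] for d in drops), default=0),
        "by_server": Counter(d["src_ip"] for d in drops),
        "by_client": Counter(d["dst_ip"] for d in drops),
    }


def fits_limit(drops, proposed_limit):
    """True if every observed reply would pass a message-length maximum of proposed_limit."""
    return all(d["length"] <= proposed_limit for d in drops)


if __name__ == "__main__":
    print(summarize(parse_drops(SAMPLE_LOG)))
```

Run it against a larger export of the ASA syslog to see whether any drops are inbound (request direction or non-53 source port) rather than answers to inside clients.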
07-13-2009 03:03 PM
Thanks for the feedback, Collin.
Yeah, I was trying to troubleshoot over 10000 connections being taken up by the ASA but I can't figure out what's causing it. At least once a day it goes over the limit.