DNS replies causing over 10000 conns

Unanswered Question
Jul 15th, 2009
I have an ASA 5505 guarding a single web server. It is running DNS. Ports 80 TCP and 53 UDP/TCP are opened.



The problem is that every once in a while my server sends out a large amount of DNS replies, causing it to go over the 10000 conn limit (replies to initial requests from DNS servers).


I tried doing:

    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum 768
      id-randomization
      id-mismatch count 10 duration 2 action log

This is blocking some of the replies that are over 768 bytes. I noticed some replies are up to 1200 bytes even.


Any idea how I can solve this problem? My goal is to prevent the device from going over 10000 conns but not interfere with legitimate traffic...


thanks a ton!


-c0ld
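The post above guesses at a `message-length maximum` of 768 and then sees legitimate 1200-byte replies dropped. An added example, not from the original thread, that reads ASA DNS-inspection drop messages (syslog ID 410001) and derives the smallest limit that would have passed every observed reply, plus a per-resolver count to spot reply bursts. The log lines are constructed and the 410001 message layout is assumed from the ASA syslog reference; the interface names and addresses are placeholders.

```python
import re

# Constructed sample syslog lines. The 410001 layout is assumed from the ASA
# syslog reference; the DNS server sits on "inside" and replies to outside resolvers.
SAMPLE_LOG = """\
%ASA-4-410001: Dropped UDP DNS reply from inside:192.0.2.10/53 to outside:198.51.100.7/4701; packet length 1200 bytes exceeds configured limit of 768 bytes
%ASA-4-410001: Dropped UDP DNS reply from inside:192.0.2.10/53 to outside:198.51.100.7/4702; packet length 803 bytes exceeds configured limit of 768 bytes
%ASA-4-410001: Dropped UDP DNS reply from inside:192.0.2.10/53 to outside:203.0.113.9/4703; packet length 1100 bytes exceeds configured limit of 768 bytes
%ASA-6-302015: Built inbound UDP connection 9001 for outside:203.0.113.9/4704 (203.0.113.9/4704) to inside:192.0.2.10/53 (192.0.2.10/53)
"""

DROP_RE = re.compile(
    r"%ASA-\d-410001: Dropped UDP DNS reply from (?P<src>\S+) to (?P<dst>\S+); "
    r"packet length (?P<length>\d+) bytes exceeds configured limit of (?P<limit>\d+) bytes"
)


def parse_dns_drops(log_text):
    """Return (src, dst, length, limit) for every 410001 line; other messages are ignored."""
    drops = []
    for line in log_text.splitlines():
        m = DROP_RE.search(line)
        if m:
            drops.append((m["src"], m["dst"], int(m["length"]), int(m["limit"])))
    return drops


def recommend_message_length(drops, hard_cap=4096, round_to=64):
    """Smallest limit (rounded up to a multiple of round_to) that passes every dropped reply.

    hard_cap keeps one oversized packet from pushing the limit arbitrarily high;
    4096 is a common EDNS buffer size and is an assumption, not an ASA default.
    Returns None when there is nothing to tune against.
    """
    if not drops:
        return None
    needed = max(length for _, _, length, _ in drops)
    rounded = -(-needed // round_to) * round_to  # ceiling division, then scale back up
    return min(rounded, hard_cap)


def replies_by_resolver(drops):
    """Count dropped replies per destination IP (interface and port stripped)."""
    counts = {}
    for _, dst, _, _ in drops:
        ip = dst.split(":", 1)[1].split("/", 1)[0]
        counts[ip] = counts.get(ip, 0) + 1
    return counts
```

Running the same parser over a day of real syslog shows whether replies over 768 bytes are the exception or the norm before the limit is raised, and the per-resolver counts show which peers drive the conn-count spikes.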

mchin345 Tue, 07/21/2009 - 05:50

You need to do `clear xlate` to resolve it.


If you are still getting the issue, then check whether you may be hitting the DNS idle-time bug. If you are hitting this bug, then upgrade.


srue Tue, 07/21/2009 - 06:13

Do you mean for this DNS server to be a public DNS server? Not sure what DNS server you're using, but if it's Windows there is no way to block who can use it as a caching DNS server. BIND can, though.

You may want to look at an alternative DNS solution for internet users to resolve your public-facing hosts (e.g. everydns.net), and then keep your internal DNS server just for local users. That way you can close TCP/UDP 53.
