I have an ASA 5505 guarding a single web server. It is running DNS. Ports 80/TCP and 53/UDP+TCP are open.
The problem is that every once in a while my server sends out a large amount of DNS replies, causing it to go over the 10000 conn limit (replies to initial requests from DNS servers).
I tried doing:
policy-map type inspect dns preset_dns_map
message-length maximum 768
id-mismatch count 10 duration 2 action log
This is blocking some of the replies that are over 768 bytes. I noticed some replies are even up to 1200 bytes.
Any idea how I can solve this problem? My goal is to prevent the device from going over 10000 conns but not interfere with legitimate traffic...
Thanks a ton!
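To see whether the conn limit is being hit by DNS conns that linger in the table rather than by the reply volume itself, here is an added example (not from the poster) that replays ASA 302015/302016 UDP Built/Teardown syslog messages and counts UDP/53 conns; the message layout is assumed from the Cisco syslog reference and the log lines are constructed.

```python
import re

# Patterns approximating ASA syslog 302015 ("Built ... UDP connection") and
# 302016 ("Teardown UDP connection ... duration ... bytes ..."); field order
# follows the Cisco syslog reference, but check it against your own logs.
BUILT = re.compile(
    r"%ASA-6-302015: Built (?:inbound|outbound) UDP connection (?P<id>\d+) for "
    r"\w+:[\d.]+/(?P<sport>\d+) \([\d.]+/\d+\) to \w+:[\d.]+/(?P<dport>\d+) \([\d.]+/\d+\)"
)
TEARDOWN = re.compile(
    r"%ASA-6-302016: Teardown UDP connection (?P<id>\d+) for "
    r"\w+:[\d.]+/(?P<sport>\d+) to \w+:[\d.]+/(?P<dport>\d+) "
    r"duration (?P<h>\d+):(?P<m>\d+):(?P<s>\d+) bytes \d+"
)

def dns_conn_stats(lines, conn_limit=10000, linger_secs=5):
    """Replay Built/Teardown messages for UDP/53 and report the peak number of
    simultaneous DNS conns, that peak as a share of the license limit, and how
    many DNS conns outlived the reply by linger_secs or more (those sat in the
    conn table until the UDP idle timeout instead of being torn down)."""
    open_ids, peak, lingering = set(), 0, 0
    for line in lines:
        m = BUILT.search(line)
        if m and "53" in (m["sport"], m["dport"]):
            open_ids.add(m["id"])
            peak = max(peak, len(open_ids))
            continue
        m = TEARDOWN.search(line)
        if m and "53" in (m["sport"], m["dport"]):
            open_ids.discard(m["id"])
            secs = int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"])
            if secs >= linger_secs:
                lingering += 1
    return {"peak": peak, "pct_of_limit": round(100.0 * peak / conn_limit, 2),
            "lingering": lingering, "still_open": len(open_ids)}

# Constructed sample log (addresses and conn ids are made up): outside resolvers
# querying the inside DNS server 10.0.0.5 (NAT 203.0.113.5), plus unrelated
# HTTP and NTP conns that must be ignored.
SAMPLE_LOG = [
    "%ASA-6-302015: Built inbound UDP connection 1001 for outside:198.51.100.7/40001 (198.51.100.7/40001) to inside:10.0.0.5/53 (203.0.113.5/53)",
    "%ASA-6-302015: Built inbound UDP connection 1002 for outside:198.51.100.8/53 (198.51.100.8/53) to inside:10.0.0.5/53 (203.0.113.5/53)",
    "%ASA-6-302016: Teardown UDP connection 1001 for outside:198.51.100.7/40001 to inside:10.0.0.5/53 duration 0:00:00 bytes 312",
    "%ASA-6-302013: Built inbound TCP connection 1003 for outside:192.0.2.9/55555 (192.0.2.9/55555) to inside:10.0.0.5/80 (203.0.113.5/80)",
    "%ASA-6-302015: Built inbound UDP connection 1004 for outside:192.0.2.9/51234 (192.0.2.9/51234) to inside:10.0.0.5/53 (203.0.113.5/53)",
    "%ASA-6-302015: Built inbound UDP connection 1005 for outside:192.0.2.9/123 (192.0.2.9/123) to inside:10.0.0.5/123 (203.0.113.5/123)",
    # 0:02:00 is the ASA default UDP idle timeout: this conn was never torn down on the reply
    "%ASA-6-302016: Teardown UDP connection 1002 for outside:198.51.100.8/53 to inside:10.0.0.5/53 duration 0:02:00 bytes 1190",
]

if __name__ == "__main__":
    print(dns_conn_stats(SAMPLE_LOG))  # {'peak': 2, 'pct_of_limit': 0.02, 'lingering': 1, 'still_open': 1}
```

A high "lingering" count during a burst points at conns surviving to the idle timeout rather than at reply volume, which is the thing to tune on the firewall; a high "peak" with few lingering conns means the traffic itself is the load.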