as recent increases in DNSSEC deployment are exposing problems with DNS resolvers that cannot receive large responses:
Which configuration options are available for DNS on Cisco IOS Firewall and IOS Zone-Based Firewall?
The maximum reply size between a DNS server and a resolver may be limited by a number of factors:
- If a resolver does not support the Extension Mechanisms for DNS (EDNS), replies are limited to 512 bytes.
- The resolver may be behind a firewall that blocks IP fragments.
- Some DNS-aware firewalls block responses larger than 512 bytes.
DNSSEC responses may not fit into one 512-byte UDP packet. When UDP queries fail, clients may revert automatically to TCP. Where neither TCP nor EDNS0 is supported, DNS queries for signed domains may fail.
This setting is enforced by Deep Inspection and can be changed with the following command:
set di service dns udp_message_limit <512-4096>
The default size is 512 bytes.
PIX / ASA / FWSM
DNS message size limitations:
DNS amplification and reflection attacks are more effective when leveraging large DNS messages rather than small ones. The message-length parameters submode command for policy-map type inspect dns can be used to ensure that message sizes do not exceed a specified size, thus reducing the efficiency of these attacks.
This feature is available beginning with software release 7.2(1) for Cisco ASA and Cisco PIX Firewalls. This feature is available beginning with software release 3.1 for FWSM Firewalls. This function is enabled by default with a limit of 512 bytes.
For example, in earlier versions of PIX (6.3.2 and below), you had to manually configure the DNS fixup to permit DNS packets with a longer length:
fixup protocol dns maximum-length 4096
In more recent versions, it is covered by:
policy-map type inspect dns preset_dns_map
message-length maximum 4096
or, to increase the maximum response length:
inspect dns maximum-length 4096
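To verify from the resolver side whether a firewall's DNS message-length limit is actually truncating DNSSEC replies, the following added example (not from the original page or from Cisco or Juniper documentation) builds a DNS query carrying an EDNS0 OPT record that advertises a 4096-byte UDP payload, then classifies a raw reply by its size and TC bit. The server address, query name and sample reply bytes are constructed assumptions for illustration.

```python
import socket
import struct

# Constructed example (not from the original page): build an EDNS0 query advertising a
# UDP payload size above 512 bytes, then examine a raw reply for size and the TC bit.

def build_query(name, qtype=48, udp_payload=4096, want_dnssec=True, txid=0x1234):
    """Return a DNS query for `name` (qtype 48 = DNSKEY) carrying an EDNS0 OPT record."""
    # Header: id, flags (RD set), QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=1 (the OPT RR)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    labels = [label.encode() for label in name.rstrip(".").split(".")]
    qname = b"".join(bytes([len(label)]) + label for label in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)  # class IN
    # OPT RR: root name, TYPE 41, CLASS = advertised UDP payload size,
    # TTL field = extended RCODE (1) | EDNS version (1) | flags (2, DO bit 0x8000), RDLENGTH 0
    do_flag = 0x8000 if want_dnssec else 0
    opt = b"\x00" + struct.pack("!HHBBHH", 41, udp_payload, 0, 0, do_flag, 0)
    return header + question + opt

def classify_response(data, limit=512):
    """Summarise a raw DNS reply relative to a firewall message-length limit."""
    if len(data) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    _txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    truncated = bool(flags & 0x0200)  # TC bit: the client should retry over TCP
    size = len(data)
    if truncated:
        verdict = "truncated: resolver must fall back to TCP"
    elif size > limit:
        verdict = "full reply larger than %d bytes arrived over UDP" % limit
    else:
        verdict = "reply fits within %d bytes" % limit
    return {"size": size, "truncated": truncated, "rcode": flags & 0x000F,
            "answers": ancount, "exceeds_limit": size > limit, "verdict": verdict}

def probe(server, name, qtype=48, timeout=3.0):
    """Send the EDNS0 query over UDP to `server` (assumed reachable) and classify the reply."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_query(name, qtype), (server, 53))
        data, _ = sock.recvfrom(4096)
    finally:
        sock.close()
    return classify_response(data)

# Constructed reply: header with QR|TC|RD|RA set (0x8380), one question, no answers,
# followed by 20 bytes of padding standing in for the question section.
SAMPLE_TRUNCATED_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8380, 1, 0, 0, 0) + b"\x00" * 20
```

A reply flagged "truncated" from a zone that should answer in one EDNS0 datagram is the symptom described above: something on the path (a non-EDNS resolver or an inspection limit left at 512 bytes) is forcing the TCP fallback.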