Cisco PIX / ASA and DNSSEC problem approaching on May 5th?

Unanswered Question
Apr 16th, 2010

So by default all Cisco PIX / ASA configs have something along these lines...

policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1 <-- DNS inspection
...

so after May 5th, when DNSSEC is enabled on all root servers, I'd expect many quereies to be over the 512 byte maximum.  See http://www.theregister.co.uk/2010/04/13/dnssec/ if you are not familiar with this.

Does this mean I should change the 512 number to something else? suggestions on that? or should I just disable DNS inspection completely with: "no inspect dns"

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 4 (4 ratings)
Loading.
ROBERTO TACCON Sun, 04/18/2010 - 05:28

Hi Rita,

for example, in earlier versions of PIX (6.3.2 and below), you had to manually configure the DNS fixup to permit DNS packets with the longer length :

fixup protocol dns maximum-length 4096


in more recent versions, it would be covered by :

policy-map type inspect dns preset_dns_map
parameters
message-length maximum 4096

or to increase the response size length:

policy-map global_policy
class inspection_default
inspect dns maximum-length 4096

HTH

http://www.google.com/profiles/roberto.taccon

dtochilovsky Fri, 04/30/2010 - 08:57

Roberto, so even in the newer version of ASA/FWSM code you would need to manually configure the response size length for DNSSEC?

Are there are any announcements from Cisco about what version are affected?

Thank you.

Dmitry.

Panos Kampanakis Fri, 04/30/2010 - 14:58

If you use "message-length maximum client auto" under the parameter of the dns map in ASA 8.2.2, if EDNS/DNSSec is used, the command will allow DNS replies up to the length specified in the OPT record, so you will not have any issue.

PK

ROBERTO TACCON Sat, 05/01/2010 - 00:33

Hi pkampana (CISCO),

the command message-length maximum client auto on the ASA v. 8.2(2) is the default ?

As you can see without using it the EDNS/DNSSec packets still working:

I have the following default config on my ASA version 8.2(2).

policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map netflow-policy
class netflow-export-class
  flow-export event-type all destination ITL01-FMSDEMO
policy-map global_policy
description Netflow
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny 
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip 
  inspect xdmcp

show service-policy inspect dns

Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: dns preset_dns_map, packet 1706599, drop 3746, reset-drop 0
        message-length maximum 512, drop 0
        dns-guard, count 560373
        protocol-enforcement, drop 0
        nat-rewrite, count 0

As can be seen the maximum length is 512 bytes, however if I dig an EDNS server I confirm I get much more than 512 bytes!

From my PC running dig

c:\dig> dig @158.43.128.1 +short rs.dns-oarc.net txt

rst.x3827.rs.dns-oarc.net.

rst.x3837.x3827.rs.dns-oarc.net.

rst.x3843.x3837.x3827.rs.dns-oarc.net.

"62.189.58.236 DNS reply size limit is at least 3843"

"62.189.58.236 sent EDNS buffer size 4096"

"Tested at 2010-04-21 13:44:22 UTC"

So current ASAs you do not need to change the configuration at all, the policy-map is just for DNS not EDNS that DNSSEC uses.

Panos Kampanakis Sat, 05/01/2010 - 05:40

Hmm, yes, that is why in one of my earlier posts I had said that 8.2.2 supports DNSSec and left it to that.

EDNS support goes long back to 7.2 and that command was put there to support EDNS (DNSSec uses it). Without the 'client auto' command DNS traffic will stillpass, but if it is EDNS0 packets AND they are larger than the configured DNSmsg length they should be dropped as any other DNS packet larger than the msglength would be. The client auto command resolves this by looking into the DNSquery which is where the msg size is requested and sets the msg-length "dynamically"to match this request.


We have verified the above through testing.

PK

r.taccon wrote:

As can be seen the maximum length is 512 bytes, however if I dig an EDNS server I confirm I get much more than 512 bytes!

From my PC running dig

c:\dig> dig @158.43.128.1 +short rs.dns-oarc.net txt

rst.x3827.rs.dns-oarc.net.

rst.x3837.x3827.rs.dns-oarc.net.

rst.x3843.x3837.x3827.rs.dns-oarc.net.

"62.189.58.236 DNS reply size limit is at least 3843"

"62.189.58.236 sent EDNS buffer size 4096"

"Tested at 2010-04-21 13:44:22 UTC"

So current ASAs you do not need to change the configuration at all, the policy-map is just for DNS not EDNS that DNSSEC uses.

That packet on the wire is is actually smaller than 512 bytes, that's why it passes.

You still need to apply ASA 8.2.2 and the "message-length maximum client auto" parameter.

I applied the above to my ASA5510 this morning and immediately all dns queries are working properly again and there are no more syslogs for exeeding 512 bytes.  See attached pcap for details of now working query.

Panos Kampanakis Fri, 04/16/2010 - 15:23

DNSSec will not work with dns inspection (before 8.2.2), so I would suggest disabling it if you use DNSSec.

DNSSec is supported on the ASA after 8.2.2 though.

I hope it helps.

PK

Przemyslaw Konitz Wed, 04/21/2010 - 01:30

pkampana napisano:

DNSSec will not work with dns inspection (before 8.2.2), so I would suggest disabling it if you use DNSSec.

DNSSec is supported on the ASA after 8.2.2 though.

I hope it helps.

PK


Hello,

how DNSSec in 8.2.2 is supported? I've read Realease notes but could not find any clue about it.

Do I still need to increase message-length?

"policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512"

I've seen 8.3 and as I remember there is the same value of DNS max size

regards

P

tcording Tue, 05/04/2010 - 19:21

Hi Jen

Do we still need to change the message-length maximum 512 to message-length maximum client auto?

The bugID would seem to suggest that it still needs to changed

Troy

Panos Kampanakis Tue, 05/04/2010 - 21:55

You don't need to change them. You can have them both there

/* Style Definitions */ table.MsoNormalTable {mso-style-name:"Table Normal"; mso-tstyle-rowband-size:0; mso-tstyle-colband-size:0; mso-style-noshow:yes; mso-style-priority:99; mso-style-qformat:yes; mso-style-parent:""; mso-padding-alt:0in 5.4pt 0in 5.4pt; mso-para-margin:0in; mso-para-margin-bottom:.0001pt; mso-pagination:widow-orphan; font-size:11.0pt; font-family:"Calibri","sans-serif"; mso-ascii-font-family:Calibri; mso-ascii-theme-font:minor-latin; mso-hansi-font-family:Calibri; mso-hansi-theme-font:minor-latin;}

policy-map type inspect dns preset_dns_map  parameters

  message-length maximum client auto

  message-length maximum 512

This configuration essentially provides the most optimal solution in that it behaves according to RFC/spec and using the 'message-length maximum client auto' line allows the ASA to look into the DNSSEC query packets and set the size accordingly for the subsequent DNSSEC traffic to pass. Note you use both the 'client auto' and the '512' command in tandem as if a non DNSSEC (EDNS0) packet is being processed it will be processed according to the standard or defacto message-length command.

I hope it helps.

PK

Jennifer Halim Wed, 05/05/2010 - 03:07

Hey Troy,

pkampana is absolutely correct. You can keep the "message-length maximum 512" in, and just add the "message-length maximum client auto" line as per the bug.

tasoskypraios Mon, 02/14/2011 - 08:06

Hello,

Could you inform me in which version of FWSM is available the command "message-length maximum client auto"?

Thank you

tasoskypraios Tue, 02/15/2011 - 03:57

Thank you Jennifer for your prompt answer, i will try to increase the maximum length to 1536 bytes.

Actions

This Discussion