Changing DNS message length to 4096 in ASA

mahesh18
Level 6

 

Hi everyone.

 

In ASA 5550 if I change the DNS from 512 to 4096 will it cause any outage?

policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 4096

Regards

MAhesh

1 Accepted Solution

Accepted Solutions

rvarelac
Level 7

Hi Mahesh , 

 

According to the DNS and DDNS best practices:

"Inspection of Large DNS packets through Firewalls or Application Layer Gateways

Devices that perform Application Layer Inspection (ALI) may reject large (greater than 512 bytes) DNS packets.  Cisco ASA and PIX firewall products running pre-8.3 code versions that are configured with the default DNS inspection policy will only permit DNS packets up to 512 bytes. This message-length limit may not be large enough for an organization's internal clients, or for servers advertising that they want to receive and validate DNSSEC resource records. Based on internal testing performed by Cisco Security Research & Operations (SRO), we recommend using a message length size of 4096 bytes. No legitimate DNSSEC packets should be larger than 4096 bytes"

This change on the firewall should not cause any impact to the DNS pass-through traffic; however, as with any change you make on the firewall, it is recommended to set up a maintenance window or a test environment before applying it.

 

http://www.cisco.com/web/about/security/intelligence/dnssec.html

 

Hope it helps

-Randy-


3 Replies 3


Many thanks Randy!

Maybe it can cause a buffer memory (RAM) outage because you are using the maximum size of 4096. Syntactically it is correct, but I don't think it will suit the hardware configuration; maybe it can affect other functionalities of the ASA. You can use the following command, which will configure the DNS message size according to the client:

"message-length maximum client auto"

 

Praveen Kumar Balasundaram

 

Spooster IT Services
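As an added illustration that is not part of this thread or of any Cisco code, the following Python builds a DNS query carrying an EDNS0 OPT record (the mechanism by which a client advertises that it can receive more than 512 bytes, which is why DNSSEC responses exceed the old default), reads that advertised size back out of a message, and models the two inspection policies discussed above: a fixed `message-length maximum N` and `message-length maximum client auto`, where the permitted response size follows the client's query. The function names, the query ID and the sample sizes are my own constructions.

```python
import struct

def _encode_name(name):
    """Wire-format a dotted name as length-prefixed labels ending in a root label."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def _skip_name(msg, off):
    """Advance past a name (plain labels or a compression pointer); return new offset."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # two-byte compression pointer terminates the name
            return off + 2
        off += 1 + length

def build_edns_query(name, qtype=1, udp_payload=4096, do_bit=True):
    """Constructed DNS query (ID 0x1234, RD set) with one OPT RR in the additional section."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 1)
    question = _encode_name(name) + struct.pack("!HH", qtype, 1)
    ttl = 0x8000 if do_bit else 0  # OPT "TTL" = ext-rcode | version | DO flag | Z
    opt = b"\x00" + struct.pack("!HHIH", 41, udp_payload, ttl, 0)
    return header + question + opt

def edns_udp_payload_size(msg):
    """Return the UDP payload size advertised by the OPT RR, or 512 when there is no EDNS0."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == 41:
            return rclass  # OPT reuses the CLASS field for the sender's UDP payload size
        off += 10 + rdlen
    return 512

def inspection_verdict(msg, maximum=512):
    """Fixed limit, like 'message-length maximum N': drop anything longer than N bytes."""
    return "permit" if len(msg) <= maximum else "drop"

def client_auto_verdict(query, response):
    """Approximation of 'message-length maximum client auto': the limit for the response
    is whatever UDP payload size the client's query advertised (512 without EDNS0)."""
    return inspection_verdict(response, edns_udp_payload_size(query))
```

Feeding a captured query and its response into `client_auto_verdict` shows whether the firewall policy, not the resolver, is the reason a large DNSSEC answer never arrives.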
