
ASA issue, DNS error messages getting logged

Hi all

I seem to have an issue with something on my ASA

I'm getting logs showing the following:

Severity: 4 | Date: Jul 22 2013 | Time: 16:48:32 | Syslog ID: 410001 | Source: x.x.x.x | Source port: 1026 | Destination: x.x.x.x | Destination port: 53
Message: Dropped UDP DNS request from Test-link:x.x.x.x/1026 to Outside:x.x.x.x/53; label length 84 bytes exceeds protocol limit of 63 bytes

Any ideas what this is and how I can solve it? I have checked my DNS inspection and the global limit is 1500 at the moment, so I don't know where to look.

cheers

3 REPLIES

Re: ASA issue, DNS error messages getting logged

Hello,

Basically, the DNS request contains a host name of which one label is longer than 63 characters. A "label" is any component between dots in a host name.

In the case of the ASA, the DNS enforcement reads the domain name one label at a time. According to RFC 1034, a label is zero to 63 octets in length.

So the ASA behavior is the expected one.

You cannot tune the DNS inspection to increase the label size, so if you are 100% sure this is valid traffic you could (NOT recommended) disable the DNS protocol enforcement, which will basically ignore what the RFC says (again, not recommended).

For Networking Posts check my blog at http://www.laguiadelnetworking.com/category/english/

Cheers,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
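The label-by-label check described in the answer above, as an added example that is not code from the thread or from Cisco: a small Python parser builds a DNS query in wire format (constructed input, including the 84-byte label from the syslog message) and walks the QNAME one label at a time, reporting any label over the RFC 1034 limit of 63 octets and any name over 255 octets.

```python
import struct

MAX_LABEL = 63   # RFC 1034 section 3.1: a label is 0 to 63 octets
MAX_NAME = 255   # RFC 1035 section 2.3.4: whole encoded name at most 255 octets


def build_query(labels, qtype=1, qid=0x1234):
    """Encode a DNS query (12-byte header + one question) for the given labels.
    Deliberately does not reject over-long labels so we can construct the
    malformed query the ASA message describes (constructed test input)."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD set, QDCOUNT=1
    return header + qname + struct.pack("!HH", qtype, 1)     # QTYPE, QCLASS=IN


def check_qname(packet):
    """Walk the first question's QNAME one label at a time, the way the ASA
    DNS protocol enforcement does, and return a list of violations."""
    violations = []
    pos, name_len = 12, 0  # question section starts after the fixed header
    while True:
        if pos >= len(packet):
            violations.append("truncated name")
            break
        length = packet[pos]
        if length & 0xC0 == 0xC0:  # 11xxxxxx: compression pointer, not valid here
            violations.append("compression pointer in question name")
            break
        if length == 0:            # root label terminates the name
            name_len += 1
            break
        # Any length 64..191 has top bits 01 or 10, which RFC 1035 reserves, so
        # a conforming resolver never emits it; the ASA reports it as over-long.
        if length > MAX_LABEL:
            violations.append(
                f"label length {length} bytes exceeds protocol limit of {MAX_LABEL} bytes")
        pos += 1 + length
        name_len += 1 + length
    if name_len > MAX_NAME:
        violations.append(
            f"name length {name_len} bytes exceeds protocol limit of {MAX_NAME} bytes")
    return violations


if __name__ == "__main__":
    bad = build_query(["a" * 84, "example", "com"])  # constructed, mirrors the syslog
    print(check_qname(bad))
    print(check_qname(build_query(["www", "example", "com"])))
```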

Re: ASA issue, DNS error messages getting logged

How do I resolve this issue?

Re: ASA issue, DNS error messages getting logged

Hello Carl,

Well that depends:

- Do you want to get rid of those logs?

- Do you want to keep the network as secure as possible?

Those are the questions you need to ask and the answers will be:

- Disable the protocol enforcement for the DNS protocol.

- Keep the configuration the way it is and investigate the DNS query being created by the user on the TestLink interface; make sure it is a valid one and not an attack.

For Networking Posts check my blog at http://www.laguiadelnetworking.com/category/english/

Cheers,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC