I don't think any DNS translation is done; I'm sure of it.
It just has standard rules.
1) By the way, how can I know or check whether any DNS translation rules with the DNS option are configured?
2) Just to be sure, I want to know: could the commands for increasing the message length to 4096, where there is also the command inspect dns which I have added, have caused the network to bog down and caused my ISP's DNS not to resolve my websites? To tell you more, the ISP has 4 DNS servers; 2 of them were resolving and 2 were not, and only after repeated follow-up with the ISP admin (after 8 hrs) were the other 2 DNS servers also OK, and one of them was the primary DNS of the ISP.
Was your DNS preset map for DNS inspection set to auto at the very beginning? You are right, if you are running version 8.2.2 or later, this problem should go away and the DNS response will be allowed with the auto option.
Thanks once again guys. I really appreciate your super fast reply.
Actually, when I first ran the command below just to check the current message length
show run policy-map inspect type dns
it showed me that the message length was 512 bytes.
I did not see any auto.
So I updated the message length with the commands below:
policy-map type inspect dns preset_dns_map
message-length maximum 4096
inspect dns preset_dns_map
After doing this I put the firewall online and things worked fine, but after 30 to 45 min or so my network bogged down completely.
I tried to find out the problem but had no luck, so I reverted back to my Linux Shorewall firewall and the network was just as normal as before.
Then I got complaints from our users that our websites were not accessible.
I tried to do a DNS lookup through Google's public DNS and it was fine, and then tried with my ISP's ns1 and it was not resolving.
I tried to check with the ns2, ns3 and ns4 DNS servers of the ISP and found that ns2 was working and so was ns4, but not ns1 and ns3.
Only after 8 hrs or so, after repeated follow-up, was ns1 of the ISP resolving.
And as I said in my first post, after checking with the ISP I was abruptly told that it was my DNS problem: either I had changed the IP of the webserver or the A record, or there was some problem with my DNS. Also the guy claimed he had to update his DNS. I don't know what he meant by that.
So once again, sorry for the repeat: could this issue have been caused by the above commands?
And now, if I have the auto option together with message-length maximum 512, would that really help me out, or do I need to check something else?
I know I am a bit silly and confused, but I just want to make things go right this time.
I had this same query posted in another forum and a guy called RYAN came out with a lovely and wise explanation to the problem I had.
I paste what he said so it will help us share knowledge,
and what he says is perfectly true:
My advice is to disable the DNS inspection and I am going to tell you why I say that. Basically, when DNS inspection is turned on (which it is by default) it "translates" or re-writes the A record on a DNS request. That is probably what caused the ISP to think that the DNS record changed and so had not updated on their servers. Below is a link that explains the DNS inspect (DNS rewrite).
As I said before, the first time when I disconnected my Linux firewall and connected my Cisco ASA, things were OK but I was not able to resolve my websites from outside.
So after googling around I came across the EDNS issue and did the following on my ASA:
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 4096
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
After this things worked fine; I could send mail and receive mail from Yahoo, which earlier I was not able to.
But after 30 to 45 min, as I mentioned earlier, my network began to crawl.
So I soon disconnected my Cisco ASA and connected my Linux firewall, and my network was normal immediately.
But then I got complaints that our websites could not be resolved.
After doing an nslookup against our upstream ISP's DNS, I too found that the websites could not be resolved.
This exactly explains what RYAN has said.
Now I am still wondering why our network could bog down completely and become normal immediately when I disconnected my Cisco ASA.
Would the above commands be responsible too?
Now on Sunday I am going to do the following:
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  no inspect dns preset_dns_map
I just want to confirm that I do not miss anything.
Also, since I have other services being inspected, I guess that would not be a problem (since class inspection is set to default and only DNS inspection is disabled).
I just want to take all the precautions so that I don't run into the same trouble as before.
Your kind advice and help will be highly appreciated.
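Added example, not from this thread or from Cisco: a small Python model of why a fixed 512-byte DNS message-length limit breaks EDNS-sized replies and why the client auto option helps. It assumes (a simplification of the ASA behaviour, not taken from documentation) that "client auto" lets a reply be as large as the UDP payload size the client advertised in its EDNS0 OPT record, and it builds its own sample query rather than sending anything on the network.

```python
import struct

# Simplified model (an assumption of this example, not Cisco documentation) of the
# ASA "inspect dns" message-length check: "message-length maximum N" bounds every
# message; "client auto" allows a reply up to the EDNS0 UDP payload size in the query.

def build_query(name, edns_udp_size=None):
    """Constructed sample DNS query (QTYPE A, QCLASS IN), optionally with EDNS0."""
    arcount = 1 if edns_udp_size else 0
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, arcount)
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"
    msg = header + qname + struct.pack("!HH", 1, 1)
    if edns_udp_size:
        # OPT RR: root name, TYPE 41, CLASS carries the UDP payload size, TTL holds flags, RDLEN 0
        msg += b"\x00" + struct.pack("!HHIH", 41, edns_udp_size, 0, 0)
    return msg

def _skip_name(msg, pos):
    """Advance past a wire-format name (labels, root, or a compression pointer)."""
    while True:
        length = msg[pos]
        if length & 0xC0 == 0xC0:
            return pos + 2
        pos += 1
        if length == 0:
            return pos
        pos += length

def edns_udp_size(msg):
    """UDP payload size from the OPT RR in the additional section, or None without EDNS0."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    pos = 12
    for _ in range(qd):
        pos = _skip_name(msg, pos) + 4
    for i in range(an + ns + ar):
        pos = _skip_name(msg, pos)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10 + rdlen
        if rtype == 41 and i >= an + ns:
            return rclass
    return None

def allowed_length(policy, query):
    """Largest reply the modelled inspection accepts for this query."""
    advertised = edns_udp_size(query) if policy["client_auto"] else None
    return advertised if advertised is not None else policy["maximum"]

def reply_dropped(policy, query, reply_len):
    return reply_len > allowed_length(policy, query)
```

For a query advertising 4096 bytes and a 1200-byte reply, reply_dropped returns True under {"maximum": 512, "client_auto": False} and False once client_auto is True, which is the difference between the two preset_dns_map configurations discussed above.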