
New Member

DNS Inspect on FWSM module

We picked up a strange problem on the FWSM. DNS queries sent to UDP 53 for the DNS services hosted on a Linux server failed to work.

DNS INSPECT on the firewalls had to be turned off and DNS tests were fired again to get this working. Is this a known problem, or do we have a workaround instead of disabling the INSPECT feature?

Cisco Employee

Re: DNS Inspect on FWSM module


It should not be a problem. A common issue would be the size of the DNS packets. Normally the ASA only supports 512, and if it exceeds that (due to the use of secure DNS) it will start dropping them.

Turn on the logs and do a couple of tests if possible.

Sent from Cisco Technical Support Android App


DNS Inspect on FWSM module

Normally 512 bytes for a DNS query is more than requested, so anything beyond this size may be considered an attack, like DNS cache poisoning or something related.

Check what your default policy on DNS inspection is doing before disabling it.

And please paste some logs showing what DNS inspection reports on those.

Have a great day, and rate if this works for you.

Have a great day. Best regards, and rate if you find this post useful.
Cisco Employee

DNS Inspect on FWSM module

With the introduction of DNS security, large DNS requests would require authentication. This was first introduced in version 8.2 of the ASA firewall, when we changed from the fixed size of 512 bytes to Auto.

The FWSM was left behind because it was either way going to be replaced by the ASA-SM.

I remember this issue when the Windows Server 2008 came out.

I would rather check exactly why the packet is being dropped with the logs than follow any suggestions.
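As an added example (not from any of the posters above), a small Python script that builds DNS queries with and without an EDNS0 OPT record and reports whether their wire length would exceed the fixed 512-byte limit the replies describe. The query name, the 4096-byte EDNS buffer and the padding size are constructed values, not from the thread.

```python
import struct

# Constructed sample input: queries for example.com, with an EDNS0 OPT record
# (RFC 6891) and optional EDNS padding (RFC 7830) to grow the message past 512 bytes.

def encode_name(name: str) -> bytes:
    """Encode a dotted name in DNS wire format (length-prefixed labels + root)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += struct.pack("B", len(label)) + label.encode("ascii")
    return out + b"\x00"

def build_query(name: str, edns_size: int = 0, padding: int = 0) -> bytes:
    """Header + one A/IN question + optional OPT RR in the additional section."""
    arcount = 1 if edns_size else 0
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, arcount)
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    opt = b""
    if edns_size:
        # OPT RR: root name, TYPE 41, CLASS carries the UDP payload size, TTL = flags
        rdata = struct.pack("!HH", 12, padding) + b"\x00" * padding if padding else b""
        opt = b"\x00" + struct.pack("!HHIH", 41, edns_size, 0, len(rdata)) + rdata
    return header + question + opt

def skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a wire-format name (handles compression pointers)."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1
        if length == 0:
            return off
        off += length

def inspect(msg: bytes, limit: int = 512) -> dict:
    """Wire length, advertised EDNS0 buffer, and whether a fixed-limit inspector drops it."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # qtype + qclass
    edns = None
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == 41:
            edns = rclass
        off += 10 + rdlen
    return {"length": len(msg), "edns_udp_size": edns, "over_limit": len(msg) > limit}

if __name__ == "__main__":
    for q in (build_query("example.com"), build_query("example.com", 4096),
              build_query("example.com", 4096, padding=600)):
        print(inspect(q))
```

The third query shows the case the thread describes: a message the resolver considers valid (it advertises a 4096-byte buffer) but which a firewall enforcing a fixed 512-byte maximum would drop.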

