DNS Inspect on FWSM module

prabhanjan_hb
Level 1

We picked up a strange problem on the FWSM. DNS queries sent to UDP 53 for the DNS services hosted on a Linux server failed to work.

DNS inspect on the firewalls had to be turned off and DNS tests were fired again to get this working. Is this a known problem, or do we have a workaround instead of disabling the inspect feature?

3 Replies

Maykol Rojas
Cisco Employee

Hi;

It should not be a problem. Common issues would be the size of the DNS packets: normally the ASA only supports 512, and if it exceeds that (due to the use of secure DNS) it will start dropping them.

Turn on the logs and do a couple of tests if possible.
Mike


Sent from Cisco Technical Support Android App

Mike

Normally, 512 bytes for a DNS query is more than enough; beyond this size, it may be considered an attack, like DNS cache poisoning or something related.

Check what your default policy is doing on DNS inspection before disabling it.

And please paste some logs showing what DNS inspection reports on those.

Have a great day, and rate if this works for you.

Have a great day. Best regards, and rate if you find this post useful.

With the introduction of DNS security, large DNS requests would require authentication. This was first introduced in version 8.2 of the ASA firewall, when we changed from the fixed size of 512 bytes to Auto.

The FWSM was left behind because it was going to be replaced by the ASA-SM anyway.

I remember this issue when the Windows Server 2008 came out.

I would rather check exactly why the packet is being dropped with the logs than act on any suggestions.

Mike

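The 512-byte figure the replies mention is the classic DNS-over-UDP maximum that legacy DNS inspection enforces; EDNS0, which DNSSEC depends on, lets a resolver advertise a larger UDP buffer in an OPT pseudo-record, so responses can legitimately grow past it. The following Python is an added example, not code from this thread or from Cisco: it builds a constructed sample response and reports whether the message would exceed such a limit and what EDNS0 UDP size it advertises. `build_response` and `dns_size_report` are hypothetical helper names.

```python
import struct
from typing import Optional

OPT_TYPE = 41  # EDNS0 pseudo-record (RFC 6891), carried in the additional section


def _skip_name(pkt: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = pkt[off]
        if length & 0xC0 == 0xC0:   # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1
        if length == 0:             # root label terminates the name
            return off
        off += length


def dns_size_report(pkt: bytes, limit: int = 512) -> dict:
    """Compare the wire length with a legacy inspection limit and extract the
    EDNS0 UDP payload size the sender advertised (None if there is no OPT RR)."""
    qd, an, ns, ar = struct.unpack("!HHHH", pkt[4:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(pkt, off) + 4          # skip QTYPE + QCLASS
    edns_size = None
    for _ in range(an + ns + ar):
        off = _skip_name(pkt, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        if rtype == OPT_TYPE:
            edns_size = rclass                  # OPT reuses the CLASS field as UDP size
        off += 10 + rdlen
    return {"length": len(pkt), "over_limit": len(pkt) > limit, "edns_udp_size": edns_size}


def _name(host: str) -> bytes:
    return b"".join(bytes([len(l)]) + l.encode() for l in host.split(".")) + b"\x00"


def build_response(host: str, edns_udp_size: Optional[int], txt_payload: bytes) -> bytes:
    """Constructed sample: one TXT answer for host, plus an OPT record if requested."""
    arcount = 1 if edns_udp_size is not None else 0
    hdr = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, arcount)   # standard response
    question = _name(host) + struct.pack("!HH", 16, 1)                # TXT, IN
    chunks = [txt_payload[i:i + 255] for i in range(0, len(txt_payload), 255)]
    rdata = b"".join(bytes([len(c)]) + c for c in chunks)             # TXT character-strings
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 16, 1, 300, len(rdata)) + rdata
    opt = b""
    if edns_udp_size is not None:
        opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, edns_udp_size, 0, 0)
    return hdr + question + answer + opt
```

A response that reports `over_limit` with a non-None `edns_udp_size` is the case the thread describes: a legitimate EDNS0 message that a fixed 512-byte inspection policy will drop.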