DNS Inspection Denial of Service Vulnerability

Advisory ID: cisco-sa-20131009-asa

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20131009-asa

I have a PIX running version 8.0.4 with the following configuration:

inside interface:      192.168.231.254/255.255.255.0
outside interface:     10.100.2.254/255.255.255.0

no nat-control

access-list test permit ip any any log
access-group test in interface outside
access-group test in interface inside

I have a Windows 2008 R2 machine residing on the inside interface of the firewall. The domain controller resides on the outside interface of the firewall.

I went ahead and implemented the change recommended by Cisco:

access-list DNS_INSPECT extended permit udp any any

class-map DNS_INSPECT_CP
   match access-list DNS_INSPECT

policy-map global_policy
   class DNS_INSPECT_CP
     inspect dns preset_dns_map

However, after implementing the workaround, my Windows 2008 R2 machine on the inside network can NOT join AD on the outside network.

In the firewall log I see this:

Oct 31 14:34:09 192.168.231.254 %PIX-4-410001: Dropped UDP DNS request from inside:192.168.231.180/61780 to outside:10.100.2.128/389; label length 132 bytes exceeds protocol limit of 63 bytes

Oct 31 14:34:17 192.168.231.254 %PIX-4-410001: Dropped UDP DNS request from inside:192.168.231.180/61780 to outside:10.100.2.128/389; label length 132 bytes exceeds protocol limit of 63 bytes

I even changed the DNS maximum length to 8192, but it still does not work.

When I remove the recommendation from the configuration, everything works fine.

Does anyone know why?

Thanks in advance

4 REPLIES

Re: DNS Inspection Denial of Service Vulnerability

Hello,

policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 1024

You do not have this command available at the CLI, right?

message-length maximum client auto

Then clear local-host, try one more time and provide the logs.

Note:

access-list test permit ip any any log
access-group test in interface outside
access-group test in interface inside

That ACL means you have no firewall in place.

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
Bronze

Re: DNS Inspection Denial of Service Vulnerability

Julio Carvajal wrote:

You do not have this command available at the CLI, right?

message-length maximum client auto

I do:

CiscoPix# sh run policy-map
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 1024
  message-length maximum client auto
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect sqlnet
  inspect dns preset_dns_map
 class class_sunrpc_tcp
  inspect sunrpc
 class DNS_INSPECT_CP
  inspect dns preset_dns_map
!
CiscoPix#

Julio Carvajal wrote:

Then clear local-host, try one more time and provide the logs.

Note:

access-list test permit ip any any log
access-group test in interface outside
access-group test in interface inside

That ACL means you have no firewall in place.

I am very aware of this. At this point it does not matter; I just want the firewall to function like a routing device.

It still does NOT work.  Here is the log:

Oct 31 17:57:25 192.168.231.254 %PIX-6-106100: access-list test permitted udp inside/192.168.231.180(61982) -> outside/10.100.2.128(53) hit-cnt 1 first hit [0x63a9cac7, 0x0]

Oct 31 17:57:25 192.168.231.254 %PIX-6-106100: access-list test permitted udp inside/192.168.231.180(61983) -> outside/10.100.2.128(389) hit-cnt 1 first hit [0x63a9cac7, 0x0]

Oct 31 17:57:25 192.168.231.254 %PIX-4-410001: Dropped UDP DNS request from inside:192.168.231.180/61983 to outside:10.100.2.128/389; label length 132 bytes exceeds protocol limit of 63 bytes

Oct 31 17:57:32 192.168.231.254 %PIX-4-410001: Dropped UDP DNS request from inside:192.168.231.180/61983 to outside:10.100.2.128/389; label length 132 bytes exceeds protocol limit of 63 bytes

Oct 31 17:57:33 192.168.231.254 %PIX-6-106100: access-list test permitted udp inside/192.168.231.180(50955) -> outside/10.100.2.128(53) hit-cnt 1 first hit [0x63a9cac7, 0x0]

Super Bronze

Re: DNS Inspection Denial of Service Vulnerability

Hi,

Wasn't your configuration meant to check DNS traffic?

Your ACL catches all UDP traffic since there is no "eq 53" at the end. In the above logs the blocked traffic is destination port 389.

So is the problem now the ACL used in the actual MPF configuration?

- Jouni
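Jouni's diagnosis turned into a log check, as an added example that is not part of the thread: parse the %PIX-4-410001 drop messages and flag any whose ports do not include 53, which is the signature of a DNS inspection class-map matching non-DNS traffic (here LDAP on udp/389 to the domain controller). The log lines are constructed from the ones posted above; accepting a message word other than "request" is an assumption.

```python
import re

# Constructed sample modelled on the thread's syslog output (not a real capture).
SAMPLE_LOG = """\
Oct 31 17:57:25 192.168.231.254 %PIX-6-106100: access-list test permitted udp inside/192.168.231.180(61982) -> outside/10.100.2.128(53) hit-cnt 1 first hit [0x63a9cac7, 0x0]
Oct 31 17:57:25 192.168.231.254 %PIX-4-410001: Dropped UDP DNS request from inside:192.168.231.180/61983 to outside:10.100.2.128/389; label length 132 bytes exceeds protocol limit of 63 bytes
Oct 31 17:57:40 192.168.231.254 %PIX-4-410001: Dropped UDP DNS request from inside:192.168.231.180/61999 to outside:10.100.2.128/53; label length 70 bytes exceeds protocol limit of 63 bytes
"""

# Message 410001 as seen in the thread; the PIX|ASA prefix and the free
# "kind" word (request/reply) are assumptions to keep the matcher tolerant.
DROP_RE = re.compile(
    r"%(?:PIX|ASA)-4-410001: Dropped UDP DNS (?P<kind>\w+) from "
    r"(?P<src_if>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) to "
    r"(?P<dst_if>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+); (?P<reason>.*)"
)


def parse_dns_drops(log_text):
    """Return one dict per 410001 message found in the log text."""
    drops = []
    for line in log_text.splitlines():
        m = DROP_RE.search(line)
        if m:
            d = m.groupdict()
            d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
            drops.append(d)
    return drops


def misapplied_inspection(drops):
    """Drops where neither port is 53: the DNS inspector is parsing non-DNS payloads.

    A genuine DNS packet always has 53 on one side; an LDAP or Kerberos
    datagram handed to 'inspect dns' will fail label/length checks instead."""
    return [d for d in drops if 53 not in (d["sport"], d["dport"])]


def summarize(log_text):
    """Count DNS-inspection drops and list the non-DNS destination ports among them."""
    drops = parse_dns_drops(log_text)
    bad = misapplied_inspection(drops)
    return {
        "dns_drops": len(drops),
        "non_dns_drops": len(bad),
        "non_dns_ports": sorted({d["dport"] for d in bad}),  # e.g. [389]
    }
```

A non-empty non_dns_ports list points at the class-map ACL rather than at the message-length parameters, which is exactly why raising the maximum to 8192 changed nothing here.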

Bronze

Re: DNS Inspection Denial of Service Vulnerability

I had one too many beers not to see this :-). Thanks. Everything is working now.
