Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
Community Member

DNS replies causing over 10000 conns

i have an asa 5505 guarding a single web server. it is running dns. ports 80tcp and 53udp/tcp are opened.

the problem is that every once and a while my server sends out a large amount of DNS replies causing it to go over 10000 conn limit (replies to initial request from DNS servers).

i tried doing:

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 768

id-randomization

id-mismatch count 10 duration 2 action log

this is blocking some of the replies that are over 768 bytes. i noticed some replies are up to 1200 bytes even.

any idea how i can solve this problem? my goal is to prevent the device from going over 10000 conns but not interfere with legitimate traffic...

thanks a ton!

-c0ld

2 REPLIES
Silver

Re: DNS replies causing over 10000 conns

You need to do cl xlate to resolve it.

Still you are getting issue then makesure you may be hitting the DNS idle time bug. If you are hitting this bug the upgrade it.

Gold

Re: DNS replies causing over 10000 conns

Do you mean for this dns server to be a public dns server? not sure what dns server you're using, but if it's windows there is no way to block who can use it as a caching dns server. BIND can though.

you may want to look at an alternative dns solution for internet users to resolve your public facing hosts (eg everydns.net), and then keep your internal dns server just for local users - that way you can close tcp/udp 53.

154
Views
0
Helpful
2
Replies
CreatePlease to create content