Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

DNS response

Hello,

I am getting following critical log message:

DENY INBOUND UDP from X.Y.Z.1/53 to P.Q.R.2/1025 due to DNS response

No impact on client/server side though. But this is continuosly generating log.Related ACL are allowed for DNS response.

what is causing this message to log.Please advise.

regards

SAS

5 REPLIES

Re: DNS response

Can you please post the complete log line? Also including the Log number.

Regards

Farrukh

Re: DNS response

Hi,

The number of message is 106007.

Explanation : This is a connection-related message. This message is displayed if a UDP packet containing a DNS query or response is denied.

Recommended Action : If the inside port number is 53, the inside host probably is set up as a caching name server. Add an access-list command statement to permit traffic on UDP port 53, and a translation entry for the inside host. If the outside port number is 53, a DNS server was probably too slow to respond, and the query was answered by another server.

Reference: http://www.cisco.com/en/US/docs/security/asa/asa72/system/message/logmsgs.html#wp1279764

I hope this helps.

Best regards.

Massimiliano.

New Member

Re: DNS response

thanks for the reply, In fact I had referred to this link and tried allowing required policies but same problem persists... any advices further.

regards

SAS

New Member

Re: DNS response

Hi,

I'm working on the same issue and what I get it that one DNS server has responded and the firewall DNS inspection engine realizes this so it doesn't respond to the DNS query. I don't think its a harmful log message but I'm looking into it further on my end.

Craig

Re: DNS response

Yes this message is normal if you have two servers configured for DHCP relay in the firewall. The first DNS response is allowed through but the second is blocked (and rightly so).

Regards

Farrukh

621
Views
0
Helpful
5
Replies