08-23-2017 10:59 AM - edited 02-21-2020 06:14 AM
I'm having an issue on my DMZ with long DNS lookups. A Cisco ESA (Email Security Appliance) sometimes quarantines email because of DMARC failure. In reality it is not able to obtain the full SPF record because it is longer than 512 bytes, and for whatever reason, when trying to get the DNS record from our internal Windows DNS servers on the LAN, it's truncated and incorrect. If I change it to look at an external DNS address such as 8.8.8.8, it is able to retrieve the entire DNS TXT record via TCP.
This is through an ASA5525X
I have these settings, and I thought that having the maximum message-length set so high would resolve this issue; however, it does not. If I search our firewall config for DNS I find it in these lines:
dns-guard
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 65535
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
Here are our internal DNS servers on the 10.x.x.x network. The ESA is on the 192.168.1.0 network.
access-list dmz_access_in extended permit udp 192.168.1.0 255.255.255.0 host 10.1.1.1 eq domain
access-list dmz_access_in extended permit udp 192.168.1.0 255.255.255.0 host 10.1.1.2 eq domain
access-list dmz_access_in extended permit udp 192.168.1.0 255.255.255.0 host 10.30.1.1 eq domain
access-list dmz_access_in extended permit tcp 192.168.1.0 255.255.255.0 host 10.1.1.1 eq domain
access-list dmz_access_in extended permit tcp 192.168.1.0 255.255.255.0 host 10.1.1.2 eq domain
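As an added illustration of the mechanism behind the first post (this is not code from the thread or from Cisco), the Python script below builds a DNS TXT query and answer in memory, simulates a UDP server that cannot fit a long SPF record into the classic 512-byte DNS/UDP payload and therefore sets the TC (truncated) flag and cuts the reply, and shows both a client that ignores TC and ends up with a broken record and a client that retries the same query over TCP and reassembles the multi-string TXT RR the way RFC 7208 section 3.3 requires. The zone name example.com, the query ID and the padded SPF record are constructed for the example; nothing touches the network. One thing worth checking against the access-list quoted above: it permits TCP/53 from the DMZ to 10.1.1.1 and 10.1.1.2, but only UDP/53 to 10.30.1.1, so a TCP retry toward that third server has no matching permit.

```python
import struct

# Constructed example data: a hypothetical zone and an SPF record padded with
# enough ip4 mechanisms to push the DNS answer well past 512 bytes.
ZONE = "example.com"
SPF_RECORD = "v=spf1 " + " ".join(f"ip4:203.0.113.{i}" for i in range(1, 41)) + " -all"

TYPE_TXT = 16
CLASS_IN = 1
FLAG_QR = 0x8000   # message is a response
FLAG_AA = 0x0400   # authoritative answer
FLAG_TC = 0x0200   # truncated: client should retry over TCP
FLAG_RD = 0x0100   # recursion desired
UDP_MAX = 512      # DNS-over-UDP payload limit without EDNS0


def encode_name(name):
    """Encode a dotted name as length-prefixed DNS labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lb)]) + lb.encode() for lb in labels) + b"\x00"


def build_query(qid, name):
    """Standard TXT query: 12-byte header plus one question."""
    header = struct.pack("!HHHHHH", qid, FLAG_RD, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", TYPE_TXT, CLASS_IN)


def build_txt_response(query, txt):
    """Answer the query with one TXT RR. Text longer than 255 bytes is split
    into several <character-string>s inside the same RR (RFC 7208 s3.3)."""
    qid = struct.unpack("!H", query[:2])[0]
    question = query[12:]
    data = txt.encode()
    chunks = [data[i:i + 255] for i in range(0, len(data), 255)]
    rdata = b"".join(bytes([len(c)]) + c for c in chunks)
    answer = (b"\xc0\x0c"                                   # pointer to the question name
              + struct.pack("!HHIH", TYPE_TXT, CLASS_IN, 300, len(rdata))
              + rdata)
    header = struct.pack("!HHHHHH", qid, FLAG_QR | FLAG_AA, 1, 1, 0, 0)
    return header + question + answer


def make_udp_server(txt):
    """Plain DNS over UDP: if the answer exceeds 512 bytes, send what fits
    with the TC flag set so the client knows to retry over TCP."""
    def serve(query):
        full = build_txt_response(query, txt)
        if len(full) <= UDP_MAX:
            return full
        flags = struct.unpack("!H", full[2:4])[0] | FLAG_TC
        return full[:2] + struct.pack("!H", flags) + full[4:UDP_MAX]
    return serve


def make_tcp_server(txt):
    """DNS over TCP: the complete message behind a 2-byte length prefix."""
    def serve(query):
        full = build_txt_response(query, txt)
        return struct.pack("!H", len(full)) + full
    return serve


def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name."""
    while True:
        if off >= len(msg):
            raise ValueError("message ends inside a name")
        length = msg[off]
        if length & 0xC0 == 0xC0:          # 2-byte compression pointer ends the name
            return off + 2
        if length == 0:
            return off + 1
        off += 1 + length


def parse_txt(msg):
    """Return (tc_flag, list of TXT strings); raise ValueError if cut short."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4       # name + QTYPE + QCLASS
    strings = []
    for _ in range(an):
        off = skip_name(msg, off)
        if off + 10 > len(msg):
            raise ValueError("RR header truncated")
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        if len(rdata) != rdlen:
            raise ValueError("RDATA truncated")
        if rtype == TYPE_TXT:
            p = 0
            while p < rdlen:
                n = rdata[p]
                strings.append(rdata[p + 1:p + 1 + n].decode())
                p += 1 + n
        off += rdlen
    return bool(flags & FLAG_TC), strings


def udp_only(name, udp):
    """A client that never retries over TCP: it either notices TC or, worse,
    parses the cut-off reply and gets an error or a partial record."""
    reply = udp(build_query(0x1234, name))
    try:
        truncated, strings = parse_txt(reply)
        return ("truncated" if truncated else "ok"), "".join(strings)
    except ValueError as exc:
        return "error", str(exc)


def resolve_spf(name, udp, tcp):
    """Correct behaviour: query over UDP; on TC, repeat the query over TCP,
    then concatenate the TXT strings (no separator) before evaluating SPF."""
    query = build_query(0x1234, name)
    reply = udp(query)
    transport = "udp"
    if struct.unpack("!H", reply[2:4])[0] & FLAG_TC:
        transport = "tcp"
        framed = tcp(query)
        (length,) = struct.unpack("!H", framed[:2])
        reply = framed[2:2 + length]
    _, strings = parse_txt(reply)
    return transport, "".join(strings)


if __name__ == "__main__":
    udp, tcp = make_udp_server(SPF_RECORD), make_tcp_server(SPF_RECORD)
    print("UDP-only client:", udp_only(ZONE, udp))
    transport, spf = resolve_spf(ZONE, udp, tcp)
    print(f"{len(SPF_RECORD)}-byte record intact over {transport}: {spf == SPF_RECORD}")
```

Running it prints the UDP-only failure first and then the intact record retrieved over TCP. A short record such as `v=spf1 -all` comes back complete over UDP with the same client, which is the case the firewall rules above already cover for all three servers.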
08-23-2017 09:42 PM
08-28-2017 06:49 AM
Well we ended up going a different route as suggested by TAC for our Email Security Appliance.
We put the two OpenDNS servers' IP addresses in, and then as an override we put our internal DNS server IP addresses for our domain name.
So now as email comes in, the ESA queries to OpenDNS, it gets the larger SPF TXT records that sometimes require TCP instead of UDP responses. It can evaluate it correctly, mark the SPF as pass and deliver the mail message.
The appliance can still talk to our internal mail server because it has a DNS override for our domain name only. So far everything seems to be working normally.