Having issue with long DNS lookups

keithsauer507
Level 5

I'm having an issue on my DMZ with long DNS lookups.  A Cisco ESA (Email Security Appliance) sometimes quarantines email because of DMARC failure.  In reality it is not able to obtain the full SPF record because it is longer than 512 bytes, and for whatever reason when trying to get the DNS record from our internal Windows DNS servers on the LAN, it's truncated and incorrect.  If I change it to look at an external DNS address such as 8.8.8.8, it is able to retrieve the entire DNS TXT record via TCP.

This is through an ASA5525X

I have these settings but I thought having the maximum message-length set so high it would resolve this issue, however it does not.  If I search our firewall config for DNS I find it in these lines:

dns-guard

policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 65535
policy-map global_policy
class inspection_default
inspect dns preset_dns_map

Here are our internal DNS servers on the 10.x.x.x network.  ESA is on the 192.168.1.0 network.

access-list dmz_access_in extended permit udp 192.168.1.0 255.255.255.0 host 10.1.1.1 eq domain
access-list dmz_access_in extended permit udp 192.168.1.0 255.255.255.0 host 10.1.1.2 eq domain
access-list dmz_access_in extended permit udp 192.168.1.0 255.255.255.0 host 10.30.1.1 eq domain
access-list dmz_access_in extended permit tcp 192.168.1.0 255.255.255.0 host 10.1.1.1 eq domain
access-list dmz_access_in extended permit tcp 192.168.1.0 255.255.255.0 host 10.1.1.2 eq domain
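The symptom in the post (a TXT record over 512 bytes that comes back truncated from one resolver but complete from another) is the classic DNS truncation path: the resolver answers over UDP with the TC bit set, and the client is expected to repeat the query over TCP/53. The script below is an added diagnostic, not code from the thread or from Cisco; it uses only the Python standard library, sends a plain (non-EDNS) TXT query, reports whether the UDP reply has TC set, and then tests whether the TCP/53 retry actually completes through the firewall. The server 8.8.8.8 and the name example.com in the usage line are placeholder assumptions; point it at an internal DNS server and the real domain to compare both paths.

```python
# Added diagnostic (not from the thread): query a TXT record over UDP, check the
# DNS header's TC (truncated) bit, and retry over TCP/53 when it is set.
# Standard library only. Server and name values are assumptions/placeholders.
import socket
import struct

DNS_PORT = 53
QTYPE_TXT = 16
QCLASS_IN = 1
FLAG_QR = 0x8000   # response bit
FLAG_TC = 0x0200   # truncated: answer did not fit in the UDP reply


def build_txt_query(name, txid=0x1234):
    """Build a minimal recursive TXT query with no EDNS0 OPT record, so the
    classic 512-byte UDP limit applies and oversized answers return TC=1."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", QTYPE_TXT, QCLASS_IN)


def parse_header(message):
    """Decode the 12-byte DNS header into the fields a truncation check needs."""
    if len(message) < 12:
        raise ValueError("short DNS message")
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", message[:12])
    return {
        "id": txid,
        "response": bool(flags & FLAG_QR),
        "truncated": bool(flags & FLAG_TC),
        "rcode": flags & 0x000F,
        "ancount": ancount,
    }


def needs_tcp_retry(message, txid):
    """RFC 1035 rule: a matching response with TC=1 must be re-asked over TCP."""
    hdr = parse_header(message)
    return hdr["id"] == txid and hdr["response"] and hdr["truncated"]


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("TCP/53 connection closed early")
        buf += chunk
    return buf


def query_udp(server, name, txid=0x1234, timeout=3.0):
    query = build_txt_query(name, txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, DNS_PORT))
        data, _ = s.recvfrom(4096)
    return data


def query_tcp(server, name, txid=0x1234, timeout=3.0):
    """TCP DNS frames every message with a 2-byte big-endian length prefix."""
    query = build_txt_query(name, txid)
    with socket.create_connection((server, DNS_PORT), timeout=timeout) as s:
        s.sendall(struct.pack("!H", len(query)) + query)
        (length,) = struct.unpack("!H", _recv_exact(s, 2))
        return _recv_exact(s, length)


def check_txt_path(server, name):
    """Report whether the resolver truncates the TXT answer over UDP and whether
    the TCP/53 fallback gets through (e.g. across a DMZ firewall)."""
    txid = 0x4B1D
    udp = query_udp(server, name, txid)
    report = {"udp_bytes": len(udp), "udp_truncated": needs_tcp_retry(udp, txid)}
    if report["udp_truncated"]:
        try:
            tcp = query_tcp(server, name, txid)
            hdr = parse_header(tcp)
            report["tcp_bytes"] = len(tcp)
            report["tcp_complete"] = hdr["response"] and not hdr["truncated"] and hdr["rcode"] == 0
        except (OSError, ConnectionError) as exc:
            report["tcp_error"] = str(exc)  # TCP/53 blocked, or no TCP listener
    return report


if __name__ == "__main__":
    import sys
    # Placeholder defaults; run as: python dnscheck.py <dns-server-ip> <domain>
    server, name = (sys.argv[1], sys.argv[2]) if len(sys.argv) == 3 else ("8.8.8.8", "example.com")
    print(check_txt_path(server, name))
```

Run it once against an internal DNS server and once against an external one with the same domain. If the internal run shows udp_truncated true but tcp_error or tcp_complete false, the TCP/53 retry is what is failing between the DMZ and the LAN resolvers, which is what the ESA would also see.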

2 Replies

Philip D'Ath
VIP Alumni
What happens if you disable DNS inspection?

Well we ended up going a different route as suggested by TAC for our Email Security Appliance.

We put the two OpenDNS servers DNS IP addresses in, and then for an override we put our internal DNS server IP addresses for our domain name.

So now as email comes in, the ESA queries to OpenDNS, it gets the larger SPF TXT records that sometimes require TCP instead of UDP responses.  It can evaluate it correctly, mark the SPF as pass and deliver the mail message.

The appliance can still talk to our internal mail server because it has a DNS override for our domain name only.  So far everything seems to be working normally.
