Cisco Support Community

New Member

Source port 53, being attacked or legit?

Hi, I have an ASA 5505 with many of the following types of errors appearing in my logs:

%ASA-4-410001: Dropped UDP DNS reply from outside:64.236.1.107/53 to inside:10.1.1.1/25051; packet length 518 bytes exceeds configured limit of 512 bytes

%ASA-4-410001: Dropped UDP DNS reply from outside:192.33.4.12/53 to inside:10.1.1.1/14416; packet length 543 bytes exceeds configured limit of 512 bytes

%ASA-4-410001: Dropped UDP DNS reply from outside:192.33.4.12/53 to inside:10.1.1.1/52513; packet length 543 bytes exceeds configured limit of 512 bytes

%ASA-4-410001: Dropped UDP DNS reply from outside:192.228.79.201/53 to inside:10.1.17.6/19901; packet length 543 bytes exceeds configured limit of 512 bytes

Some of the source addresses appear to be legit root servers, but are these being spoofed? It seems odd that the root servers would launch an attack.

I am using these rules:

dns-guard
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
  id-randomization
  id-mismatch count 10 duration 2 action log
 match header-flag RD
  log
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map

Please advise

Thanks

2 REPLIES

Re: Source port 53, being attacked or legit?

The queries are going the other way. They are sourcing from your internal clients (10.1.1.1 and 10.1.17.6). This is typical if these are your DNS forwarders or they are configured to use the root hints. You might want to increase the message length for DNS; 512 tends to be a little too small.

Hope that helps.

New Member

Re: Source port 53, being attacked or legit?

Thanks for the feedback, Collin.

Yeah, I was trying to troubleshoot over 10000 connections being taken up by the ASA, but I can't figure out what's causing it. At least once a day it goes over the limit.
