Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
8758
Views
5
Helpful
3
Replies

DNS dropped because packets to big for configured 512?

kcaporaso
Level 1
Level 1

‎09-14-2007 12:06 PM - edited ‎03-05-2019 06:29 PM

192.33.4.12 master Dropped UDP DNS reply from outside:192.33.4.12/53 to inside:master/53; packet length 536 bytes exceeds configured limit of 512 bytes

Should I increase my configured length or is this an attempt at an exploit of some sort??

TIA!

Labels:
0 Helpful
3 Replies 3

JORGE RODRIGUEZ
Level 10
Level 10

‎09-14-2007 06:53 PM

you can safely increase the dns packet length to 1500 , 512 is the default.

"fixup protocol dns maximum-length 1500 "

Background fixup protocol dns

Use the fixup protocol dns command to specify the maximum DNS packet length. DNS requires application inspection so that DNS queries are not subject to the generic UDP handling based on activity timeouts. Instead, UDP connections associated with DNS queries and responses are torn down as soon as a reply to a DNS query has been received.

The port assignment for the Domain Name System (DNS) is not configurable.

Set the maximum length for the DNS fixup as shown in the following example:

pixfirewall(config)# fixup protocol dns maximum-length 1500

pixfirewall(config)# show fixup protocol dns

fixup protocol dns maximum length 1500

Jorge

Jorge Rodriguez

kcaporaso
Level 1
Level 1
In response to JORGE RODRIGUEZ

‎09-15-2007 04:30 AM

Thanks again, Jorge! Trying to understand the ASA better. BTW, The "show fixup protocol dns" command doesn't seem to work on my ASA 5505, but it did take the fixup to the allowed length!

Result of the command: "show fixup protocol dns"

show fixup protocol dns

^

ERROR: % Invalid input detected at '^' marker.

0 Helpful

JORGE RODRIGUEZ
Level 10
Level 10
In response to kcaporaso

‎09-15-2007 09:07 AM

Hi Kevin, try " show fixup ", in any case, is the udp dns reply still being droped ?

BTW, here is a good link to CLI reference by ASA version that gives you at least a brief explanation, but of course if in doubt it is good to ask.

http://www.cisco.com/en/US/products/ps6120/prod_command_reference_list.html

Rgds

Jorge

Jorge Rodriguez
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card