Cisco Support Community

New Member

DNS dropped because packets too big for configured 512?

192.33.4.12 master Dropped UDP DNS reply from outside:192.33.4.12/53 to inside:master/53; packet length 536 bytes exceeds configured limit of 512 bytes

Should I increase my configured length, or is this an attempt at an exploit of some sort?

TIA!

3 REPLIES

Re: DNS dropped because packets too big for configured 512?

You can safely increase the DNS packet length to 1500; 512 is the default.

"fixup protocol dns maximum-length 1500"

Background fixup protocol dns

Use the fixup protocol dns command to specify the maximum DNS packet length. DNS requires application inspection so that DNS queries are not subject to the generic UDP handling based on activity timeouts. Instead, UDP connections associated with DNS queries and responses are torn down as soon as a reply to a DNS query has been received.

The port assignment for the Domain Name System (DNS) is not configurable.

Set the maximum length for the DNS fixup as shown in the following example:

pixfirewall(config)# fixup protocol dns maximum-length 1500

pixfirewall(config)# show fixup protocol dns

fixup protocol dns maximum length 1500

Jorge

New Member

Re: DNS dropped because packets too big for configured 512?

Thanks again, Jorge! Trying to understand the ASA better. BTW, the "show fixup protocol dns" command doesn't seem to work on my ASA 5505, but it did take the fixup to the allowed length!

Result of the command: "show fixup protocol dns"

show fixup protocol dns

^

ERROR: % Invalid input detected at '^' marker.

Re: DNS dropped because packets too big for configured 512?

Hi Kevin, try "show fixup". In any case, is the UDP DNS reply still being dropped?

BTW, here is a good link to the CLI reference by ASA version; it gives at least a brief explanation, but of course if in doubt it is good to ask.

http://www.cisco.com/en/US/products/ps6120/prod_command_reference_list.html

Rgds

Jorge
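Added example, not part of the thread above and not Cisco code: before raising the limit blindly, it helps to triage the drop messages themselves, since the 512-byte default predates EDNS0 and a large reply from 192.33.4.12 (c.root-servers.net, as in the original log line) is what a modern referral looks like, whereas an oversized *request* leaving the inside network is the pattern worth a second look. The script below parses lines in the exact format quoted in the first post, summarizes dropped replies per DNS server, picks the smallest limit from a ladder that would have let every reply through, and lists oversized requests separately. The sample log lines are constructed (only the first is from the thread), the "%ASA-4-410001:" prefix on some of them is stated as an assumption about the ASA syslog ID, and the ladder values and the 65535 upper bound are choices made here, not settings taken from Cisco documentation.

```python
"""Triage ASA/PIX 'Dropped UDP DNS' syslog lines to choose a DNS length limit."""
import re
from collections import defaultdict

# Matches the PIX/ASA message quoted in the thread. The regex is unanchored, so
# a leading "host" prefix or a "%ASA-4-410001:" syslog ID (assumption) is tolerated.
DNS_DROP_RE = re.compile(
    r"Dropped UDP DNS (?P<kind>request|reply) from "
    r"(?P<src_if>[\w-]+):(?P<src>[^/\s]+)/(?P<sport>\d+) to "
    r"(?P<dst_if>[\w-]+):(?P<dst>[^/\s]+)/(?P<dport>\d+); "
    r"packet length (?P<length>\d+) bytes exceeds configured limit of "
    r"(?P<limit>\d+) bytes"
)

# Candidate limits, chosen here as an assumption: 512 (pre-EDNS0 default),
# 1232 (common EDNS0 buffer size), 1500 (Ethernet MTU, the value suggested in
# the thread), 4096, and 65535 as the largest a UDP payload can be.
LIMIT_LADDER = (512, 1232, 1500, 4096, 65535)

# Constructed sample: the first line is the one from the thread; the rest are
# made up in the same format, plus one unrelated ASA line that must be ignored.
SAMPLE_LOGS = """\
192.33.4.12 master Dropped UDP DNS reply from outside:192.33.4.12/53 to inside:master/53; packet length 536 bytes exceeds configured limit of 512 bytes
%ASA-4-410001: Dropped UDP DNS reply from outside:192.0.2.53/53 to inside:10.0.0.5/53; packet length 589 bytes exceeds configured limit of 512 bytes
%ASA-4-410001: Dropped UDP DNS reply from outside:192.33.4.12/53 to inside:10.0.0.5/53; packet length 1397 bytes exceeds configured limit of 512 bytes
%ASA-4-410001: Dropped UDP DNS request from inside:10.0.0.7/53 to outside:203.0.113.9/53; packet length 4096 bytes exceeds configured limit of 512 bytes
%ASA-4-106023: Deny tcp src outside:203.0.113.77/4444 dst inside:10.0.0.5/22 by access-group "outside_in"
"""


def parse_dns_drops(text):
    """Return one dict per DNS length drop; lines that do not match are skipped."""
    drops = []
    for line in text.splitlines():
        m = DNS_DROP_RE.search(line)
        if not m:
            continue
        d = m.groupdict()
        for key in ("sport", "dport", "length", "limit"):
            d[key] = int(d[key])
        drops.append(d)
    return drops


def summarize_replies(drops):
    """Per DNS server (the reply's source): dropped-reply count and largest size."""
    stats = defaultdict(lambda: {"count": 0, "max_length": 0})
    for d in drops:
        if d["kind"] != "reply":
            continue
        s = stats[d["src"]]
        s["count"] += 1
        s["max_length"] = max(s["max_length"], d["length"])
    return dict(stats)


def recommend_limit(reply_stats):
    """Smallest ladder value that would have passed every dropped reply seen."""
    if not reply_stats:
        return LIMIT_LADDER[0]
    biggest = max(s["max_length"] for s in reply_stats.values())
    return next((v for v in LIMIT_LADDER if v >= biggest), LIMIT_LADDER[-1])


def suspicious_requests(drops, threshold=512):
    """Oversized requests: queries are normally tiny, so these deserve a look
    (DNS tunnelling or exfiltration) rather than a bigger limit."""
    return [d for d in drops if d["kind"] == "request" and d["length"] > threshold]


if __name__ == "__main__":
    drops = parse_dns_drops(SAMPLE_LOGS)
    stats = summarize_replies(drops)
    for server, s in sorted(stats.items()):
        print(f"{server}: {s['count']} dropped replies, largest {s['max_length']} bytes")
    print("recommended maximum-length:", recommend_limit(stats))
    for d in suspicious_requests(drops):
        print("investigate:", d["src"], "->", d["dst"], d["length"], "bytes")
```

On the ASA itself (as opposed to the PIX 6.x syntax quoted in the first reply) the same setting lives in the Modular Policy Framework: `policy-map type inspect dns preset_dns_map`, then `parameters`, then `message-length maximum 1500`, and it is visible with `show running-config policy-map` rather than `show fixup`. Feed the script real syslog from the ASA (for example from `show logging` or the syslog server) instead of the constructed sample to see which resolvers are producing the large replies.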
