Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

DNS best practices and syslog

I have two internal DNS servers on my LAN that all the hosts use. Both DNS servers use forwarding to Internet DNS servers that resolve Internet requests. I have statics for both of my internal DNS servers. I have an outbound access-list that blocks all DNS queries except for the queries from my Internal DNS servers to the DNS servers on the forwarders list. I see a lot of syslog messages generated by denies from my Internal DNS servers to Internet DNS servers that are not on the forwarders tab. 2 questions:

1. Will an excessive amount of syslog (35 K messages per day vs 10 K messages per day) messaging slow down traffic through the firewall? Or as long as CPU and mem do not increase, it should not be severely affected?

2. I do not have an inbound access-list allowing return DNS answers from Internet DNS servers to my internal DNS servers. But DNS resolution works fine for my LAN hosts. Is this a correct setup? As long as you have a static, you do not need inbound access-lists because the DNS query was initiated from the inside?



Cisco Employee

Re: DNS best practices and syslog

1. Should be OK, but you'll need to monitor it. Excessive syslogging can certainly cause the PIX to slow down, so depending on how much real traffic you're pushing thru it, in addition to having it generate 35K packets each day, you'll need to keep a close eye on it. CPU and blocks available will be a good resource to tell you how the PIX is performing.

2. The PIX automatically allows return traffic in, so if the DNS traffic originates from the inside and goes out, the reply will automatically be allowed back in, you don't need to specifically allow it with an ACL. This is the same for any traffic in any direction, the reply is always allowed back.

New Member

Re: DNS best practices and syslog


2. TCP and UDP replies are always allowed to come back. ICMP (e.g. echo reply) needs to be specifically defined with an access-list.