Cisco Support Community
Community Member

DNS Requests killing PIX 525


When +/- 800 PCs do a DNS lookup for a domain that does not exist to 8 regional DNS servers which in turn query 2 main DNS servers, the amount of connections for 1 of the DNS servers on the PIX arein excess of 75000 connections, killing the CPU of the PIX running ver 6.3(4).

Is there any way of stopping or limiting the amount of connections the PIX will open for the 2 main DNS servers?


Re: DNS Requests killing PIX 525

hello johan

you have a parameter called max_conns on the static nat statement. you can set this and the pix will block any tcp or udp connections once that number is reached.... you can probably create seperate statics for each dns server and give this limit... just note that any valid dns request after this number will also get dropped. so make sure you define the correct number...

have a look at this URL for more info...

One thing - are all the 75000 entries valid ones ? probably some kinda attack is there on your network. just check on that.


Community Member

Re: DNS Requests killing PIX 525


There is a nat in place with a max connection limit of 3000 and embryonic connection limit of 1000, this did not stop the amount of connection the DNS queries made on the firewall.

Does the max_conns limit UDP?? see the output from a help nat on a PIX firewall and it states TCP only which differs from the command reference guide.


Cisco Employee

Re: DNS Requests killing PIX 525

Hi ,

Check the timeout value configured for UDP connections ,PIX should clear the idle DNS [UDP] connections on its own ,however if you have so many UDP connections then you may be hitting a BUG which was for DNS connections not cleared by pix .it was in 6.2.x ,.

check the "show conn detail" and check whats the idle time for these connections ,if its more than 2 min [which is default timeout value for UDP ] then you are definitely hitting the bug.



CreatePlease to create content