I have 2 internal DNS servers that forward requests to 2 DNS servers on the Internet. All other DNS requests to other Internet DNS servers are blocked by my outbound ACL. I receive thousands of syslog warnings daily about blocked DNS requests due to this ACL.
1. Is this the best way to set up DNS? This is really safe, but at the same time it is causing 10k-plus messages per day? Is this causing network congestion at the PIX?
2. Is there a "best practices" approach for DNS that would not result in such heavy syslogging?
> I receive thousands of syslog warnings daily ...
You should troubleshoot using the info from these messages.
Can you give us more info about the blocked requests?
If they originate from an internal workstation/server, you then should check the configuration of that host.
Note that some server applications (like mail servers) have a DNS client with its own configuration besides the DNS configuration of the machine itself.
Note also that some DNS traffic is blocked by the PIX built-in DNS guard: for example, if you get more than 1 reply for a DNS query, the PIX will let only the first one through. Or if the DNS reply takes too much time, the PIX will time out and tear down the connection.
I believe the problem is that I am using recursion to resolve queries that are not resolved by my forwarders. I notice a lot of the denies are to the root DNS servers. The other denies to the other DNS servers are probably referrals to DNS servers from the root DNS servers.
1. Should I turn off recursion and only use forwarders for DNS queries? (This is effectively what I have, because all queries to all other DNS servers besides the two DNS servers that I use as forwarders are being blocked.)
2. Should I allow my internal DNS servers to query any Internet DNS server?
Which one is recommended? I guess it could be a question of security vs performance?
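The reply above says to troubleshoot from the deny messages themselves, and the follow-up post suspects that most of them are the internal DNS servers recursing to root and referral servers. The script below is an added example (not from this thread and not Cisco code) that does exactly that triage: it parses PIX `106023` "Deny ... by access-group" lines, keeps only those aimed at port 53, and splits them into denies coming from the two internal DNS servers (recursion leaking past the forwarders) and denies from any other internal host (a misconfigured host, or an application such as a mail server with its own resolver settings). The syslog lines, IP addresses, interface names, ACL name and the set of internal DNS servers are all constructed for the example.

```python
import re
from collections import Counter

# Constructed sample syslog lines in the PIX 106023 "Deny ... by access-group" format.
# Addresses, interface names and the ACL name are invented for this example.
SAMPLE_SYSLOG = """\
%PIX-4-106023: Deny udp src inside:10.0.0.10/49152 dst outside:198.51.100.7/53 by access-group "outbound"
%PIX-4-106023: Deny udp src inside:10.0.0.10/49153 dst outside:198.51.100.7/53 by access-group "outbound"
%PIX-4-106023: Deny udp src inside:10.0.0.10/49154 dst outside:203.0.113.21/53 by access-group "outbound"
%PIX-4-106023: Deny udp src inside:10.0.0.11/50000 dst outside:198.51.100.7/53 by access-group "outbound"
%PIX-4-106023: Deny udp src inside:10.0.0.55/51234 dst outside:192.0.2.53/53 by access-group "outbound"
%PIX-4-106023: Deny tcp src inside:10.0.0.55/51235 dst outside:192.0.2.53/53 by access-group "outbound"
%PIX-4-106023: Deny tcp src inside:10.0.0.10/49155 dst outside:192.0.2.80/80 by access-group "outbound"
"""

# Assumed: the two internal DNS servers that are the only hosts meant to reach the forwarders.
INTERNAL_DNS_SERVERS = {"10.0.0.10", "10.0.0.11"}

DENY_RE = re.compile(
    r'%PIX-4-106023: Deny (?P<proto>tcp|udp) '
    r'src \S+:(?P<src>[\d.]+)/\d+ '
    r'dst \S+:(?P<dst>[\d.]+)/(?P<dport>\d+) '
    r'by access-group "(?P<acl>[^"]+)"'
)


def parse_dns_denies(text):
    """Return (proto, src, dst, acl) tuples for each denied request whose destination port is 53."""
    denies = []
    for line in text.splitlines():
        m = DENY_RE.search(line)
        if m and m.group("dport") == "53":
            denies.append((m.group("proto"), m.group("src"), m.group("dst"), m.group("acl")))
    return denies


def summarize(denies, dns_servers=INTERNAL_DNS_SERVERS):
    """Split denied DNS requests into the two cases discussed in the thread.

    recursion_from_dns_servers: denies whose source is one of the internal DNS servers,
        i.e. the resolver is chasing root/referral servers instead of staying on its forwarders.
    other_hosts: denies from any other internal host, which points at a host or application
        (e.g. a mail server with its own resolver settings) that bypasses the internal DNS.
    by_dst: how many denies each Internet destination attracted, so the noisiest targets stand out.
    """
    by_dst = Counter(dst for _, _, dst, _ in denies)
    by_src = Counter(src for _, src, _, _ in denies)
    return {
        "by_dst": dict(by_dst),
        "recursion_from_dns_servers": {s: n for s, n in by_src.items() if s in dns_servers},
        "other_hosts": {s: n for s, n in by_src.items() if s not in dns_servers},
    }


if __name__ == "__main__":
    report = summarize(parse_dns_denies(SAMPLE_SYSLOG))
    print("Denied DNS per destination:", report["by_dst"])
    print("Recursion leaking from internal DNS servers:", report["recursion_from_dns_servers"])
    print("Other internal hosts sending DNS to the Internet:", report["other_hosts"])
```

Reading the two buckets answers the follow-up questions directly: if nearly all denies sit in `recursion_from_dns_servers`, the resolvers are recursing past the forwarders, and configuring them as forward-only (in BIND, `forward only;` alongside the `forwarders` list) stops the recursion attempts at the source instead of at the firewall, which removes the log noise without opening the ACL. Anything in `other_hosts` is a host to fix, as the first reply suggests.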