%PIX-2-106007 DNS Response Deny

avenegas
Level 1

This log appeared after an upgrade from 5.01 to 6.1.4. Does anyone know something about it?

Best Regards

Alexi

3 Replies

steve.barlow
Level 7

Cisco states from this message: "If the inside port number is 53, it is likely that the inside host is set up as a caching nameserver. Add an access-list command statement to permit traffic on UDP port 53. If the outside port number is 53, the most likely cause is that a DNS server was too slow to respond, and the query was answered by another server."

Options:

-Bug: CSCdv83025

-Can you increase the udp timeout?

-check acl

First option is probably what's happening.

Hope it helps.

Steve

jekrauss
Level 1

Also, keep in mind, that if your DNS resolution is working properly, the pix may simply be denying extra responses.

i.e. Some dns clients send out up to 3 dns requests at a time. After the first response comes back, the pix will deny further dns responses. This helps provide protection from DNS attacks.

HTH

Jeff
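To make the two replies above actionable when you have a syslog capture, here is an added example (not from the thread or from Cisco) that parses %PIX-2-106007 lines, applies the "which side is on port 53" rule Steve quoted, and counts per inside client the extra responses Jeff describes. The message layout in LINE_RE and the sample log lines are assumptions constructed for the example.

```python
import re
from collections import Counter

# Assumed layout of PIX message 106007 (constructed for this example):
#   %PIX-2-106007: Deny inbound UDP from OUT_IP/OUT_PORT to IN_IP/IN_PORT due to DNS Response|Query
LINE_RE = re.compile(
    r"%PIX-2-106007: Deny inbound UDP from "
    r"(?P<out_ip>[\d.]+)/(?P<out_port>\d+) to "
    r"(?P<in_ip>[\d.]+)/(?P<in_port>\d+) due to DNS (?P<kind>Response|Query)"
)

def parse(line):
    """Return a dict with the addresses/ports of one 106007 line, or None if it is another message."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["out_port"] = int(rec["out_port"])
    rec["in_port"] = int(rec["in_port"])
    return rec

def classify(rec):
    """Apply the guidance quoted from Cisco: which side of the PIX is on UDP/53?"""
    if rec["in_port"] == 53:
        return "inside-nameserver"          # inside host serves DNS; needs an ACL permitting UDP/53
    if rec["out_port"] == 53:
        return "late-or-extra-response"     # slow outside server, or a 2nd answer after the 1st closed the xlate
    return "other"

def summarize(lines):
    """Count each category and, per inside client, how many extra responses were dropped."""
    cats, per_client = Counter(), Counter()
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        cat = classify(rec)
        cats[cat] += 1
        if cat == "late-or-extra-response":
            per_client[rec["in_ip"]] += 1
    return cats, per_client

SAMPLE = [  # constructed sample lines, not taken from the thread
    "Jan 10 10:00:01 pix %PIX-2-106007: Deny inbound UDP from 198.51.100.5/53 to 192.0.2.10/1043 due to DNS Response",
    "Jan 10 10:00:01 pix %PIX-2-106007: Deny inbound UDP from 198.51.100.6/53 to 192.0.2.10/1043 due to DNS Response",
    "Jan 10 10:00:02 pix %PIX-2-106007: Deny inbound UDP from 203.0.113.9/3201 to 192.0.2.20/53 due to DNS Query",
    "Jan 10 10:00:03 pix %PIX-2-302005: Built UDP connection (unrelated message, skipped)",
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

A client that keeps resolving names while showing a few "late-or-extra-response" hits matches Jeff's benign case; a client with hits and no working resolution points back at Steve's bug or ACL options.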

Hi, thanks for your answers ... some comments

We are using default 2 minutes for UDP timeout. I am not sure if a DNS query and response can take more than that ...

And I didn't say it before, but besides this message the DNS resolution stopped working .... so if PIX is denying extra responses, at least it would permit the first response and we would be able to resolve names ... but it isn't so.

I accept all suggestions !!!

Best Regards

Alexi