10-04-2002 02:10 PM - edited 03-09-2019 12:34 AM
This log appeared after an upgrade from 5.01 to 6.1.4. Does anyone know something about it?
Best Regards
Alexi
10-04-2002 03:54 PM
Cisco states from this message: "If the inside port number is 53, it is likely that the inside host is set up as a caching nameserver. Add an access-list command statement to permit traffic on UDP port 53. If the outside port number is 53, the most likely cause is that a DNS server was too slow to respond, and the query was answered by another server."
Options:
- Bug: CSCdv83025
- Can you increase the UDP timeout?
- Check the ACL
First option is probably what's happening.
Hope it helps.
Steve
10-05-2002 03:56 PM
Also, keep in mind that if your DNS resolution is working properly, the PIX may simply be denying extra responses.
i.e. some DNS clients send out up to 3 DNS requests at a time. After the first response comes back, the PIX will deny further DNS responses. This helps provide protection from DNS attacks.
HTH
Jeff
10-07-2002 07:16 AM
Hi, thanks for your answers ... some comments
We are using default 2 minutes for UDP timeout. I am not sure if a DNS query and response can take more than that ...
And I didn't say it before, but besides this message the DNS resolution stopped working .... so if PIX is denying extra responses, at least it would permit the first response and we would be able to resolve names ... but it isn't so.
I accept all suggestions !!!
Best Regards
Alexi
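The first-response-only behaviour Jeff describes and the 2-minute UDP timeout mentioned in the follow-up, as an added Python model that is not part of this thread or of any Cisco code; the class and field names are hypothetical and the traffic is constructed. The model keeps one slot per client port and server, lets the first answer through and closes the slot, and denies a duplicate answer (Jeff's case) or an answer that arrives after the slot has idled out (the "DNS server too slow" case from the Cisco text).

```python
UDP_TIMEOUT = 120  # seconds; the PIX default "timeout udp 0:02:00" quoted in the thread


class DnsGuardModel:
    """Simplified model (hypothetical, not PIX code) of a stateful UDP/DNS slot."""

    def __init__(self):
        self.slots = {}    # (client, cport, server) -> time the query was seen
        self.denied = []   # reasons, in the spirit of the PIX syslog lines

    def query(self, t, client, cport, server):
        # An outbound query opens (or refreshes) the translation slot.
        self.slots[(client, cport, server)] = t
        return "allow"

    def response(self, t, server, client, cport):
        key = (client, cport, server)
        opened = self.slots.pop(key, None)
        if opened is None:
            # No open slot: DNS guard already closed it after the first answer,
            # or no query was ever seen. This is Jeff's "extra response" case.
            self.denied.append(f"t={t}: deny udp {server}/53 -> {client}/{cport} (no slot)")
            return "deny"
        if t - opened > UDP_TIMEOUT:
            # Slot idled out before the answer arrived: "DNS server too slow".
            self.denied.append(f"t={t}: deny udp {server}/53 -> {client}/{cport} (idle timeout)")
            return "deny"
        return "allow"  # first answer passes and, by popping the slot, closes it


def run(events):
    """events: (t, 'q'|'r', ...addr fields); returns (decisions, denied-reasons)."""
    fw = DnsGuardModel()
    decisions = [fw.query(t, *a) if k == "q" else fw.response(t, *a) for t, k, *a in events]
    return decisions, fw.denied


# Constructed traffic: server 192.0.2.10 answers twice (a retransmit); server
# 192.0.2.20 takes three minutes to answer the second query.
SAMPLE = [
    (0,   "q", "10.1.1.5", 1025, "192.0.2.10"),
    (1,   "r", "192.0.2.10", "10.1.1.5", 1025),  # first answer: allowed
    (2,   "r", "192.0.2.10", "10.1.1.5", 1025),  # duplicate: denied (DNS guard)
    (10,  "q", "10.1.1.5", 1026, "192.0.2.20"),
    (190, "r", "192.0.2.20", "10.1.1.5", 1026),  # late: denied (idle timeout)
]
```

Running `run(SAMPLE)` shows that a working resolver still gets its first answer through, which is why Alexi's total loss of resolution points at the ACL or the bug rather than at DNS guard alone.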