ASA 5500 DNS Inspection

[Janesy B]

Having a bit of an issue related to DNS requests being dropped, the people that built the DNS server have given it a clean bill of health so I thought I would check the firewalls.

Currently there is this configuration in place;

policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
  no dns-guard
  no protocol-enforcement
  no nat-rewrite
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map

and if I show the service policy it's indicated that it has dropped over 10k packets

show service-policy inspect dns

Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: dns preset_dns_map, packet 2785300613, lock fail 0, drop 10769, reset-drop 0
        message-length maximum client auto, drop 0
        message-length maximum 512, drop 0

The only thing that seems out of place is that there's two lines for the max message length, could this be causing a conflict? As all the configuration examples I have seen just show 512 which is the default.
*edit* Just realised having two lines is fine and is the default config for newer ASAs for DNSSec.

Any help would be appreciated.

 

[Uhtred]

What DNS servers do you run? Does it only happen to certain top level domains like .co.uk?

 

[Janesy B]

What DNS servers do you run? Does it only happen to certain top level domains like .co.uk?

No real pattern, sometimes it'll work and others it won't.

Also spotted this;

show asp drop frame inspect-dns-invalid-domain-label
  DNS Inspect invalid domain label (inspect-dns-invalid-domain-label)       4842

Last clearing: Never
pri/act/Venom# show asp drop frame inspect-dns-invalid-pak
  DNS Inspect invalid packet (inspect-dns-invalid-pak)                       126

pri/act/Venom# show asp drop frame inspect-dns-pak-too-long
  DNS Inspect packet too long (inspect-dns-pak-too-long)                    8996

So the ASA is dropping packets, might up the max size to 4096 to see if that alleviates the issue.

 

[Deleted member 138126]

EDNS:

http://en.wikipedia.org/wiki/Extension_mechanisms_for_DNS

According to this forum post:

https://supportforums.cisco.com/dis...ix-asa-and-dnssec-problem-approaching-may-5th

You need minimum ASA 8.2.2 and set the "message-length maximum client auto" parameter.

 

[Deleted member 138126]

Just noticed you have the client auto parameter already, but you also have the 512 parameter (which presumably overrides the auto). I would drop the 512 parameter (leaving the client auto)?

 

[Janesy B]

Seeing it on Cisco configuration examples though, in all fairness 10k packets dropped out of 2 billion isn't a great deal.