eDNS & ASA issues

nelnel Member Posts: 2,859 ■□□□□□□□□□

I have a customer that is using a asa 8.2 and has just upgraded their DNS server to server 2008 R2. We have intermittent issues where DNS resolution fails as a result of the ASA not supporting eDNS. Reading up on eDNS, it would appear that packet sizes can reach 4096 bytes. However, the DNS inspection on the ASA appears to default to a maximum of 512 bytes due to the following test results:

"x.x.x.x DNS reply size limit is at least 490"
"x.x.x.x lacks EDNS, defaults to 512"

x.x.x.x is the IP of the ASA.

Now, first port of call was to increase the size of the accepted DNS packets in the policy map:

policy-map type inspect dns migrated_dns_map_1
message-length maximum 4096

Ive also tried the fixup command:

fixup protocol dns maximum-length 4096

From the google searches ive performed ive also tried the following command under the policy:

message-length maximum client auto

But still nothing. ive opened a case with cisco TAC but are just wondering if any of you have ran into this issue? Im just wondering whether we need to upgrade the OS or something.

Xbox Live: Bring It On

Bsc (hons) Network Computing - 1st Class
WIP: Msc advanced networking
Sign In or Register to comment.