eDNS & ASA issues
nel
Hi,
I have a customer that is using an ASA 8.2 and has just upgraded their DNS server to Server 2008 R2. We have intermittent issues where DNS resolution fails as a result of the ASA not supporting eDNS. Reading up on eDNS, it would appear that packet sizes can reach 4096 bytes. However, the DNS inspection on the ASA appears to default to a maximum of 512 bytes, judging by the following test results:
"x.x.x.x DNS reply size limit is at least 490"
"x.x.x.x lacks EDNS, defaults to 512"
x.x.x.x is the IP of the ASA.
Now, first port of call was to increase the size of the accepted DNS packets in the policy map:
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 4096
I've also tried the fixup command:
fixup protocol dns maximum-length 4096
From the Google searches I've performed, I've also tried the following command under the policy:
message-length maximum client auto
But still nothing. I've opened a case with Cisco TAC but am just wondering if any of you have run into this issue? I'm just wondering whether we need to upgrade the OS or something.
cheers
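The two test-output lines quoted above ("DNS reply size limit is at least 490" / "lacks EDNS, defaults to 512") come from an EDNS probe: the tester sends a query whose OPT pseudo-record advertises a large UDP payload size and then checks whether the answer still carries an OPT record and how large it is. The following is an added example, not code from the original post, from Cisco, or from the poster's test tool; it builds such a query and parses a reply in wire format using only the Python standard library, so you can see whether the path through the firewall strips EDNS or caps replies. The server address, query name, and the sample reply bytes are constructed placeholders, not values from the thread.

```python
"""EDNS0 probe helper (added example, not from the original post).

build_edns_query() produces a DNS query with an OPT pseudo-RR advertising a
UDP payload size (RFC 6891). parse_reply() reads a wire-format reply and
reports whether EDNS survived the round trip, the advertised size, and
whether the TC (truncated) bit is set, which is what a 512-byte inspection
cap on a middlebox typically shows up as.
"""
import socket
import struct

DNS_PORT = 53
OPT_TYPE = 41          # EDNS0 OPT pseudo-RR type
FLAG_RD = 0x0100       # recursion desired
FLAG_TC = 0x0200       # truncated response


def encode_name(name):
    """Encode a dotted hostname as DNS labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += struct.pack("!B", len(label)) + label.encode("ascii")
    return out + b"\x00"


def build_edns_query(qname, udp_payload=4096, txid=0x1234, qtype=1):
    """Return a wire-format query for qname with an OPT RR advertising udp_payload."""
    # Header: id, flags, QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=1 (the OPT RR)
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 1)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)   # qtype, IN
    # OPT RR: root name, TYPE=41, CLASS field = UDP payload size,
    # TTL field = extended RCODE/version/flags (zero), RDLENGTH=0
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_payload, 0, 0)
    return header + question + opt


def skip_name(msg, off):
    """Return the offset just past the name starting at msg[off]."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:        # compression pointer occupies 2 bytes
            return off + 2
        off += 1 + length


def parse_reply(msg):
    """Summarise a wire-format reply: size, EDNS presence, advertised size, TC, RCODE."""
    _txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4    # skip QTYPE + QCLASS
    edns_payload = None
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == OPT_TYPE:
            edns_payload = rclass        # CLASS carries the responder's UDP size
        off += 10 + rdlen
    return {
        "size": len(msg),
        "edns": edns_payload is not None,
        "udp_payload": edns_payload,
        "truncated": bool(flags & FLAG_TC),
        "rcode": flags & 0x000F,
    }


def verdict(result):
    """One-line reading of a parsed reply, in the spirit of the quoted test output."""
    if not result["edns"]:
        return "lacks EDNS, defaults to 512"
    if result["truncated"]:
        return "EDNS present but reply truncated at %d bytes" % result["size"]
    return "EDNS present, responder advertises %d bytes" % result["udp_payload"]


def sample_reply(with_edns=True):
    """Constructed reply for offline testing: one A record for example.com (constructed data)."""
    arcount = 1 if with_edns else 0
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, arcount)
    question = encode_name("example.com") + struct.pack("!HH", 1, 1)
    # Answer: pointer to the question name (offset 12), A/IN, TTL 300, 4-byte address
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, 4096, 0, 0) if with_edns else b""
    return header + question + answer + opt


def probe(server, qname="example.com", udp_payload=4096, timeout=3.0):
    """Send the EDNS query over UDP to server (hypothetical address) and parse the reply."""
    query = build_edns_query(qname, udp_payload)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, DNS_PORT))
        data, _ = sock.recvfrom(65535)
    return parse_reply(data)


if __name__ == "__main__":
    # Replace with the resolver behind the firewall you are checking.
    print(verdict(probe("192.0.2.53")))
```

Run the probe twice, once from inside the firewall and once against the same resolver from a host that does not traverse the ASA; if the inside result reads "lacks EDNS" while the outside one advertises 4096, the OPT record is being stripped in transit rather than by the server.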