Firewalls, PIX, ASA, VPN, Access Control List, User Authentication, Data Encryption and Best Practices.
Hi, I'm getting the following spammed into my syslog all of a sudden from our PIX. The inbound port is always the same but the receiving port varies.

%PIX-2-106007: Deny inbound UDP from 18.104.22.168/53 to 63.xxx.xxx.xxx/21465 due to DNS Response.

My understanding is that the PIX has something called DNS guard (which I can't turn off) and it matches DNS responses to DNS requests and only allows the first DNS request back in. I assume that this is what is blocking it? How can I prevent continuous errors?

If anyone can shed some light for a new PIX user I would appreciate it. Thanks.

22.214.171.124 is our ISP (Sprint) btw.
The DNS Guard within the PIX does a couple of things. One is that when it sees the DNS request go out, and when it sees the DNS response come back in, it verifies that they match up together, and closes down that opening straight away. So basically you can only have one response per request come back through; any subsequent response will be denied and you'll see this error. The usual cause of this error is that 126.96.36.199 took too long to respond, and the query was answered by another DNS server. When that response went through the PIX, the PIX closed down the session, and the later response from 188.8.131.52 was denied. Not usually anything to worry about.

In 6.3 code you can turn off the DNS Guard, although I wouldn't recommend this, because it means DNS packets will be treated as standard UDP packets and time out after 2 minutes rather than straight after the DNS response. If you do a lot of DNS queries then this will dramatically increase your xlate and conn count, so you'll want to keep an eye on it. The command to turn it off is:

no fixup protocol dns
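One way to keep an eye on this noise, as an added example that is not code from the thread or from Cisco: a small parser for the 106007 message quoted above that counts denied responses per source and separates late duplicates from the resolvers you actually query (the benign case described in the reply) from responses arriving from anywhere else or from a port other than UDP/53. The resolver and client addresses in the sample lines are constructed placeholders, not from any real network.

```python
import re
from collections import Counter

# Shape of the message quoted in the question (PIX syslog ID 106007).
# The destination may be masked with "x" the way the poster did, so allow that.
PIX_106007 = re.compile(
    r"%PIX-2-106007: Deny inbound UDP from "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)/(?P<sport>\d+) to "
    r"(?P<dst>[\d.x]+)/(?P<dport>\d+) due to DNS Response"
)

def parse_106007(line):
    """Return the fields of a 106007 message, or None for any other line."""
    m = PIX_106007.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec

def summarize(lines, expected_resolvers):
    """Count denials per source; flag sources that are not a configured resolver
    or that did not send from UDP/53, since those never matched an outbound query."""
    per_source = Counter()
    unexpected = Counter()
    for line in lines:
        rec = parse_106007(line)
        if rec is None:
            continue
        per_source[rec["src"]] += 1
        if rec["src"] not in expected_resolvers or rec["sport"] != 53:
            unexpected[rec["src"]] += 1
    return {"per_source": dict(per_source), "unexpected": dict(unexpected)}

# Constructed sample syslog lines (RFC 5737 documentation addresses, assumed values).
SAMPLE_LOG = [
    "Jan 10 09:12:01 pix %PIX-2-106007: Deny inbound UDP from 192.0.2.53/53 to 203.0.113.10/21465 due to DNS Response",
    "Jan 10 09:12:01 pix %PIX-2-106007: Deny inbound UDP from 192.0.2.53/53 to 203.0.113.10/21466 due to DNS Response",
    "Jan 10 09:12:02 pix %PIX-6-XXXXXX: unrelated message, constructed placeholder that the parser ignores",
    "Jan 10 09:12:03 pix %PIX-2-106007: Deny inbound UDP from 198.51.100.9/53 to 203.0.113.10/21467 due to DNS Response",
    "Jan 10 09:12:04 pix %PIX-2-106007: Deny inbound UDP from 192.0.2.53/1024 to 203.0.113.10/21468 due to DNS Response",
]

if __name__ == "__main__":
    # 192.0.2.53 stands in for the ISP resolver the site actually queries.
    print(summarize(SAMPLE_LOG, {"192.0.2.53"}))
```

A steady trickle from your own resolvers is the late-answer case from the reply; anything in the "unexpected" bucket is worth a closer look rather than a syslog filter.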