Denials due to DNS response

Guest

Denials due to DNS response

Post by Guest » Tue Jan 11, 2011 3:36 pm


Hi, I'm getting the following spammed into my syslog all of a sudden from our PIX. The inbound port is always the same but the receiving port varies.

%PIX-2-106007: Deny inbound UDP from 204.117.214.10/53 to 63.xxx.xxx.xxx/21465 due to DNS Response.

My understanding is that the PIX has something called DNS guard (which I can't turn off) and it matches DNS responses to DNS requests and only allows the first DNS request back in. I assume that this is what is blocking it? How can I prevent continuous errors? If anyone can shed some light for a new PIX user I would appreciate it. Thanks. 204.117.214.10 is our ISP (Sprint) btw.

Guest

Re:Denials due to DNS response

Post by Guest » Tue Jan 11, 2011 3:37 pm


The DNS Guard within the PIX does a couple of things. One is that when it sees the DNS request go out, and when it sees the DNS response come back in, it verifies that they match up together, and closes down that opening straight away. So basically you can only have one response per request come back through; any subsequent response will be denied and you'll see this error. The usual cause of this error is that 204.117.214.10 took too long to respond, and the query was answered by another DNS server. When that response went through the PIX, the PIX closed down the session, and the later response from 204.117.214.10 was denied. Not usually anything to worry about.

In 6.3 code you can turn off the DNS Guard, although I wouldn't recommend this, cause it means DNS packets will be treated as standard UDP packets and time out after 2 minutes rather than straight after the DNS Response. If you do a lot of DNS queries then this will dramatically increase your xlate and conn count, so you'll want to keep an eye on it. The command to turn it off is:

    no fixup protocol dns
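
The behaviour described in the reply above, as an added illustration that is not part of the thread and not PIX code: a simplified model of the DNS pinhole with the DNS fixup on (one response per query, opening torn down immediately) versus off (plain UDP conn that idles out after 2 minutes). Hosts, ports and timings are constructed; the inside address 192.0.2.10 is a placeholder for the masked 63.xxx.xxx.xxx.

```python
UDP_IDLE_TIMEOUT = 120  # seconds; the reply says plain UDP conns time out after 2 minutes


class DnsGuardModel:
    """Constructed model of the PIX DNS pinhole, not the real implementation."""

    def __init__(self, fixup_dns=True):
        self.fixup_dns = fixup_dns
        self.conns = {}    # (client_ip, client_port, server_ip) -> last activity time
        self.denied = []   # syslog-style records of dropped responses

    def _expire(self, now):
        # Plain UDP conns are removed on idle timeout; DNS Guard does not wait for this.
        for key, last in list(self.conns.items()):
            if now - last >= UDP_IDLE_TIMEOUT:
                del self.conns[key]

    def outbound_query(self, now, client, cport, server):
        self._expire(now)
        self.conns[(client, cport, server)] = now  # query opens or refreshes the pinhole

    def inbound_response(self, now, server, client, cport):
        self._expire(now)
        key = (client, cport, server)
        if key not in self.conns:
            self.denied.append(f"%PIX-2-106007: Deny inbound UDP from {server}/53 "
                               f"to {client}/{cport} due to DNS Response.")
            return False
        if self.fixup_dns:
            del self.conns[key]    # DNS Guard closes the opening after the first response
        else:
            self.conns[key] = now  # plain UDP handling only refreshes the idle timer
        return True

    def conn_count(self):
        return len(self.conns)


def late_duplicate_scenario(fixup_dns):
    """Client retransmits a query to a slow resolver from the same source port; both
    answers eventually arrive. Returns (accepted, denied, open conns 10 s later)."""
    m = DnsGuardModel(fixup_dns)
    m.outbound_query(0.0, "192.0.2.10", 21465, "204.117.214.10")
    m.outbound_query(3.0, "192.0.2.10", 21465, "204.117.214.10")  # retry
    first = m.inbound_response(3.5, "204.117.214.10", "192.0.2.10", 21465)
    second = m.inbound_response(4.0, "204.117.214.10", "192.0.2.10", 21465)
    m._expire(14.0)
    return int(first) + int(second), len(m.denied), m.conn_count()


if __name__ == "__main__":
    print("fixup on :", late_duplicate_scenario(True))   # (1, 1, 0): second answer denied
    print("fixup off:", late_duplicate_scenario(False))  # (2, 0, 1): conn lingers
```

With the fixup off the duplicate answer passes, but the pinhole stays in the conn table until the 120 s idle timer fires, which is the conn-count growth the reply warns about.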

Guest

Re:Denials due to DNS response

Post by Guest » Tue Jan 11, 2011 5:15 pm


Thank you much Glenn! Answered all my questions. I will not be turning it off by the way.
