Problem with ASA and Windows Server 2008 DNS

Hi,

I believe I have an issue with the ASA not allowing specific EDNS0 packets through the firewall. I am using a standard SBS Server 2008 setup on the LAN, and that is using DNS root hints to get the records.

From time to time certain DNS records (e.g. [link] and a couple of others) are not resolvable through the LAN; I get a server failure when doing a dig/nslookup.

I changed the DNS parameter in the firewall to allow packets up to 4096 through using the inspect DNS option, but this seems to not do much.

Anyone else have any suggestions?

Thanks. Andrew.

Reply to
Andrew Hodgson

What is the best way of logging this? Currently I don't log to syslog, and I don't know when this is likely to happen.

I am sort of new to the whole ASA thing...

Andrew.

Reply to
Andrew Hodgson

Thanks, I managed to get this working in the end, and it is not an issue with the Cisco, but has been escalated through the MS channels as it is an issue which has been found with the Windows Server 2008 DNS implementation! All those hours spent thinking it was an issue with my config!

Thanks. Andrew.

Reply to
Andrew Hodgson

It may be too late to reply to this thread, but I am having a similar issue with EDNS0 responses as well. I believe my problem is with the ASA. I am able to see the response packets from the server on the outside of the ASA, but they do not show up on the DMZ side of the ASA. My DNS server does not even see the response packets. When I disable DNS inspection the process works. An interesting thing did surface when I captured packets on the outside interface of the ASA; I captured the following:

1: 16:53:57.704522 12.171.244.126.62892 > 205.178.144.31.53: udp 53
2: 16:54:02.340467 205.178.144.31.53 > 12.171.244.126.62892: udp 512

I am not sure why the response is showing as UDP 512.

I know I am not providing any solutions, but I thought it was interesting nonetheless.

Reply to
jp.comeau

512 is, I guess, the length, as is 53.

The port numbers are shown as a fifth address element: a.b.c.d.e

As mentioned previously, the packet length could be significant.

Reply to
bod43
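The 512 in that capture is the UDP payload length, which is exactly the classic DNS message limit that EDNS0 (RFC 6891) exists to lift. A resolver that advertises a 4096-byte buffer in its OPT record but gets back a reply that is capped at 512 bytes, has the TC bit set, or carries no OPT record at all is seeing EDNS0 ignored or stripped somewhere in the path, and that is the pattern a DNS inspection policy with the ASA default of "message-length maximum 512" produces. The Python below is an added example written for this thread, not code posted by any participant: it builds an EDNS0 query the way a resolver would, parses a reply far enough to read the TC bit, RCODE and the OPT payload size, and classifies what it sees. The hostname, transaction ID, addresses and the three constructed replies are made up for the example; nothing is sent on the wire, so it runs offline.

```python
"""Build an EDNS0 query and classify the kind of reply that comes back.

Added example for the thread above; the sample replies are constructed
locally (nothing is sent), and example.com / 192.0.2.1 are placeholders.
"""
import struct

OPT = 41          # RR type of the EDNS0 OPT pseudo-record
QTYPE_A = 1
CLASS_IN = 1


def encode_name(name):
    """Encode a dotted hostname in DNS wire format (labels, no compression)."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, qtype=QTYPE_A, udp_payload=4096, txid=0x1234):
    """Standard query with RD set and one OPT RR in the additional section.

    The OPT RR reuses the CLASS field to advertise the largest UDP payload
    the client can accept; a 512-byte-only path never honours it.
    """
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # QD=1, AR=1
    question = encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)
    opt = b"\x00" + struct.pack("!HHIH", OPT, udp_payload, 0, 0)  # root name, TTL=0, RDLEN=0
    return header + question + opt


def _skip_name(data, off):
    """Return the offset just past a wire-format name (handles 0xC0 pointers)."""
    while True:
        ln = data[off]
        if ln == 0:
            return off + 1
        if ln & 0xC0 == 0xC0:   # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + ln


def parse_response(data):
    """Extract the fields that matter for an EDNS0 path check."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    info = {"id": txid, "rcode": flags & 0x0F, "tc": bool(flags & 0x0200),
            "answers": an, "opt_payload": None, "length": len(data)}
    off = 12
    for _ in range(qd):                      # question: name + QTYPE + QCLASS
        off = _skip_name(data, off) + 4
    for _ in range(an + ns + ar):            # every RR: name, 10-byte fixed part, RDATA
        off = _skip_name(data, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        if rtype == OPT:
            info["opt_payload"] = rclass     # server's advertised UDP payload size
        off += 10 + rdlen
    return info


def diagnose(info):
    """Map the parsed reply onto the symptoms discussed in the thread."""
    if info["rcode"] == 2:
        return "SERVFAIL"
    if info["tc"]:
        return "truncated: answer did not fit in %d bytes, client must retry over TCP" % info["length"]
    if info["opt_payload"] is None:
        return "no OPT RR in reply: EDNS0 not negotiated (server or middlebox dropped it)"
    return "ok: server accepts EDNS0 payload up to %d bytes" % info["opt_payload"]


def build_response(query, flags, answer_ips=(), opt_payload=None):
    """Constructed reply for testing: echoes the question, adds A records and optionally an OPT RR."""
    txid = struct.unpack("!H", query[:2])[0]
    q_end = _skip_name(query, 12) + 4
    question = query[12:q_end]
    ar = 1 if opt_payload is not None else 0
    body = struct.pack("!HHHHHH", txid, flags, 1, len(answer_ips), 0, ar) + question
    for ip in answer_ips:
        rdata = bytes(int(o) for o in ip.split("."))
        body += b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, CLASS_IN, 60, 4) + rdata  # name -> offset 12
    if opt_payload is not None:
        body += b"\x00" + struct.pack("!HHIH", OPT, opt_payload, 0, 0)
    return body


if __name__ == "__main__":
    q = build_query("example.com")
    healthy = build_response(q, 0x8180, ["192.0.2.1"], opt_payload=4096)  # QR RD RA
    clipped = build_response(q, 0x8380)                                     # QR RD RA TC, no OPT
    failed = build_response(q, 0x8182)                                      # QR RD RA, RCODE=2
    for label, reply in ("healthy", healthy), ("clipped", clipped), ("servfail", failed):
        print(label, len(reply), "bytes:", diagnose(parse_response(reply)))
```

Run the same `parse_response`/`diagnose` pair against a packet read off the DMZ interface and off the outside interface (for instance from the ASA's packet capture exported as a pcap) and the classification should match on both sides; if the outside copy says "ok" and the inside copy never arrives or comes back without its OPT record, the inspection policy, not the DNS server, is the place to look.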
