When you host a public DNS server behind a Cisco ASA 5500 firewall, you may see log messages from the firewall reporting a DNS message length mismatch. This happens because, by default, the DNS inspection engine on the ASA allows a maximum DNS message length of only 512 bytes, as shown below:

policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512

This DNS message length parameter is configurable from 512 to 65535 bytes, so you can raise it to a value that suits your traffic. However, keep in mind that the 512-byte default follows RFC 1035, and changing it is not recommended, because the limit helps you avoid DNS amplification attacks.
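The following is an added example, not configuration from the original post: it shows the default DNS inspection policy in the context of the global service policy it is applied through, and then a dedicated policy map that raises the limit for the rare case where it is needed. The policy-map name dns_server_map and the value 1024 are assumptions.

```cisco
! Added example (not from the original post). Default DNS inspection
! policy as it appears on a fresh ASA 5500:
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
!
! The preset map is applied to all DNS traffic through the global policy:
class-map inspection_default
 match default-inspection-traffic
!
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
!
service-policy global_policy global
!
! If larger replies really are required, create a separate map (assumed
! name dns_server_map, assumed value 1024; valid range 512-65535) rather
! than editing the preset, so the change is explicit and easy to revert:
policy-map type inspect dns dns_server_map
 parameters
  message-length maximum 1024
!
policy-map global_policy
 class inspection_default
  no inspect dns preset_dns_map
  inspect dns dns_server_map
!
! Verify which DNS inspection map is active and check its drop counters:
show service-policy inspect dns
```

Keep the 512-byte preset wherever the larger limit is not strictly required, and watch the drop counters from the show command after any change.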
