Found this while doing some ASA work.
From - http://www.cisco.com/c/en/us/td/docs/security/asa/asa93/configuration/firewall/asa-firewall-cli/inspect-basic.html#pgfId-2486925
Quote
Defaults for DNS Inspection
DNS inspection is enabled by default, using the preset_dns_map inspection class map:
The maximum DNS message length is 512 bytes.
Then from - http://www.cisco.com/c/en/us/about/security-center/dnssec-best-practices.html
Quote
Potential Networking Challenges with DNSSEC Deployment
The networking-specific challenges from DNSSEC are largely the result of the differences mentioned previously: increased packet sizes, EDNS requirements and the more frequent use of TCP. Many firewall devices incorrectly limit DNS responses to 512 and prohibit DNS over TCP.
Gave me a good laugh.
-Otanx
:haha1:
:haha3:
Cisco BUs are pretty much separate companies. It's so aggravating and I could only imagine the hell that SEs have to deal with. FTS
The problem with big companies is that there are both economies of scale and inefficiencies of scale. CEOs can say "everyone use the same policy and talk to each other!" Then everyone nods, pretends to listen, and carries on as before.
Sent from my SM-N900P using Tapatalk
Quote from: Netwörkheäd on February 20, 2016, 04:14:26 PM
The problem with big companies is that there are both economies of scale and inefficiencies of scale. CEOs can say "everyone use the same policy and talk to each other!" Then everyone nods, pretends to listen, and carries on as before.
Truth.
Anyway - Otanx, that's pretty funny. :rofl:
Also shows you have great attention to detail - my ADD probably would have missed that ;P
Yes, we used to get this all the time for older customers in England. Then we made base configs and had this changed to 4096. The other "fix" was to disable DNSSEC on the Windows DNS server.
I haven't run into issues on my setup, though, but this thread has reminded me to check what I've done on ours.
Is the link in the OP still current? It mentions PIX config. The guide says to set the DNS inspection size to 4096. I checked my ASA here and it can be increased from 512 to 65535. I've set it just now to 4096.
I'm surprised I've not seen any DNSSEC issues, though. We're using Windows 2012 DNS servers.
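A quick way to find out whether your own firewall still enforces the 512-byte limit, or blocks DNS over TCP, is to send the kind of query DNSSEC validation actually generates and look at what comes back. The script below is an added example and is not from the thread or from Cisco: it builds an EDNS0 query with the DO bit set and a 4096-byte UDP payload advertised (the same 4096 the ASA guide recommends for `message-length maximum` under the `preset_dns_map` parameters), asks for a signed zone's DNSKEY RRset because that answer is normally well over 512 bytes, repeats the query over TCP, and classifies the pair of results. The resolver address and zone name are whatever you pass on the command line; the 4096 payload and the DNSKEY choice are this example's assumptions.

```python
"""Probe a DNS path for the pre-EDNS 512-byte clamp and for DNS-over-TCP blocking.

Added example, not from the thread: EDNS0/DO query over UDP, then the same
query over TCP, then a verdict from the two answers.
"""
import socket
import struct
import sys

DNSKEY = 48   # RR type whose answers for a signed zone usually exceed 512 bytes
OPT = 41      # EDNS0 pseudo-RR type (RFC 6891)


def encode_name(qname):
    """Wire-format name: length-prefixed labels terminated by a zero byte."""
    labels = [l for l in qname.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(qname, qtype=DNSKEY, udp_payload=4096, do_bit=True, txid=0x1234):
    """DNS query with one question and an OPT RR in the additional section."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)    # RD=1; 1 question, 1 additional
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)  # class IN
    ext_ttl = 0x00008000 if do_bit else 0   # ext-rcode=0, version=0, DO flag lives in the TTL field
    opt_rr = b"\x00" + struct.pack("!HHIH", OPT, udp_payload, ext_ttl, 0)  # root name, no RDATA
    return header + question + opt_rr


def parse_header(resp):
    """Decode the 12-byte DNS header; TC is bit 9 of the flags word."""
    if len(resp) < 12:
        raise ValueError("response shorter than a DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", resp[:12])
    return {"txid": txid, "tc": bool(flags & 0x0200), "rcode": flags & 0x000F,
            "qd": qd, "an": an, "ns": ns, "ar": ar, "length": len(resp)}


def classify(udp_resp, tcp_resp):
    """Diagnose from the raw UDP and TCP answers (None = no answer / timeout)."""
    if udp_resp is None and tcp_resp is None:
        return "no-answer"
    if udp_resp is None:
        return "udp-dropped-tcp-ok"          # oversized UDP reply silently dropped on the path
    h = parse_header(udp_resp)
    if h["tc"] and h["length"] <= 512:
        # Our 4096-byte offer was ignored or stripped: the answer was cut at the
        # pre-EDNS limit, so resolution now depends entirely on the TCP retry.
        return "udp-clamped-512-tcp-blocked" if tcp_resp is None else "udp-clamped-512-tcp-ok"
    if h["length"] > 512:
        return "edns-ok"
    return "small-answer"   # inconclusive; pick a zone with a larger DNSKEY RRset


def probe_udp(server, query, timeout=3.0):
    """One UDP round trip; returns the raw reply or None on timeout/ICMP error."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        try:
            return s.recv(65535)
        except OSError:
            return None


def _recv_exact(s, n):
    buf = b""
    while len(buf) < n:
        chunk = s.recv(n - len(buf))
        if not chunk:
            raise OSError("connection closed mid-reply")
        buf += chunk
    return buf


def probe_tcp(server, query, timeout=3.0):
    """DNS over TCP: two-byte length prefix on both the query and the reply."""
    try:
        with socket.create_connection((server, 53), timeout=timeout) as s:
            s.sendall(struct.pack("!H", len(query)) + query)
            (length,) = struct.unpack("!H", _recv_exact(s, 2))
            return _recv_exact(s, length)
    except (OSError, struct.error):
        return None


if __name__ == "__main__":
    # usage: python dnsprobe.py <resolver-ip> <signed-zone>
    server, zone = sys.argv[1], sys.argv[2]
    q = build_query(zone)
    print(classify(probe_udp(server, q), probe_tcp(server, q)))
```

Run it from a host on the inside of the firewall against a resolver on the outside (or the other way round, whichever direction your inspection policy applies to). "udp-clamped-512-tcp-blocked" is exactly the combination the Cisco DNSSEC page warns about; "udp-clamped-512-tcp-ok" means validation will still work but every large answer costs a TCP retry; "edns-ok" is what you should see after raising `message-length maximum`.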
The first link is for ASA 9.3 code. The second link I don't know how old it is, but it is what shows up when you Google for "Cisco ASA DNSSEC". I found these because I was actually looking for ESMTP inspection docs. I found that by default ESMTP inspection disables STARTTLS. So I started wondering about DNSSEC, and ran into this.
-Otanx
Quote from: Otanx on February 29, 2016, 05:15:21 PM
The first link is for ASA 9.3 code. The second link I don't know how old it is, but it is what shows up when you Google for "Cisco ASA DNSSEC". I found these because I was actually looking for ESMTP inspection docs. I found that by default ESMTP inspection disables STARTTLS. So I started wondering about DNSSEC, and ran into this.
-Otanx
Thanks mate.
FYI, to get inbound SMTP working I've always had to disable ESMTP inspection. Else email just doesn't work.
That's quite funny :-)
Funny but true. It's like the first thing you do with an edge firewall.
Quote from: Dieselboy on March 01, 2016, 12:53:21 AM
Quote from: Otanx on February 29, 2016, 05:15:21 PM
The first link is for ASA 9.3 code. The second link I don't know how old it is, but it is what shows up when you Google for "Cisco ASA DNSSEC". I found these because I was actually looking for ESMTP inspection docs. I found that by default ESMTP inspection disables STARTTLS. So I started wondering about DNSSEC, and ran into this.
-Otanx
Thanks mate.
FYI, to get inbound SMTP working I've always had to disable ESMTP inspection. Else email just doesn't work.
Yep, this is what I kept hearing. From what I can tell it is because the ASA does not cache the packets so if the command is split between packets then it does not recognize the command, and breaks it. I was hoping to leave it on, but I don't think I will.
-Otanx
Quote from: Otanx on March 01, 2016, 11:58:07 AM
Quote from: Dieselboy on March 01, 2016, 12:53:21 AM
Quote from: Otanx on February 29, 2016, 05:15:21 PM
The first link is for ASA 9.3 code. The second link I don't know how old it is, but it is what shows up when you Google for "Cisco ASA DNSSEC". I found these because I was actually looking for ESMTP inspection docs. I found that by default ESMTP inspection disables STARTTLS. So I started wondering about DNSSEC, and ran into this.
-Otanx
Thanks mate.
FYI, to get inbound SMTP working I've always had to disable ESMTP inspection. Else email just doesn't work.
Yep, this is what I kept hearing. From what I can tell it is because the ASA does not cache the packets so if the command is split between packets then it does not recognize the command, and breaks it. I was hoping to leave it on, but I don't think I will.
-Otanx
Let it flow through; there are various ways to limit/control mail commands at the DMZ mail relay server, or internal server if you really needed to.
I didn't know why ESMTP inspection broke SMTP, but if you telnet to the SMTP server receive port through the ASA and issue EHLO then you get something back like:
*************************************
220
*************************************
Which isn't normal.
Standard operating procedure for ASA:
- disable ESMTP inspection
- disable SQL inspection
- disable SIP inspection
....... aaaaand ah sod it, disable ALL the inspections aside from basic TCP/UDP
We were actually close to disabling all the inspections on all of our internal ASAs because of the problems they created (especially ESMTP). We never pulled the trigger, though
Quote from: Dieselboy on March 01, 2016, 07:58:41 PM
I didn't know why ESMTP inspection broke SMTP, but if you telnet to the SMTP server receive port through the ASA and issue EHLO then you get something back like:
*************************************
220
*************************************
Which isn't normal.
That is the banner block that the ASA does. To prevent fingerprinting of the mail server the ASA will replace all EHLO response text except the 220 with asterisks.
-Otanx
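The telnet test above can be scripted so you can check every edge in one go: open port 25 through the firewall, read the greeting, send EHLO, and look at two things, whether the greeting has been rewritten to asterisks (the ASA banner masking Otanx describes) and whether STARTTLS is still in the EHLO extension list (which the default ESMTP inspection policy removes, per the earlier post). This is an added example, not code from the thread or from Cisco. The sample transcripts at the top are constructed, and the assumption that a masked greeting consists of the reply code followed only by asterisks is taken from Dieselboy's telnet output above.

```python
"""Check an SMTP server reached through a firewall for ESMTP-inspection side effects.

Added example, not from the thread. Sample replies below are constructed.
"""
import re
import socket

# Constructed sample replies (raw lines as the server / firewall sends them).
MASKED_BANNER = ["220 ********************\r\n"]            # ASA banner masking
CLEAN_BANNER = ["220 mail.example.test ESMTP ready\r\n"]
EHLO_WITH_TLS = ["250-mail.example.test\r\n", "250-PIPELINING\r\n",
                 "250-SIZE 10240000\r\n", "250-STARTTLS\r\n", "250 8BITMIME\r\n"]
EHLO_NO_TLS = ["250-mail.example.test\r\n", "250-PIPELINING\r\n",
               "250-SIZE 10240000\r\n", "250 8BITMIME\r\n"]


def parse_reply(lines):
    """Split one SMTP reply (RFC 5321 s4.2) into (code, [text parts]).

    Continuation lines look like "250-TEXT"; the final line is "250 TEXT".
    """
    code, texts = None, []
    for line in lines:
        line = line.rstrip("\r\n")
        if len(line) < 3 or not line[:3].isdigit():
            raise ValueError("not an SMTP reply line: %r" % line)
        code = line[:3]
        texts.append(line[4:] if len(line) > 4 else "")
        if line[3:4] != "-":        # terminal line of this reply
            break
    return code, texts


def read_reply(f):
    """Read lines from a socket file object until the reply's terminal line."""
    lines = []
    while True:
        raw = f.readline()
        if not raw:
            raise OSError("connection closed before the reply completed")
        line = raw.decode("ascii", "replace")
        lines.append(line)
        if line[3:4] != "-":
            return parse_reply(lines)


def analyze(banner_texts, ehlo_texts):
    """Report whether the greeting looks masked and whether STARTTLS is offered.

    Assumption: a masked greeting is nothing but asterisks after the 220 code.
    The first EHLO text line is the server's own name; the rest are extensions.
    """
    banner = " ".join(banner_texts).strip()
    masked = bool(banner) and re.fullmatch(r"[\*\s]+", banner) is not None
    keywords = {t.split()[0].upper() for t in ehlo_texts[1:] if t.split()}
    return {"banner_masked": masked,
            "starttls_offered": "STARTTLS" in keywords,
            "extensions": sorted(keywords)}


def probe(host, port=25, ehlo_name="probe.example", timeout=10.0):
    """Live check: greeting, EHLO, QUIT, through whatever sits on the path."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("rb")
        code, banner = read_reply(f)
        if code != "220":
            raise RuntimeError("unexpected greeting code %s" % code)
        s.sendall(("EHLO %s\r\n" % ehlo_name).encode("ascii"))
        code, ehlo = read_reply(f)
        s.sendall(b"QUIT\r\n")
        return analyze(banner, ehlo if code == "250" else [])


if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1]))   # python smtpprobe.py <mail-server-ip>
```

Run it twice, once from a host that talks to the mail server directly and once through the ASA: if `banner_masked` flips to true and `starttls_offered` flips to false only on the firewalled path, the inspection policy is the thing rewriting the session, and you know what to point at before deciding whether to tune it or just disable `inspect esmtp`.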
Otanx - thanks for explaining that to me mate :)