Posted by: Yasir Irfan
ADSM, Blade servers, Cisco ASA, Cisco PIX 525, Cisco PIX 525 firewall, default DNS inspection policy-map, DMZ zone, DNS forwarder, DNS Queries, DNS Queries in Windows 2008 R2 Server, DNS Queries in Windows 2008 R2 Server fails, Internal Network, Internet, internet IP address, ISP, Network technologies & trends, PAT, Servers, Syslog, Windows 2008 R2 Server
In my previous post I described the DNS query problem we were facing with the Windows 2008 R2 server. The solution turned out to be quite simple. I started by monitoring the logs on the Cisco PIX 525 firewall using ASDM and syslog, and found that the ISP was in fact answering the DNS queries, but the replies were being dropped by the Cisco PIX 525 firewall:
%PIX-4-410001: Dropped UDP DNS reply from outside:x.x.x.x/53 to inside:y.y.y.y/49746; packet length 768 bytes exceeds configured limit of 512
The reason was the size of the replies: the packets received from the ISP were 768 bytes, whereas by default the DNS inspection on the Cisco PIX 525 firewall only allows DNS messages of up to 512 bytes. 512 bytes is the classic ceiling for DNS over UDP from RFC 1035; replies that carry EDNS0 options (RFC 6891), which a Windows 2008 R2 DNS server requests by default, can legitimately be larger, and the inspection engine drops such a reply outright rather than truncating it.
The problem was therefore the default DNS inspection policy-map: on the Cisco PIX 525, as on the Cisco ASA, its maximum DNS message length is set to 512 bytes.
The moment I changed the DNS inspection maximum length from 512 bytes to 1000 bytes, things were back to normal and the Windows 2008 R2 server was resolving DNS queries again. Note that DNS inspection itself stays enabled; only the size cap changes. 1000 bytes covered the replies we were seeing, but the right value depends on the largest reply your resolver actually receives, and the 410001 messages tell you exactly that.
The commands I used to change the default DNS inspection policy-map are as follows; afterwards, show running-config policy-map should list inspect dns maximum-length 1000 under class inspection_default.
MBGF-DAC-525-FW01# configure t
MBGF-DAC-525-FW01(config)# class-map inspection_default
MBGF-DAC-525-FW01(config-cmap)# match default-inspection-traffic
MBGF-DAC-525-FW01(config-cmap)# policy-map global_policy
MBGF-DAC-525-FW01(config-pmap)# class inspection_default
MBGF-DAC-525-FW01(config-pmap-c)# inspect dns maximum-length 1000
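As an added example (not part of the original post and not output from the firewall), here is a short Python script that triages 410001 messages the way the log line above was read: it parses the dropped-reply lines, reports which replies a candidate inspect dns maximum-length value would still drop, and suggests the smallest limit that covers the largest reply seen. The syslog sample, the RFC 5737 addresses in it, the 256-byte rounding step and the 4096-byte ceiling are all constructed for this example; 512 is the PIX default quoted in the post.

```python
"""Triage PIX/ASA 410001 'Dropped UDP DNS reply' syslog messages.

Constructed example: it does not reproduce the author's logs or firewall.
"""
import re
from typing import Iterable, List, NamedTuple

# Layout of syslog message 410001 as quoted in the post (the %ASA- prefix is
# accepted too, since the ASA emits the same message ID).
DNS_DROP_RE = re.compile(
    r"%(?:PIX|ASA)-4-410001: Dropped UDP DNS (?P<kind>\w+) from "
    r"(?P<src_if>\w+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) to "
    r"(?P<dst_if>\w+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+); "
    r"packet length (?P<length>\d+) bytes exceeds configured limit of (?P<limit>\d+)"
)


class DnsDrop(NamedTuple):
    kind: str        # "reply" in the post; whatever word the firewall logged
    src: str         # e.g. "outside:198.51.100.53/53"
    dst: str         # e.g. "inside:192.0.2.10/49746"
    length: int      # size of the dropped DNS message in bytes
    limit: int       # inspect dns maximum-length in force at the time


def parse_dns_drops(lines: Iterable[str]) -> List[DnsDrop]:
    """Return one DnsDrop per 410001 line; other syslog lines are ignored."""
    drops = []
    for line in lines:
        m = DNS_DROP_RE.search(line)
        if m is None:
            continue
        drops.append(DnsDrop(
            kind=m["kind"],
            src=f"{m['src_if']}:{m['src_ip']}/{m['src_port']}",
            dst=f"{m['dst_if']}:{m['dst_ip']}/{m['dst_port']}",
            length=int(m["length"]),
            limit=int(m["limit"]),
        ))
    return drops


def still_dropped(drops: List[DnsDrop], new_limit: int) -> List[DnsDrop]:
    """Drops that would recur after 'inspect dns maximum-length new_limit'.

    Mirrors the firewall's check: a message is dropped when its length is
    strictly greater than the configured maximum.
    """
    return [d for d in drops if d.length > new_limit]


def recommend_max_length(drops: List[DnsDrop], floor: int = 512,
                         ceiling: int = 4096, step: int = 256) -> int:
    """Smallest multiple of `step` that covers every observed length.

    512 is the RFC 1035 UDP ceiling (the PIX default); 4096 is the EDNS0
    buffer size most resolvers advertise, so a cap above it widens what
    inspection accepts without admitting more legitimate replies. Both
    bounds and the rounding step are this example's choice, not a Cisco
    default.
    """
    if not drops:
        return floor
    need = max(d.length for d in drops)
    rounded = -(-need // step) * step        # ceiling division
    return max(floor, min(rounded, ceiling))


# Constructed syslog sample (RFC 5737 documentation addresses). Lengths
# include the 768-byte case from the post plus one reply that a 1000-byte
# limit would still not cover. The 302015 line is there to show that
# unrelated messages are skipped.
SAMPLE_SYSLOG = """\
%PIX-4-410001: Dropped UDP DNS reply from outside:198.51.100.53/53 to inside:192.0.2.10/49746; packet length 768 bytes exceeds configured limit of 512
%PIX-6-302015: Built outbound UDP connection 91 for outside:198.51.100.53/53 (198.51.100.53/53) to inside:192.0.2.10/49747 (203.0.113.5/49747)
%PIX-4-410001: Dropped UDP DNS reply from outside:198.51.100.53/53 to inside:192.0.2.10/49747; packet length 612 bytes exceeds configured limit of 512
%PIX-4-410001: Dropped UDP DNS reply from outside:198.51.100.53/53 to inside:192.0.2.10/49748; packet length 1232 bytes exceeds configured limit of 512
""".splitlines()

if __name__ == "__main__":
    drops = parse_dns_drops(SAMPLE_SYSLOG)
    print(f"{len(drops)} DNS replies dropped; largest {max(d.length for d in drops)} bytes")
    print("still dropped at 1000:", [d.length for d in still_dropped(drops, 1000)])
    print("recommended maximum-length:", recommend_max_length(drops))
```

Feed it the firewall's syslog (for example a file exported from ASDM) and check still_dropped() against the value you intend to configure before committing it; on the constructed sample, the 1000-byte value from the post would still drop the 1232-byte reply, and the script suggests 1280 instead.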