Network technologies and trends

Apr 25 2011   5:10AM GMT

DNS Queries in Windows 2008 R2 Server fails – Part 2

Yasir Irfan Yasir Irfan Profile: Yasir Irfan

In my previous post I was talking about the DNS query problem we were facing with Windows 2008 R2 server. The solution is quite simple. Immediately I started monitoring the logs in the Cisco PIX 525 firewall using ADSM and syslog. I figured out the DNS queries were replied back from the ISP but were dropped by the Cisco PIX 525 Firewall.

%PIX-4-410001: Dropped UDP DNS reply from outside:x.x.x.x/53 to

inside:y.y.y.y/49746; packet length 768 bytes exceeds configured limit of 512

I was wondering what might be the reason, then figured out the packets received from ISP is of 768 bytes whereas by default the Cisco PIX 525 Firewall allows 512 bytes as shown below.

The problem was with the default DNS inspection policy-map. By default in Cisco PIX 525, Cisco ASA it’s configured to 512 bytes

The moment I changed the default DNS inspection policy-map from 512 bytes to 1000 bytes things were normal the Windows 2008 R2 Server was resolving the DNS queries.

The commands I used to change the default DNS inspection policy-map is as follows.

MBGF-DAC-525-FW01# configure t

MBGF-DAC-525-FW01(config)# class-map inspection_default

MBGF-DAC-525-FW01(config-cmap)# match default-inspection-traffic

MBGF-DAC-525-FW01(config-cmap)# policy-map global_policy

MBGF-DAC-525-FW01(config-pmap)# class inspection_default

MBGF-DAC-525-FW01(config-pmap-c)# inspect dns maximum-length 1000


 Comment on this Post

There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when other members comment.

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to:

Share this item with your network: