[dns-operations] too many round robin RR's / tcp and lookup errors?

Dave Brockman dave at brockmans.com
Sun Sep 16 14:14:55 UTC 2012

On 9/16/2012 6:06 AM, Patrick, Robert (CONTR) wrote:
> DNS inspection at firewalls may be blocking the response, although 
> this should be evident from all platforms, not just from mobile 
> devices.
> You can run a test to determine if there is something in the path 
> restricting DNS packet sizes. 
> https://www.dns-oarc.net/oarc/services/replysizetest
> May not be of much help on a mobile device, but you could run this 
> from your DNS servers looking outbound toward the Internet.
> dig +short rs.dns-oarc.net txt
> As an example, Cisco ASA firewalls prior to version 8.3 by default 
> limit DNS packet size to 512 bytes.
> To change this limit, the configuration must be updated.
> More information is listed here about maximum DNS packet sizes and 
> Cisco firewalls: 
> http://www.cisco.com/web/about/security/intelligence/dnssec.html
> Example fix for Cisco ASA running version 7.x:
> conf t
> policy-map type inspect dns preset_dns_map
>   parameters
>     message-length maximum 4096
> end
> wr mem

From "behind" the ASA, the line you want in your policy-map parameters
is "message-length maximum client auto", I believe.  My template
includes both, but from the document you linked:

policy-map type inspect dns preset_dns_map
        message-length maximum client auto
        message-length maximum 512
policy-map global_policy
     class inspection_default
         inspect dns preset_dns_map
service-policy global_policy global

"The configuration shown in Figure 8 will apply inspection to any DNSSEC
packets according to the message-length maximum client auto
configuration command that, as previously stated, will set the length of
the DNSSEC message-length according to the size advertised in the EDNS
packet. All non-DNSSEC DNS packets will continue to honor the packet
size set by the message-length maximum <512> command, depending on the
size specified."


-- 
"Some things in life can never be fully appreciated nor
understood unless experienced firsthand. Some things in
networking can never be fully understood by someone who neither
builds commercial networking equipment nor runs an operational
network."  RFC 1925
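The reply-size check discussed above, as an added example that is not code from the thread or from DNS-OARC: it builds an EDNS0 query for `rs.dns-oarc.net TXT` advertising a 4096-byte UDP payload, then classifies a UDP reply the way a path test would (TC bit set, OPT record stripped, or a reply larger than 512 bytes getting through). The helper names and the constructed sample replies are this example's own assumptions; a live test would replace `make_reply` with a real UDP exchange.

```python
import struct

def encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"

def skip_name(msg, off):
    """Advance past a wire-format name (labels, or a 2-byte 0xC0 compression pointer)."""
    while msg[off] != 0 and msg[off] & 0xC0 != 0xC0:
        off += 1 + msg[off]
    return off + (2 if msg[off] & 0xC0 == 0xC0 else 1)

def build_query(name, qtype=16, edns_size=4096, txid=0x1234):
    """Query with RD set plus an OPT RR whose CLASS field advertises edns_size (EDNS0)."""
    hdr = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    opt = b"\x00" + struct.pack("!HHIH", 41, edns_size, 0, 0)  # root name, OPT, size, ttl, rdlen
    return hdr + question + opt

def make_reply(query, txt_len, tc=False, with_opt=True):
    """Constructed sample reply (no server involved): one TXT RR carrying txt_len bytes."""
    flags = 0x8180 | (0x0200 if tc else 0)                # QR, RD, RA and optionally TC
    hdr = query[:2] + struct.pack("!HHHHH", flags, 1, 1, 0, 1 if with_opt else 0)
    question = query[12:-11]                              # drop header and the 11-byte OPT
    sizes = [255] * (txt_len // 255) + [txt_len % 255]
    rdata = b"".join(bytes([n]) + b"x" * n for n in sizes if n)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 16, 1, 60, len(rdata)) + rdata
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, 0, 0) if with_opt else b""
    return hdr + question + answer + opt

def classify_reply(reply):
    """Return (tc_set, edns_size_or_None, verdict) for a reply received over UDP."""
    flags, qd, an, ns, ar = struct.unpack("!HHHHH", reply[2:12])
    tc = bool(flags & 0x0200)
    off = 12
    for _ in range(qd):
        off = skip_name(reply, off) + 4
    edns = None
    for _ in range(an + ns + ar):
        off = skip_name(reply, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", reply[off:off + 10])
        if rtype == 41:
            edns = rclass                                 # OPT reuses CLASS for the UDP payload size
        off += 10 + rdlen
    if tc:
        return tc, edns, "truncated: resolver must retry over TCP/53, so check TCP is not filtered"
    if edns is None:
        return tc, edns, "no OPT RR: EDNS stripped on the path (or server without EDNS)"
    if len(reply) > 512:
        return tc, edns, f"{len(reply)}-byte reply passed: path allows more than 512 bytes"
    return tc, edns, f"{len(reply)}-byte reply fits in 512 bytes: inconclusive"
```

Run `classify_reply` against replies captured behind the firewall and again from outside it; a reply that arrives intact outside but comes back truncated or without its OPT record inside points at the inspection limit rather than at the authoritative server.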