Cisco ASA and oversized DNSSEC packets
For a while now (May 5th 2011, to be exact) the DNS root servers have had DNSSEC enabled. This necessary addition means that DNS packets can now exceed the usual 512 bytes. On an ASA, the default DNS inspection policy is still based on the old 512-byte packet size, so here is how to change it.
Default config
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
New configuration
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 4096
This change should fix the problem, and possibly others with Windows 2008 R2 (DNS server), which tends to send large DNS packets.
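As an added illustration (not from the original post), the following Python script builds a DNSSEC-style query carrying an EDNS0 OPT record that advertises a 4096-byte UDP payload, constructs an oversized synthetic reply, and models the ASA message-length check against both the default and the new maximum. The message layouts follow RFC 1035 and RFC 6891; the reply is constructed for the demonstration and is not a real root-server answer.

```python
import struct
OPT, DNSKEY = 41, 48  # RR types: EDNS0 OPT (RFC 6891) and DNSKEY

def _name(qname):
    # Wire-format name: length-prefixed labels ending in a zero byte ("." -> b"\x00").
    labels = [l for l in qname.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def _skip_name(msg, off):
    # Return the offset just past a (possibly compressed, RFC 1035 4.1.4) name.
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:
            return off + 2  # compression pointer: two bytes, terminates the name
        off += 1 + length
        if length == 0:
            return off

def build_edns_query(qname, qtype, udp_size=4096, dnssec_ok=True):
    # Constructed query: one OPT RR in the additional section advertises the UDP
    # payload size the client accepts; the DO bit sits in the OPT "TTL" field.
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 1)
    question = _name(qname) + struct.pack("!HH", qtype, 1)  # class IN
    opt = b"\x00" + struct.pack("!HHIH", OPT, udp_size, 0x8000 if dnssec_ok else 0, 0)
    return header + question + opt

def build_response(query, rdata):
    # Constructed reply (not a real root answer): question echoed, one DNSKEY RR
    # with its name compressed to offset 12, then the client's OPT RR copied back.
    qend = _skip_name(query, 12) + 4
    header = query[:2] + struct.pack("!HHHHH", 0x8180, 1, 1, 0, 1)
    answer = b"\xC0\x0C" + struct.pack("!HHIH", DNSKEY, 1, 172800, len(rdata)) + rdata
    return header + query[12:qend] + answer + query[qend:]

def edns_udp_size(msg):
    # Walk every section to the OPT RR and return its advertised payload size,
    # or 512 (the classic RFC 1035 UDP limit) when the message carries no EDNS0.
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == OPT:
            return rclass  # in an OPT RR the CLASS field carries the UDP size
        off += 10 + rdlen
    return 512

def asa_verdict(msg, configured_max):
    # Model of 'message-length maximum': a message longer than the limit is dropped
    # no matter how large a payload the EDNS0 OPT record advertised.
    return "drop" if len(msg) > configured_max else "pass"
```

A 700-byte DNSKEY answer passes the advertised EDNS0 size but is dropped under the 512-byte default and accepted once the maximum is raised to 4096.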