- Red Hat Enterprise Linux 5
- Firewall CISCO ASA
- I've configured an External DNS and configuration looks correct but always in the first request after restart bind service I received timeout. If I try again and send the same request again the reply is ok. What should be the root cause for that behavior?
To get your DNS server working fine behind a CISCO ASA firewall you need to change the parameter that limits the size of UDP packet. The default configuration is 512 and you need to change it to 1024.
Note that this is a firewall limit and you need to contact your firewall vendor to obtain more details about this change. However, the easier way to make this change is via:
policy-map global_policy -> class inspection_default -> inspect dns maximum-length 1024
According with vendor documentation the reason for it is:
"The maximum DNS packet length can be configured in a range from 512 to 65,535 bytes. The default packet size is 512 bytes. It is recommended to use a maximum size of 1024 bytes, because several DNS applications use sizes larger than 512 bytes. "
You can found this text and more information about this subject in official Cisco ASA documentation.
- Red Hat Enterprise Linux
- Learn more
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.