[RHEL5] External DNS request timeout in the first attempt if DNS server is behind a CISCO ASA firewall

Solution Verified

Environment

  • Red Hat Enterprise Linux 5
  • Firewall CISCO ASA

Issue

  • I've configured an external DNS server and the configuration looks correct, but the first request after restarting the bind service always times out. If I send the same request again, the reply is OK. What could be the root cause of that behavior?

Resolution

To get your DNS server working correctly behind a CISCO ASA firewall you need to change the parameter that limits the size of a DNS UDP packet that the firewall will let through. The default limit is 512 bytes and you need to change it to 1024.

Note that this is a firewall limit, so contact your firewall vendor for details about this change. The simplest way to make the change on the ASA is the following configuration hierarchy (policy-map, then class, then the inspect statement):

  policy-map global_policy
   class inspection_default
    inspect dns maximum-length 1024

According to the vendor documentation, the reason for this is:

"The maximum DNS packet length can be configured in a range from 512 to 65,535 bytes. The default packet size is 512 bytes. It is recommended to use a maximum size of 1024 bytes, because several DNS applications use sizes larger than 512 bytes."

You can find this text and more information about this subject in the official Cisco ASA documentation.
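The mechanism behind the first-query timeout, as an added example that is not from the Red Hat article or from Cisco: a stdlib-only Python script that builds a DNS query carrying the EDNS0 OPT record a modern resolver uses to advertise a 4096-byte receive buffer, synthesizes an answer larger than 512 bytes, and classifies it against the inspection limit. It assumes the firewall drops any DNS message longer than the configured maximum length, and the response and addresses are constructed sample data.

```python
import struct

def _encode_name(name):
    """Wire-format a dotted name as length-prefixed labels ending in a zero byte."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"

def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name starting at off."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:          # compression pointer: 2 bytes, ends the name
            return off + 2
        if length == 0:
            return off + 1
        off += 1 + length

def build_edns_query(name, udp_payload=4096, txid=0x1234):
    """A-record query with an EDNS0 OPT record advertising a udp_payload-byte buffer."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)   # RD=1, 1 question, 1 additional
    question = _encode_name(name) + struct.pack("!HH", 1, 1)      # QTYPE=A, QCLASS=IN
    opt = b"\x00" + struct.pack("!HHIH", 41, udp_payload, 0, 0)   # root name, TYPE=OPT, CLASS=payload size
    return header + question + opt

def build_response(query, addresses):
    """Constructed answer: one A record per IPv4 address, name compressed back to the question."""
    qend = _skip_name(query, 12) + 4
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addresses), 0, 1)  # QR=1, RD, RA
    rrs = b"".join(b"\xC0\x0C" + struct.pack("!HHIH4B", 1, 1, 300, 4, *map(int, a.split(".")))
                   for a in addresses)
    return header + query[12:qend] + rrs + query[qend:]          # echo question and OPT from the query

def advertised_payload_size(msg):
    """UDP payload size from the OPT record, or 512 when the message carries no EDNS0."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == 41:
            return rclass                  # OPT stores the buffer size in the CLASS field
        off += 10 + rdlen
    return 512

def firewall_verdict(msg, max_length=512):
    """How a DNS inspection limit treats the message (assumption: longer than max_length is dropped)."""
    return "dropped" if len(msg) > max_length else "passed"

if __name__ == "__main__":
    q = build_edns_query("example.com")
    r = build_response(q, ["192.0.2.%d" % i for i in range(1, 41)])   # constructed 40-record answer
    print(len(r), advertised_payload_size(q), firewall_verdict(r), firewall_verdict(r, 1024))
```

The resolver advertises 4096 bytes, so the server happily sends a 680-byte answer; with the default 512-byte limit that answer never arrives and the resolver times out, while with maximum-length 1024 it passes.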


1 Comment

Note that things have changed over the years. DNS answers can sometimes be bigger than 1024 bytes. Today 1280 bytes is considered the minimum, because every device supporting IPv6 has to support an MTU of at least 1280. The maximum should be advertised by the DNS server in the EDNS extension. It defaults to 4096 bytes in most implementations.