Skip to main content

Cisco ASA 5505 and EDNS issue

resolution: update your running config on your firewall. See below

issue:
I changed my primary internal DNS to run on a RHEL 6.2 system. After that there were noticeable lags occasionally when I would browse.  Upon review of the syslog I noticed messages like the following;

Jan 31 22:44:41 zion named[26381]: success resolving 'p03-bookmarks.icloud.com/A' (in 'icloud.com'?) after reducing the advertised EDNS UDP packet size to 512 octets

I happen to use a Cisco ASA 5505 and I did some digging around.

firewall(config)# show run | grep mess
  message-length maximum 512

So - it turns out the value is set as part of a policy-map.  Let's tune it.


firewall(config)# policy-map type inspect dns preset_dns_map
firewall(config-pmap)# parameters
firewall(config-pmap-p)# no message-length maximum 512
firewall(config-pmap-p)# message-length maximum 4096
firewall(config-pmap-p)# 
firewall(config-pmap-p)# write mem
Building configuration...
Cryptochecksum: 3a1cdf20 91ce7d1e d8b188fc 1ac006fb 


4215 bytes copied in 1.420 secs (4215 bytes/sec)
[OK]
firewall(config-pmap-p)# 

Everything is better... now I just get these errors (and nothing on my side will fix this issue)
Jan 31 22:46:30 zion named[26381]: error (network unreachable) resolving 'thumbnail.newsinc.com/A/IN': 2001:500:90:1::18#53


Comments

Post a Comment

Popular posts from this blog

P2V using dd for KVM-QEMU guest

Preface: I have certainly not exhaustively tested this process.  I had a specific need and found a specific solution that worked. Situation:  I was issued a shiny new laptop running Red Hat Enterprise Linux 7 (with Corp VPN, certs, Authentication configuration, etc...)  The image was great, but I needed more flexibility on my bare metal.  So, my goal was to P2V the corporate image so I could just run it as a VM. * Remove corporate drive and install new SSD * install corp drive in external USB-3 case * Install RHEL 7 on new SSD * dd old drive to a disk-image file in a temp location which will be an image which is the same size as your actual drive (unless you have enough space in your destination to contain a temp and converted image) * convert the raw disk-image to a qcow file while pushing it to the final location - this step should reduce the disk size - however, I believe it will only reduce/collapse zero-byte blocks (not just free space - i.e. if you de...

Sun USS 7100 foo

TIP: put ALL of your LUNs into a designated TARGET and INITIATOR group when you create them.  If you leave them in the "default" group, then everything that does an discovery against the array will find them :-( I'm struggling to recognize a reason that a default should even be present on the array. Also - who, exactly, is Sun trying to kid.  The USS is simply a box.. running Solaris .. with IPMP and ZFS.  Great.  If you have ever attempted to "break-in" or "p0wn" your IBM HMC, you know that there are people out there that can harden a box - then.. there's Sun.  After a recent meltdown at the office I had to get quite intimate with my USS 7110 and learned quite a bit.  Namely: there's a shell ;-) My current irritation is how they attempt to "warn you" away from using the shell (my coverage expired a long time ago to worry about that) and then how they try to hide things, poorly. I was curious as to what version of SunOS it ...

"Error getting authority: Error initializing authority: Could not connect: No such file or directory (g-io-error-quark, 1)"

"Error getting authority: Error initializing authority: Could not connect: No such file or directory (g-io-error-quark, 1)" One issue that may cause this to arise is if you managed to break your /etc/fstab We had an engineer add a line with the intended options of "nfsvers=3" but instead added "-onfsvers=3" and it broke the system fairly catastrophically.