Cisco ASA and DNSSEC-Probable Issue with Packet Size

DNSSEC (DNS Security Extensions), a set of extensions that adds origin authentication and integrity protection to DNS, is to be deployed on the root servers on May 5th. With DNS cache poisoning and man-in-the-middle attacks on the rise, the Domain Name System will be moving to a signed root zone next month.

The change adds digital signatures to DNS responses, reducing the risk that users are redirected to rogue sites masquerading as the real thing. But it is being rolled out with caution. Classic DNS over UDP (RFC 1035) limits a message to 512 bytes; EDNS0 (RFC 2671) lets a client advertise a larger UDP buffer in an OPT record, and signed responses depend on that. According to The Register, the new signed DNS packets will be much larger than 512 bytes and some existing firewalls could reject them:

Because of this, some pieces of network gear are configured out of the box to reject any UDP packet over 512 bytes on the basis that it’s probably broken or malicious. Signed DNSSEC packets are quite a lot bigger than 512 bytes, and from 5 May all the DNS root servers will respond with signed DNSSEC answers.

The K-root server, operated by the RIPE NCC, is now serving the signed root zone as part of a staged global deployment of DNSSEC across the root zone system. Starting with L-root in January 2010, the root servers began serving the signed root zone in batches in the form of a Deliberately Unvalidatable Root Zone (DURZ). This roll out period is scheduled to end in May 2010 and ICANN is scheduled to sign the root zone with real keys and release the trust anchor after 1 July 2010.

Cisco ASA probable issue with DNS packet size:

DNS inspection on the Cisco ASA is enabled by default, and the default maximum DNS message length is 512 bytes (see the default configuration below):

policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512

Any DNS message longer than 512 bytes will be dropped by the inspection engine. Since DNSSEC responses will be larger than 512 bytes, I have a suspicion that the ASA dropping these replies will be a problem. I have not tested it, but if you run into DNS problems on your network, it is an issue you will have to consider; the maximum DNS message length in the ASA inspection policy may have to be increased.

Cisco has since released a recommended fix for the DNSSEC packet size problem described above. Cisco recommends the following configuration:

policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto

With message-length maximum client auto, the ASA takes the permitted reply size from the EDNS0 OPT record in the client's query, so a resolver that advertises a 4096-byte buffer can receive DNSSEC replies up to that size. If the client's query carries no OPT record, the fixed message-length maximum (512 bytes by default) still applies.
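To make the difference between the two settings concrete, here is an added example written for this post; it is not Cisco code and does not talk to an ASA. It builds a DNS query with an EDNS0 OPT record (the record that carries the client's advertised UDP buffer size, as described above), parses that size back out of a message, and models what each inspection setting would do with a reply of a given length. Two things are assumptions rather than facts from the page or Cisco's documentation: that client auto falls back to the 512-byte default when the query has no OPT record, and the reply lengths, which are constructed rather than captured from a real DNSSEC response.

```python
"""EDNS0 payload size versus the two ASA DNS inspection settings.

Added example for this post; not Cisco code, and nothing here contacts an ASA.
Assumptions: 'client auto' falls back to the fixed 512-byte default when the
query carries no OPT record; the reply lengths used in main() are constructed.
"""
import struct
from typing import Optional

ASA_DEFAULT_MAX = 512   # 'message-length maximum 512' from the default policy-map
OPT_TYPE = 41           # RR type of the EDNS0 OPT pseudo-record (RFC 2671)


def encode_name(name: str) -> bytes:
    """Encode a dotted name in DNS wire format (length-prefixed labels, root = 0x00)."""
    out = b"".join(bytes([len(lbl)]) + lbl.encode("ascii")
                   for lbl in name.rstrip(".").split(".") if lbl)
    return out + b"\x00"


def build_query(name: str, qtype: int = 1, edns_payload: Optional[int] = 4096,
                do_bit: bool = True) -> bytes:
    """Build a UDP DNS query; with edns_payload set, append an OPT RR advertising that size."""
    arcount = 1 if edns_payload is not None else 0
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, arcount)  # flags: RD only
    msg = header + encode_name(name) + struct.pack("!HH", qtype, 1)      # QCLASS IN
    if edns_payload is not None:
        # OPT RR: root name, TYPE=41, CLASS=UDP payload size,
        # TTL=extended RCODE/version/flags (DO bit = 0x8000), empty RDATA
        ttl = 0x8000 if do_bit else 0
        msg += b"\x00" + struct.pack("!HHIH", OPT_TYPE, edns_payload, ttl, 0)
    return msg


def _skip_name(msg: bytes, off: int) -> int:
    """Advance past a wire-format name, handling compression pointers (0xC0xx)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def edns_payload_size(msg: bytes) -> Optional[int]:
    """Return the UDP payload size from the OPT RR, or None for a plain (non-EDNS) message."""
    if len(msg) < 12:
        return None
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4          # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == OPT_TYPE:
            return rclass                       # in an OPT RR the CLASS field is the payload size
        off += 10 + rdlen
    return None


def asa_allows_reply(reply_len: int, client_query: bytes, policy: str) -> bool:
    """Model the inspection limit the ASA applies to a server reply.

    'fixed512'    -> message-length maximum 512
    'client_auto' -> message-length maximum client auto (limit read from the
                     client's OPT RR; assumed to fall back to 512 without one)
    """
    if policy == "fixed512":
        limit = ASA_DEFAULT_MAX
    elif policy == "client_auto":
        limit = edns_payload_size(client_query) or ASA_DEFAULT_MAX
    else:
        raise ValueError(f"unknown policy {policy!r}")
    return reply_len <= limit


if __name__ == "__main__":
    edns_query = build_query("example.com.")                # resolver advertising 4096 bytes
    plain_query = build_query("example.com.", edns_payload=None)
    for reply_len in (400, 1200):                           # constructed reply sizes
        for query, label in ((plain_query, "plain"), (edns_query, "edns4096")):
            for policy in ("fixed512", "client_auto"):
                verdict = "pass" if asa_allows_reply(reply_len, query, policy) else "DROP"
                print(f"{label:9s} reply={reply_len:4d} {policy:11s} -> {verdict}")
```

The point to take away is that client auto does not simply raise a fixed ceiling: the ceiling is whatever the resolver behind the firewall asks for, so a resolver that still sends plain 512-byte queries gains nothing from the change, and one that advertises 4096 bytes must also be able to receive fragmented UDP datagrams of that size.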

Again, use the above with caution, and capture real traffic first (for example with tcpdump while issuing a dig +dnssec query through the firewall) to verify the DNS message sizes you actually see before making the change. Also make sure DNS over TCP (port 53) is permitted, since a reply that still does not fit in the advertised UDP size is truncated and retried over TCP.
