Solved

Deny inbound UDP due to DNS Response

Posted on 2006-06-16
Last Modified: 2011-09-29
Does anyone have an idea as to what the following message is?
It appears in my Cisco firewall log several times a day!
2006-06-15 12:37:35      Local4.Critical      220.0.0.100      Jun 15 2006 11:37:35: %PIX-2-106007: Deny inbound UDP from 81.22.32.15/53 to 192.168.1.2/49127 due to DNS Response
where 192.168.1.2 is my modem connected to the internet!
I know the /53 is DNS - I have a Win 2003k set up for my network DNS
Question by: Mawallace
7 Comments
 
LVL 5

Expert Comment

by: renill
Explanation:   This is a connection-related message. This message is logged if
a UDP packet containing a DNS query or response is denied. The flag variable
is either Response or Query.

Action: If the inside port number is 53, it is likely that the inside host is
set up as a caching nameserver. Add an access-list command statement to
permit traffic on UDP port 53. If the outside port number is 53, the most
likely cause is that a DNS server was too slow to respond, and the query was
answered by another server.

If your internal DNS server is supposed to answer to public requests, add the
access-list. I would strongly advise removing the conduits and only using
access-lists. As I understand, that is the only way to provide outbound
packet filtering.

access-list udp_bound deny protocol source mask dest mask eq port
access-group udp_bound in interface inside

renill

 

Author Comment

by: Mawallace
The /53 is outside.
Does this mean I need to open up the network so that all /53 requests are passed inbound? Seems a bit dangerous to let anyone connect to the network via port 53?
 
LVL 51

Expert Comment

by: Keith Alabaster
First, are you hosting internally a DNS service that needs to be referenced by the Internet population? If no, then no you don't.

As a caveat to Renill's suggestions, if you do not already have an ACL associated with outbound traffic, be aware that once you apply an outbound ACL you will need to specifically allow all of the outbound traffic you wish to permit, i.e. no outbound ACL means all outgoing is allowed (subject to there being a suitable nat/global configuration statement in place). Apply an outbound ACL and then you need to tell it all of the allowed traffic, not just DNS, i.e. web, mail, FTP, ICMP etc.

I agree that the source port being from /53 sounds like it is a response that may well have timed out. If the original request had come from your internal network then the PIX (I assume it's PIX) would still have an entry in its tables for that request going out, so the response would be 'expected'.

You could temporarily raise the reporting level on your syslog to see if you get more detailed information but be aware that this will also put more load on your firewall.
 
LVL 79

Expert Comment

by: lrmoore
Renill posted directly from Cisco's Error Message Decoder. I think the important part is this:
" If the outside port number is 53, the most likely cause is that a DNS server was too slow to respond, and the query was answered by another server."

>%PIX-2-106007: Deny inbound UDP from 81.22.32.15/53 to 192.168.1.2/49127
In your log entry, it is clearly the outside host with port# 53 and is most likely that this is a delayed response that has already been answered and the client no longer needs it. The PIX is smart enough to deny this packet because the client already has the answer. It is part of normal operation. You can disable this particular error message # in the syslog setup.

Q: Does your internal DNS server use specified forwarders, or root hints only for unknown zones?

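The rule quoted above from Cisco's decoder (outside port 53 on a denied "DNS Response" means a late answer the client no longer needs; inside port 53 means an outside host is trying to query an inside machine as a nameserver) is easy to apply across a whole log rather than one line at a time. The following Python script is an added example, not code from the thread, from Cisco or from Experts Exchange: it parses %PIX-2-106007 lines in the format the question shows and counts them by class and by outside host, so the routine late responses can be suppressed with a clear conscience while a run of inbound queries against the inside host stands out. The first log line is the original poster's entry; the other two are constructed for illustration, with addresses chosen arbitrarily.

```python
import re
from collections import Counter

# Constructed sample syslog text. Line 1 is the entry from the question;
# lines 2 and 3 are made up in the same format to exercise both classes.
SAMPLE_LOG = """\
2006-06-15 12:37:35      Local4.Critical      220.0.0.100      Jun 15 2006 11:37:35: %PIX-2-106007: Deny inbound UDP from 81.22.32.15/53 to 192.168.1.2/49127 due to DNS Response
2006-06-15 12:41:02      Local4.Critical      220.0.0.100      Jun 15 2006 11:41:02: %PIX-2-106007: Deny inbound UDP from 198.51.100.7/40021 to 192.168.1.2/53 due to DNS Query
2006-06-15 12:42:10      Local4.Critical      220.0.0.100      Jun 15 2006 11:42:10: %PIX-2-106007: Deny inbound UDP from 81.22.32.15/53 to 192.168.1.2/49130 due to DNS Response
"""

# Body of message 106007: "Deny inbound UDP from A/p to B/q due to DNS <flag>",
# where the flag is either Response or Query (per the decoder text quoted in the thread).
MSG_RE = re.compile(
    r"%PIX-2-106007: Deny inbound UDP from "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)/(?P<sport>\d+) to "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)/(?P<dport>\d+) due to DNS (?P<flag>Response|Query)"
)


def parse_106007(line):
    """Return the fields of a 106007 line as a dict, or None for any other message."""
    m = MSG_RE.search(line)
    if not m:
        return None
    event = m.groupdict()
    event["sport"] = int(event["sport"])
    event["dport"] = int(event["dport"])
    return event


def classify(event):
    """Apply the decoder's rule to one parsed event.

    Outside port 53 carrying a Response -> a late answer to a query the PIX has
    already forgotten (normal operation, safe to suppress).
    Inside port 53 -> an outside host is treating the inside machine as a
    nameserver, which only makes sense if you intentionally publish one.
    """
    if event["sport"] == 53 and event["flag"] == "Response":
        return "late-dns-response"
    if event["dport"] == 53:
        return "inbound-dns-query"
    return "other"


def summarize(log_text):
    """Count 106007 events by class, and by (class, outside host).

    Returns (counts, by_src) so a spike in inbound-dns-query from one address
    is visible separately from the background of late responses.
    """
    counts = Counter()
    by_src = Counter()
    for line in log_text.splitlines():
        event = parse_106007(line)
        if event is None:
            continue  # not a 106007 message; ignore
        kind = classify(event)
        counts[kind] += 1
        by_src[(kind, event["src"])] += 1
    return counts, by_src


if __name__ == "__main__":
    counts, by_src = summarize(SAMPLE_LOG)
    for kind, n in counts.items():
        print(f"{kind}: {n}")
    for (kind, src), n in by_src.items():
        print(f"  {kind} from {src}: {n}")
```

Run it on an exported syslog file instead of SAMPLE_LOG to see how much of the noise is the benign late-response class before deciding to silence the message. On PIX and ASA the command that turns off a single message ID, as lrmoore suggests, is "no logging message 106007" (from the PIX/ASA configuration reference, not from the thread); the script above is a reasonable thing to keep around because suppressing the message also hides the inbound-dns-query class, which is the one worth watching.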
 

Author Comment

by: Mawallace
My DNS server uses root hints, not a specified forwarder
 
LVL 79

Accepted Solution

by: lrmoore (earned 125 total points)
I suggest just suppressing this particular message and getting on with life.
 
LVL 51

Expert Comment

by: Keith Alabaster
lol @ LR