  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 4112

Cisco ASA dropping OpenDNS UDP traffic?

I am running an external DNS service, OpenDNS. It requires setting up a VM DNS server that forwards DNS queries to OpenDNS, which sits outside the ASA on a public IP (208.67.222.222).

On the VM DNS server (192.168.2.4), I constantly get DNS resolution failing. I've contacted OpenDNS support and they told me that they see my TCP connection to their server failing with timeouts.

It looks like the DNS server is correctly forwarding out the queries and getting a response.
Does the teardown duration of 0:00:00 look correct?

On my ASA logs:

Source IP        Src Port   Destination IP    Dst Port   Description
192.168.2.4      40067      202.127.70.160    40067      Built dynamic UDP translation from inside:192.168.2.4/40067 to outside 202.127.70.160/40067
192.168.2.4      40067      208.67.222.222    53         Built outbound UDP connection for outside:208.67.222.222/53 to inside:192.168.2.4/40067(202.127.70.160/40067)
208.67.222.222   53         192.168.2.4       40067      Teardown UDP connection for outside:208.67.222.222/53 to inside:192.168.2.4/40067 duration 0:00:00 bytes 66

Asked by frukeus
5 Solutions
 
asavener commented:
Yes, this appears normal.  The response took less than a second, and you received 66 bytes of information.

That's a normal DNS query.



What happens when you run nslookup against the 208.67.222.222 server?
0
 
frukeus (author) commented:
On my workstations, nslookup against 208.67.222.222 is perfectly fine.

Just the OpenDNS VM forwarding out queries is reported to be having problems.
How can I trace if my firewall is dropping any outgoing DNS traffic?
0
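One way to answer the question above ("how can I trace if my firewall is dropping any outgoing DNS traffic?") from the ASA's own logs, as an added example that is not part of the original thread and not a Cisco or OpenDNS tool: a small Python script that pairs the ASA's Built/Teardown connection records (syslog IDs 302013/302014 for TCP, 302015/302016 for UDP) and ACL deny records (106023) for one host's port-53 traffic, then reports flows that completed with data, flows torn down with zero bytes (keeping the ASA's teardown reason, such as SYN Timeout), flows that were built but never torn down in the log window, and explicit ACL denies. The first two sample lines are the UDP pair from the question as the log viewer shows them (no connection IDs); the remaining lines are constructed in the ASA message format, and their connection IDs and the ACL name are made up.

```python
import re

# Sample log: the first two lines are the UDP pair from the question (as the ASA
# log viewer shows them, without connection IDs); the rest are constructed lines
# in the format of ASA syslog IDs 302013/302014 (TCP), 302015/302016 (UDP) and
# 106023 (ACL deny). The TCP connection IDs and the ACL name are made up.
SAMPLE_SYSLOG = """\
Built outbound UDP connection for outside:208.67.222.222/53 to inside:192.168.2.4/40067(202.127.70.160/40067)
Teardown UDP connection for outside:208.67.222.222/53 to inside:192.168.2.4/40067 duration 0:00:00 bytes 66
%ASA-6-302013: Built outbound TCP connection 1002 for outside:208.67.222.222/53 (208.67.222.222/53) to inside:192.168.2.4/51000 (202.127.70.160/51000)
%ASA-6-302014: Teardown TCP connection 1002 for outside:208.67.222.222/53 to inside:192.168.2.4/51000 duration 0:00:01 bytes 140 TCP FINs
%ASA-6-302013: Built outbound TCP connection 1003 for outside:208.67.222.222/53 (208.67.222.222/53) to inside:192.168.2.4/51001 (202.127.70.160/51001)
%ASA-6-302014: Teardown TCP connection 1003 for outside:208.67.222.222/53 to inside:192.168.2.4/51001 duration 0:00:30 bytes 0 SYN Timeout
%ASA-6-302013: Built outbound TCP connection 1004 for outside:208.67.220.220/53 (208.67.220.220/53) to inside:192.168.2.4/51002 (202.127.70.160/51002)
%ASA-4-106023: Deny tcp src inside:192.168.2.4/51003 dst outside:208.67.222.222/53 by access-group "inside_access_in" [0x0, 0x0]
"""

# Connection ID and the "(mapped addr/port)" fields are optional so both the
# raw syslog form and the log-viewer form in the question are accepted.
BUILT = re.compile(
    r"Built (?:outbound|inbound) (?P<proto>TCP|UDP) connection (?:(?P<id>\d+) )?for "
    r"(?P<ifa>\w+):(?P<a>[\d.]+)/(?P<ap>\d+)(?: ?\(.*?\))? to "
    r"(?P<ifb>\w+):(?P<b>[\d.]+)/(?P<bp>\d+)(?: ?\(.*?\))?"
)
TEARDOWN = re.compile(
    r"Teardown (?P<proto>TCP|UDP) connection (?:(?P<id>\d+) )?for "
    r"(?P<ifa>\w+):(?P<a>[\d.]+)/(?P<ap>\d+) to (?P<ifb>\w+):(?P<b>[\d.]+)/(?P<bp>\d+) "
    r"duration (?P<dur>\d+:\d\d:\d\d) bytes (?P<bytes>\d+)(?: (?P<reason>.*))?$"
)
DENY = re.compile(
    r'Deny (?P<proto>tcp|udp) src (?P<ifa>\w+):(?P<a>[\d.]+)/(?P<ap>\d+) '
    r'dst (?P<ifb>\w+):(?P<b>[\d.]+)/(?P<bp>\d+) by access-group "(?P<acl>[^"]+)"'
)


def _key(d):
    """Pair Built/Teardown by connection ID when present, else by the 5-tuple."""
    return d["id"] or (d["proto"], d["a"], d["ap"], d["b"], d["bp"])


def audit_dns_flows(lines, host, dns_port=53):
    """Classify every port-53 flow involving `host`:
    ok          - torn down after carrying data
    empty       - torn down with 0 bytes (ASA teardown reason kept, e.g. 'SYN Timeout')
    no_teardown - Built seen, but no Teardown in this log window
    denied      - dropped by an ACL (106023)"""
    flows = {}
    findings = {"ok": [], "empty": [], "no_teardown": [], "denied": []}
    for line in lines:
        m = BUILT.search(line)
        if m:
            d = m.groupdict()
            if host in (d["a"], d["b"]) and dns_port in (int(d["ap"]), int(d["bp"])):
                peer = d["a"] if d["b"] == host else d["b"]
                flows[_key(d)] = {"proto": d["proto"], "peer": peer, "torn": False}
            continue
        m = TEARDOWN.search(line)
        if m:
            d = m.groupdict()
            f = flows.get(_key(d))
            if f is not None:
                f.update(torn=True, bytes=int(d["bytes"]), duration=d["dur"],
                         reason=d["reason"] or "")
            continue
        m = DENY.search(line)
        if m and m.group("a") == host and int(m.group("bp")) == dns_port:
            findings["denied"].append((m.group("proto").upper(), m.group("b"), m.group("acl")))
    for key, f in flows.items():
        if not f["torn"]:
            findings["no_teardown"].append((f["proto"], f["peer"], key))
        elif f["bytes"] == 0:
            findings["empty"].append((f["proto"], f["peer"], f["reason"]))
        else:
            findings["ok"].append((f["proto"], f["peer"], f["bytes"]))
    return findings


if __name__ == "__main__":
    for kind, items in audit_dns_flows(SAMPLE_SYSLOG.splitlines(), "192.168.2.4").items():
        print(kind, items)
```

Feed it the output of `show logging | include 192.168.2.4` (or the syslog server's file). What to read from the buckets: a TCP flow torn down with 0 bytes and the reason SYN Timeout means the ASA built the connection and forwarded the SYN but never saw a SYN/ACK, which points at the path beyond the firewall or at the client, not at an ACL on the ASA; an ACL drop shows up as a 106023 deny; and a Built with no Teardown at all is a flow still open at the end of the window. Packets the ASA discards for other reasons (inspection, for instance) are counted in `show asp drop`, so check that alongside the syslog buckets.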
 
Ernie Beek commented:
You have DNS inspection set up in the ASA?

A sanitized config would come in handy :)
0
 
asavener commented:
You mentioned TCP.  TCP is used for zone transfers, not for normal lookups.  Lookups use UDP.

What's going on with TCP?
0
 
frukeus (author) commented:
According to OpenDNS support, this was logged in their VM appliance, which resides inside my LAN.

Wed Aug 29 15:47:48 2012     TCP connection to 208.67.222.222 fails: Timeout
Wed Aug 29 15:48:48 2012     TCP connection to 208.67.220.220 fails: Timeout
Wed Aug 29 15:48:48 2012     TCP connection to 208.67.222.222 fails: Timeout
Wed Aug 29 15:49:48 2012     TCP connection to 208.67.222.222 fails: Timeout

According to them, not all connections are timing out, there are a few successes.
They are suspecting some form of throttling or IPS.



I have DNS inspection in the ASA:

policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
class inspection_default
 inspect dns preset_dns_map

class-map my-ip-class
 match access-list IPS

class my-ips-class
 ips promiscuous fail-open
 user-statistics accounting

access-list IPS extended permit ip any any
 match access-list IPS
0
 
Ernie Beek commented:
Any access lists on the interfaces that might block that traffic?
You could also check the logging on the ASA to see if anything is dropped/denied.
0
 
frukeus (author) commented:
If my access list were blocking, then it should theoretically drop all that traffic, right? But some seems to be getting through...

I checked the logs on my ASA and filtered by the IP of the appliance. All I see is the DNS traffic mentioned in my original question. I don't see any other dropped/denied logs.
0
 
asavener commented:
What logging level is your device set at?

Try setting it to debug, and see if you get any additional messages.
0
 
frukeus (author) commented:
It is already set to debug...
0
 
asavener commented:
You can try the packet tracer and see if it identifies any issues.

You can also try the packet capture feature, and analyze the traffic with Wireshark.
0
 
frukeus (author) commented:
I did already try packet tracer and it didn't show any problems. I've lodged a support call with OpenDNS and they are going to do a tcpdump on the VM. Will probably have an answer in a couple of days. Let's see how it goes before I close and award the points.
0
 
Ernie Beek commented:
We'll be here :)
0
 
asavener commented:
According to OpenDNS support, this was logged in their VM appliance, which resides inside my LAN.

Wed Aug 29 15:47:48 2012     TCP connection to 208.67.222.222 fails: Timeout
Wed Aug 29 15:48:48 2012     TCP connection to 208.67.220.220 fails: Timeout
Wed Aug 29 15:48:48 2012     TCP connection to 208.67.222.222 fails: Timeout
Wed Aug 29 15:49:48 2012     TCP connection to 208.67.222.222 fails: Timeout



192.168.2.4    40067      208.67.222.222     53                     Built outbound UDP connection for outside:208.67.222.222/53 to inside:192.168.2.4/40067(202.127.70.160/40067)
208.67.222.222   53     192.168.2.4           40067                  Teardown UDP connection for outside:208.67.222.222/53 to inside:192.168.2.4/40067 duration 0:00:00 bytes 66

It's entirely possible that the ASA is blocking TCP connections, but allowing UDP connections.

I think you need to find out from OpenDNS what the device is trying to do via TCP.

If they're trying to perform a zone transfer, then you may need to modify the ASA configuration to allow it.

A DNS forward request, or a recursive lookup, would use UDP/53.


I suggest using the packet tracer again, using TCP/53 as the destination port.
0
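To make concrete what "TCP/53 versus UDP/53" means for a forwarder like the appliance in this thread, here is an added example in Python; it is not from the original post and not OpenDNS's or Cisco's code. It builds a standard DNS query, a constructed server-side answer carrying one A record, shows the only wire-level difference between the two transports (the 2-byte length prefix RFC 1035 requires over TCP), and parses the reply including the TC (truncated) bit, which is what makes a client retry a UDP query over TCP. `probe()` sends a real query over either transport with a timeout, so the appliance's "TCP connection ... fails: Timeout" check can be reproduced from another host on the LAN; `simulate_exchange()` exercises the same builder, framing and parser offline with constructed messages. The name resolver-test.example and the address 203.0.113.10 are made up.

```python
import socket
import struct


def encode_name(name):
    """Wire-format name: length-prefixed labels ending with a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def decode_name(data, off):
    """Decode a possibly compressed name at `off`; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = data[off]
        if (length & 0xC0) == 0xC0:                  # compression pointer (RFC 1035 4.1.4)
            end = end if end is not None else off + 2
            off = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(data[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def build_query(name, qid, qtype=1):
    """Standard recursive query (RD=1), one question, class IN; identical on UDP and TCP."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def build_answer(query, ipv4, tc=False):
    """Constructed server side: copy the question back, add one A record, optionally set TC."""
    qid = struct.unpack("!H", query[:2])[0]
    flags = 0x8180 | (0x0200 if tc else 0)          # QR, RD, RA (+TC)
    rr = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(ipv4)
    return struct.pack("!HHHHHH", qid, flags, 1, 1, 0, 0) + query[12:] + rr


def parse_response(data):
    """Return id, RCODE, TC flag and the A records of the answer section."""
    qid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", data[:12])
    off, answers = 12, []
    for _ in range(qd):
        _, off = decode_name(data, off)
        off += 4                                     # QTYPE + QCLASS
    for _ in range(an):
        _, off = decode_name(data, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            answers.append(socket.inet_ntoa(data[off:off + 4]))
        off += rdlen
    return {"id": qid, "rcode": flags & 0xF, "tc": bool(flags & 0x0200), "answers": answers}


def tcp_frame(msg):
    """Over TCP every DNS message gets a 2-byte big-endian length prefix (RFC 1035 4.2.2)."""
    return struct.pack("!H", len(msg)) + msg


def tcp_unframe(stream):
    (length,) = struct.unpack("!H", stream[:2])
    if len(stream) < 2 + length:
        raise ValueError("short TCP DNS message")
    return stream[2:2 + length]


def probe(server, name, proto="udp", timeout=2.0, qid=0x1234):
    """Send one live query and classify the outcome; needs network access, not used offline."""
    q = build_query(name, qid)
    try:
        if proto == "udp":
            with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
                s.settimeout(timeout)
                s.sendto(q, (server, 53))
                data, _ = s.recvfrom(4096)
        else:
            with socket.create_connection((server, 53), timeout=timeout) as s:
                s.sendall(tcp_frame(q))
                buf = b""
                while len(buf) < 2 or len(buf) < 2 + struct.unpack("!H", buf[:2])[0]:
                    chunk = s.recv(4096)
                    if not chunk:
                        break
                    buf += chunk
                if len(buf) < 2:
                    return {"status": "closed"}      # peer hung up without a reply
                data = tcp_unframe(buf)
    except socket.timeout:
        return {"status": "timeout"}
    except OSError as exc:
        return {"status": "error: %s" % exc}
    r = parse_response(data)
    r["status"] = "ok" if r["id"] == qid else "id-mismatch"
    return r


def simulate_exchange(name="resolver-test.example", ipv4="203.0.113.10", tc=False):
    """Offline round trip: query -> constructed answer -> TCP framing -> parse."""
    q = build_query(name, 0xBEEF)
    reply = build_answer(q, ipv4, tc=tc)
    assert tcp_unframe(tcp_frame(reply)) == reply   # framing is the only TCP-specific difference
    return parse_response(reply)
```

Run `probe('208.67.222.222', 'www.opendns.com', 'tcp')` and the same with `'udp'` from the appliance's subnet and from a workstation: a parsed answer on UDP but `timeout` on TCP reproduces the appliance's symptom, and `tc` coming back True on a UDP reply means the resolver wants the client to retry that query over TCP. The `message-length maximum 512` parameter in the DNS inspection policy posted in this thread is enforced on the UDP messages the inspection sees; the TCP stream is framed by the length prefix shown above and is not subject to that UDP limit.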
 
frukeus (author) commented:
It's entirely possible that the ASA is blocking TCP connections, but allowing UDP connections.

I think you need to find out from OpenDNS what the device is trying to do via TCP.

If they're trying to perform a zone transfer, then you may need to modify the ASA configuration to allow it.

A DNS forward request, or a recursive lookup, would use UDP/53.

I suggest using the packet tracer again, using TCP/53 as the destination port.

I have checked both. Outgoing TCP and UDP/53 are all allowed.
In fact, all outgoing traffic initiated from the LAN is not blocked.
0
 
asavener commented:
But TCP/53 might be inspected and discarded.
0
 
frukeus (author) commented:
So how do I check that? I need something outside my firewall capturing traffic to verify?
0
 
asavener commented:
I'm still suggesting that you run the packet tracer again, using TCP/53.
0
 
frukeus (author) commented:
I'm still suggesting that you run the packet tracer again, using TCP/53.
I wasn't clear in my answer, but I have run both TCP/53 and UDP/53 through the packet tracer.
0
 
frukeus (author) commented:
Thu Sep  6 15:21:41 2012 OpenDNS Servers: All DNS fail => All DNS ok
Thu Sep  6 15:21:41 2012     UDP traffic to 208.67.220.220 succeeds: 67.215.65.132
Thu Sep  6 15:21:41 2012     TCP connection to 208.67.220.220 succeeds
Thu Sep  6 15:21:41 2012     UDP traffic to 208.67.222.222 succeeds: 67.215.65.132
Thu Sep  6 15:21:41 2012     TCP connection to 208.67.222.222 succeeds
Thu Sep  6 15:22:42 2012 OpenDNS Servers: All DNS ok => Not all DNS ok
Thu Sep  6 15:22:42 2012     UDP traffic to 208.67.220.220 succeeds: 67.215.65.132
Thu Sep  6 15:22:42 2012     TCP connection to 208.67.220.220 fails: Timeout
Thu Sep  6 15:22:42 2012     UDP traffic to 208.67.222.222 succeeds: 67.215.65.132
Thu Sep  6 15:22:42 2012     TCP connection to 208.67.222.222 succeeds
Thu Sep  6 15:23:41 2012 OpenDNS Servers: Not all DNS ok => All DNS ok
Thu Sep  6 15:23:41 2012     UDP traffic to 208.67.220.220 succeeds: 67.215.65.132
Thu Sep  6 15:23:41 2012     TCP connection to 208.67.220.220 succeeds
Thu Sep  6 15:23:41 2012     UDP traffic to 208.67.222.222 succeeds: 67.215.65.132
Thu Sep  6 15:23:41 2012     TCP connection to 208.67.222.222 succeeds
Thu Sep  6 15:24:42 2012 OpenDNS Servers: All DNS ok => All DNS fail
Thu Sep  6 15:24:42 2012     UDP traffic to 208.67.220.220 succeeds: 67.215.65.132
Thu Sep  6 15:24:42 2012     TCP connection to 208.67.220.220 fails: Timeout
Thu Sep  6 15:24:42 2012     UDP traffic to 208.67.222.222 succeeds: 67.215.65.132
Thu Sep  6 15:24:42 2012     TCP connection to 208.67.222.222 fails: Timeout

I was provided their tcpdumps... it is weird that TCP sometimes times out.
But UDP always seems to succeed.
But TCP does go through at times.
0
 
asavener commented:
You might try adjusting the maximum segment size.

sysopt connection tcpmss 1300

Or even smaller....
0
 
frukeus (author) commented:
It turns out to be a problem with the OpenDNS virtual appliance.
After I created another instance with double the memory and processor, the TCP timeouts stopped.
0
