ASA/PIX Dropped UDP DNS packet length exceeds configured limit of 512 bytes
當在ASA/PIX防火牆內架設DNS Server時,可能會碰到要查詢DomainName時無法查詢,查看防火牆Log發現如下訊息:Dropped UDP DNS reply from outside:111.111.111.111/53 to inside:xxx.xxx.xxx.xxx/xxxx; packet length 738 bytes exceeds configured limit of 512 bytes
解決方式:
利用以下指令增加DNS protocol packet length,以避免回傳值過多(一個domain name對應很多IP時就有可能會發生)時,被防火牆擋掉之問題。
fixup protocol dns maximum-length 768
Reference:
http://www.experts-exchange.com/Networking/Misc/Q_21257569.html
http://www.ccie1.com/?p=201
頁:
[1]