Fatemeh,

In your v4.4 PIX the DNS Guard is on.  DNS Guard matches DNS responses to 
DNS requests and only allows the first DNS request back in.  All additional 
responses are dropped and logged (hence your message).  You can't turn DNS 
Guard off.

Liberty for All,

Brian

At 11:43 AM 11/26/2001 -0800, Fatemeh Taj <[EMAIL PROTECTED]> wrote:

>Message: 1
>Date: Sun, 25 Nov 2001 23:40:17 -0800 (PST)
>From: Fatemeh Taj <[EMAIL PROTECTED]>
>Subject: UDP Denies on PIX
>To: [EMAIL PROTECTED]
>
>Dear All,
>I have a PIX 4.4 (I would upgrade it:) ) and I see a
>lot of UDP denies due to DNS response :
>
>%PIX-2-106007: Deny inbound UDP from Outside/53 to
>MYDNS/1097 due to DNS Response
>
>I have a rule (conduit permit udp host 195.96.144.12
>any eq 53 ) to permit such connections, but it seems
>there is another reason for these denies. As the PIX
>document says, it is because of the udp timeout. But I
>think it is a little strange; sometimes this
>Outside/53 is my external DNS, and I think a 2 minute
>UDP timeout is a very open limit for such a udp
>connection.
>Also, to trace the problem I wanted to check the duration
>of different connections. According to the document's explanation,
>%PIX-6-302006 should contain the UDP duration too, but I
>do not have this field in my %PIX-6-302006 records :(
>
>Any comment ?
>Regards
>F. Taj
>

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
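The behaviour Brian describes (one answer matched to one query, every later answer denied with a %PIX-2-106007 line, while ordinary UDP flows live until the idle timeout) is easy to see in a small model. The following is an added example written for this thread, not PIX code or anything from the list; the state table, the 120-second idle timeout constant and the "Outside"/"MYDNS"/port 123 scenario are constructed assumptions, and only the 106007 message text is taken from the quoted log.

```python
"""Constructed model of the PIX DNS Guard behaviour discussed in the thread.

Outbound UDP/53 queries open a slot keyed by the four-tuple; the first
matching response is permitted and closes the slot, any later response is
denied and logged with a %PIX-2-106007-style message. Non-DNS UDP flows
instead stay open until they have been idle longer than the UDP timeout.
"""
from dataclasses import dataclass, field

UDP_IDLE_TIMEOUT = 120  # seconds: the "2 minute" UDP timeout mentioned in the thread


@dataclass
class UdpGuard:
    """Tiny state table standing in for the firewall's UDP connection table."""
    dns_slots: dict = field(default_factory=dict)  # (in_host, in_port, out_host, out_port) -> opened at
    udp_flows: dict = field(default_factory=dict)  # same key -> time of last packet
    log: list = field(default_factory=list)        # syslog-style deny lines

    def outbound(self, t, src, sport, dst, dport):
        """Inside host sends a UDP datagram: open (or refresh) a slot."""
        key = (src, sport, dst, dport)
        if dport == 53:
            self.dns_slots[key] = t      # DNS Guard tracks the query itself
        else:
            self.udp_flows[key] = t      # ordinary UDP: idle-timeout based

    def inbound(self, t, src, sport, dst, dport):
        """Outside host replies. Returns True if permitted, False if denied."""
        key = (dst, dport, src, sport)
        if sport == 53:
            if self.dns_slots.pop(key, None) is not None:
                return True              # first answer: allowed, slot closed at once
            self.log.append(
                f"%PIX-2-106007: Deny inbound UDP from {src}/{sport} "
                f"to {dst}/{dport} due to DNS Response")
            return False
        last = self.udp_flows.get(key)
        if last is not None and t - last <= UDP_IDLE_TIMEOUT:
            self.udp_flows[key] = t      # still within the idle window: refresh it
            return True
        self.udp_flows.pop(key, None)    # idle too long (or never opened): deny silently here
        return False


def simulate():
    """Constructed scenario using the host names from the quoted log line."""
    g = UdpGuard()
    g.outbound(0, "MYDNS", 1097, "Outside", 53)
    first = g.inbound(1, "Outside", 53, "MYDNS", 1097)    # first answer: True
    dup = g.inbound(2, "Outside", 53, "MYDNS", 1097)      # second answer: False, logged
    # Contrast: an assumed non-DNS UDP flow (port 123) keeps accepting replies
    # until it has been idle for more than UDP_IDLE_TIMEOUT seconds.
    g.outbound(10, "MYDNS", 2000, "Outside", 123)
    ntp1 = g.inbound(11, "Outside", 123, "MYDNS", 2000)   # True
    ntp2 = g.inbound(100, "Outside", 123, "MYDNS", 2000)  # True, 89 s since last packet
    ntp3 = g.inbound(300, "Outside", 123, "MYDNS", 2000)  # False, 200 s idle
    return first, dup, ntp1, ntp2, ntp3, g.log


if __name__ == "__main__":
    results = simulate()
    print("DNS first/duplicate:", results[0], results[1])
    print("UDP/123 replies:", results[2:5])
    for line in results[5]:
        print(line)
```

The point for anyone reading those 106007 lines: they are not caused by the conduit or by the UDP timeout at all. The slot is closed as soon as the first answer passes, so a second answer from the same server (a retransmission, or a resolver that sends more than one reply) is denied even though the query went out a moment earlier.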
