Jai_Kishore
New Contributor

DNS Packet size

Dear all, I have two Cisco ASA firewalls in my internal network in cluster mode, which are configured with a DNS packet size of 512 bytes. I am getting thousands of requests with larger DNS packets, which my ASA firewall is dropping, and I am getting a log for every drop, so my log server is filling up with these messages. I have a FortiGate 620B firewall in cluster mode (with IPS, AV and application control enabled) at the external side of my network, where I have configured all the policies. Now I want to stop the larger DNS packets at my external firewall, so I won't get these packets at my internal firewall. Is there any way to do this in a FortiGate firewall? Regards, Jai Kishore FCNSA
seadave
Contributor III

I assume you are running an Active Directory network? You might want to check into the EDNS0 issue. http://support.microsoft.com/kb/832223
Jai_Kishore
New Contributor

Dear dfollis, Thanks for your reply. I am using a Linux server for DNS.
Jai_Kishore
New Contributor

Dear Guys, Any suggestions please.
ede_pfau
SuperUser

Two thoughts:
1 - apply Application Control to the WAN interface and select a category with DNS. I haven't checked that (as we have holidays here) but it might be available
2 - construct an IPS custom signature for oversized packets and apply it to a DNS-only policy
Details for hand crafting IPS signatures might be included in the KB or the FortiOS Handbook.
Ede Kernel panic: Aiee, killing interrupt handler!
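As an added illustration (not code from this thread, from Fortinet or from Cisco), here is a small Python check of the two things the replies point at: a DNS message already larger than the classic 512-byte limit the ASA inspection enforces, and an EDNS0 OPT record advertising a larger UDP payload size, which is what makes resolvers return the oversized replies that get dropped. The sample queries are constructed inline; the 512-byte limit and the record type numbers come from RFC 1035 and RFC 6891.

```python
import struct

CLASSIC_DNS_LIMIT = 512  # RFC 1035 maximum UDP DNS message size (the limit the ASA in the thread enforces)

def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if (length & 0xC0) == 0xC0:     # compression pointer: 2 bytes, and it ends the name
            return off + 2
        off += 1 + length

def edns_payload_size(msg: bytes):
    """Return the UDP payload size advertised by an EDNS0 OPT record, or None if there is none."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4          # skip QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == 41:                         # OPT pseudo-RR: its CLASS field carries the payload size
            return rclass
        off += 10 + rdlen
    return None

def classify(msg: bytes, limit: int = CLASSIC_DNS_LIMIT) -> str:
    """Say how a firewall enforcing `limit` bytes would treat this DNS message."""
    if len(msg) > limit:
        return "oversized"                      # dropped outright by a 512-byte DNS inspection
    size = edns_payload_size(msg)
    if size is not None and size > limit:
        return "edns-advertises-%d" % size      # the reply to this query may exceed the limit
    return "ok"

def build_query(name: str, edns_size=None) -> bytes:
    """Constructed sample: one A-record question, with an optional EDNS0 OPT record in the additional section."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 1 if edns_size else 0)
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"
    question = qname + struct.pack("!HH", 1, 1)         # QTYPE A, QCLASS IN
    opt = b"\x00" + struct.pack("!HHIH", 41, edns_size, 0, 0) if edns_size else b""
    return header + question + opt

if __name__ == "__main__":
    print(classify(build_query("example.com", 4096)))
```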