Cisco Bug: CSCta36873 - BTF: DNS query response with EDNS0 option does not get added to DNSRC
Feb 28, 2018
- Cisco ASA 5500-X Series Firewalls
Known Affected Releases
<B>Symptom:</B> When DNS snooping is enabled with the Botnet Traffic Filter feature, it is supposed to watch for DNS query response packets that come through the ASA, and add it to the DNS Reverse Cache (DNSRC). An issue was found in which if the DNS query response packet has additional Resource Record (RR) with EDNS0 option used, the ASA would pass the DNS query response packet through BUT does not add it to the DNSRC. This mechanism would cause the Botnet Traffic Filter not being able to flag the malicious traffic for the domain names that is in the A record response. When this issue is seen, a 'debug dynamic-filter dns-snooping' would print "rr off end". <B>Conditions:</B> DNS snooping is enabled.
Bug details contain sensitive information and therefore require a Cisco.com account to be viewed.
Bug Details Include
- Full Description (including symptoms, conditions and workarounds)
- Known Fixed Releases
- Related Community Discussions
- Number of Related Support Cases