Cisco Bug: CSCta36873 - BTF: DNS query response with EDNS0 option does not get added to DNSRC

Last Modified

Apr 04, 2017

Products (1)

  • Cisco ASA 5500-X Series Firewalls

Known Affected Releases


Description (partial)

When DNS snooping is enabled with the Botnet Traffic Filter feature, the ASA is supposed to watch for 
DNS query response packets that pass through it and add them to the DNS Reverse Cache 
(DNSRC). An issue was found in which, if the DNS query response packet carries an additional Resource 
Record (RR) that uses the EDNS0 option, the ASA passes the DNS query response packet 
through but does not add it to the DNSRC. As a result, the Botnet Traffic Filter cannot flag 
malicious traffic for the domain names that are in the A record response.
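The behaviour a DNS-snooping parser should have in this case, as an added example that is not Cisco's code: it builds an IP-to-name reverse cache from the A records in the answer section and steps over an EDNS0 OPT pseudo-RR (type 41, RFC 6891) in the additional section without dropping the response. The names `read_name`, `snoop` and `build_response`, the plain dict standing in for the DNSRC, and the sample packet are assumptions made for illustration.

```python
import struct

TYPE_A, TYPE_OPT = 1, 41  # OPT (41) is the EDNS0 pseudo-RR, RFC 6891

def read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:                      # compression pointer
            if end is None:
                end = off + 2                     # parsing resumes after the pointer
            off = ((n & 0x3F) << 8) | msg[off + 1]
            hops += 1
            if hops > 16:
                raise ValueError("compression loop")
        elif n == 0:
            return ".".join(labels), (end if end is not None else off + 1)
        else:
            labels.append(msg[off + 1:off + 1 + n].decode("ascii"))
            off += 1 + n

def snoop(msg, cache):
    """Add IP -> name for every A record in the answer section of a response.
    `cache` is a dict used here as a hypothetical stand-in for the DNSRC."""
    _id, flags, qd, an, ns, ar = struct.unpack_from("!6H", msg, 0)
    if not flags & 0x8000:                        # QR bit clear: a query, ignore
        return cache
    off = 12
    for _ in range(qd):
        _, off = read_name(msg, off)
        off += 4                                  # QTYPE + QCLASS
    for i in range(an + ns + ar):
        name, off = read_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        # OPT reuses CLASS/TTL for UDP size and flags; RDLENGTH still frames it,
        # so it is skipped like any other record instead of aborting the parse.
        if rtype == TYPE_A and rdlen == 4 and i < an:
            cache[".".join(map(str, msg[off:off + 4]))] = name
        off += rdlen
    return cache

def build_response(with_edns0):
    """Constructed sample: A answer for bad.example, optional OPT in additional."""
    q = b"\x03bad\x07example\x00" + struct.pack("!HH", 1, 1)
    a = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes([192, 0, 2, 10])
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, 0, 0)
    hdr = struct.pack("!6H", 0x1234, 0x8180, 1, 1, 0, 1 if with_edns0 else 0)
    return hdr + q + a + (opt if with_edns0 else b"")
```

Comparing the cache produced from the same response with and without the OPT record is a quick regression check for any snooping or passive-DNS component that feeds a blocklist.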

When this issue is seen, a 'debug dynamic-filter dns-snooping' would print "rr off 

DNS snooping is enabled.
Bug details contain sensitive information and therefore require an account to be viewed.
