Friday, October 19, 2018

Cisco ASA and OPENDNS DNSCrypt

Hi,

Recently we tried to implement the Cisco Umbrella (OpenDNS) virtual appliances, and one of the requirements is to use DNSCrypt. They have a guide that shows you how to disable DNS packet inspection for the VAs specifically and inspect everything else.

We followed their guide on their website, but now our remote offices that need to connect to the DNS servers behind this ASA are getting timeouts. OpenDNS says that DNSCrypt is still working fine, but nothing else that uses normal DNS is.

We followed this guide:

https://support.umbrella.com/hc/en-us/articles/230562207-Cisco-ASA-Firewall-blocks-DNSCrypt

So to get normal DNS to work, we kept everything but removed the following:

access-list dns_inspect extended permit udp any any eq domain

access-list dns_inspect extended permit tcp any any eq domain

We're trying to understand how removing those two lines makes any difference security-wise, or how removing them fixed it.

Thanks.

Edit:

We added

access-list dns_inspect extended permit udp any any eq domain

again and it's still working, but it breaks when we add the same rule with TCP. Any ideas why?
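Added example, not from the post, the Umbrella guide or Cisco: a small Python model of how the ASA extended ACL entries quoted above select flows, so you can see which DNS traffic ends up in the `dns_inspect` class with and without the TCP line. It assumes a simplified ASA syntax (`access-list NAME extended permit|deny udp|tcp|ip SRC DST [eq PORT]`, with `any` or `host A.B.C.D` endpoints) and the post's reading of the guide, namely that a flow matched by a `permit` entry in `dns_inspect` is placed in the class that receives DNS inspection; the sample config and flows are constructed.

```python
"""Model which flows an ASA extended ACL selects for DNS inspection.

Simplified ASA ACE syntax (assumption for this example):
  access-list NAME extended permit|deny udp|tcp|ip SRC DST [eq PORT]
  SRC/DST: 'any' or 'host A.B.C.D'; PORT: number or the keyword 'domain'.
Matching uses first-match semantics: a 'permit' hit selects the flow,
a 'deny' hit or no hit leaves it out of the class.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

SERVICE_PORTS = {"domain": 53}  # ASA service keyword -> port number

ACE_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+extended\s+(?P<action>permit|deny)\s+"
    r"(?P<proto>udp|tcp|ip)\s+(?P<src>any|host\s+\S+)\s+(?P<dst>any|host\s+\S+)"
    r"(?:\s+eq\s+(?P<port>\S+))?\s*$"
)

# Constructed sample configs: the two lines from the post, and the UDP-only
# variant that the post says left normal DNS working.
CONFIG_BOTH = """
access-list dns_inspect extended permit udp any any eq domain
access-list dns_inspect extended permit tcp any any eq domain
"""
CONFIG_UDP_ONLY = """
access-list dns_inspect extended permit udp any any eq domain
"""


@dataclass
class Ace:
    name: str
    action: str
    proto: str
    src: Optional[ipaddress.IPv4Address]  # None means 'any'
    dst: Optional[ipaddress.IPv4Address]  # None means 'any'
    port: Optional[int]                   # None means no 'eq' clause


@dataclass
class Flow:
    proto: str   # 'udp' or 'tcp'
    src: str
    dst: str
    dport: int


def _endpoint(text: str) -> Optional[ipaddress.IPv4Address]:
    return None if text == "any" else ipaddress.IPv4Address(text.split()[1])


def parse_ace(line: str) -> Ace:
    m = ACE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported ACE syntax: {line!r}")
    port = m.group("port")
    if port is not None:
        port = SERVICE_PORTS.get(port) or int(port)
    return Ace(m.group("name"), m.group("action"), m.group("proto"),
               _endpoint(m.group("src")), _endpoint(m.group("dst")), port)


def parse_acl(config_text: str, name: str) -> List[Ace]:
    """Collect the entries of one named ACL, in configuration order."""
    return [parse_ace(line) for line in config_text.splitlines()
            if line.strip().startswith(f"access-list {name} ")]


def ace_matches(ace: Ace, flow: Flow) -> bool:
    if ace.proto != "ip" and ace.proto != flow.proto:
        return False
    if ace.src is not None and ace.src != ipaddress.IPv4Address(flow.src):
        return False
    if ace.dst is not None and ace.dst != ipaddress.IPv4Address(flow.dst):
        return False
    return ace.port is None or ace.port == flow.dport


def selected_for_inspection(acl: List[Ace], flow: Flow) -> bool:
    """True if the first matching entry is a 'permit' (flow joins the class)."""
    for ace in acl:
        if ace_matches(ace, flow):
            return ace.action == "permit"
    return False


def inspection_report(config_text: str, acl_name: str, flows: List[Flow]) -> dict:
    """Map '<proto>/<dport>' to whether the flow lands in the inspected class."""
    acl = parse_acl(config_text, acl_name)
    return {f"{f.proto}/{f.dport}": selected_for_inspection(acl, f) for f in flows}


if __name__ == "__main__":
    # Constructed flows: a UDP query, a TCP query (e.g. a large/zone response),
    # and an unrelated UDP flow on port 123 as a control.
    sample = [Flow("udp", "10.1.1.10", "10.0.0.53", 53),
              Flow("tcp", "10.1.1.10", "10.0.0.53", 53),
              Flow("udp", "10.1.1.10", "10.0.0.53", 123)]
    for label, cfg in (("both lines", CONFIG_BOTH), ("udp only", CONFIG_UDP_ONLY)):
        print(label, inspection_report(cfg, "dns_inspect", sample))
```

Run stand-alone it prints, for each config, which of the constructed flows the `dns_inspect` ACL selects; the difference between the two configs is exactly the TCP/53 flow, which is the traffic the post says breaks when the TCP line is present.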


