I started to inform how Cisco ASA, Cisco PIX and Cisco FWSM firewall appliance secure their domain from DNS traffic. What is possible, what can I transport over DNS without increased drop probability. I question myself what DNS flags can be touched without any flaw.
I must admit that I'm no Cisco expert - not at all. If I look at the configuration possibilities I have to say "wow":
class-map inspection_default match default-inspection-traffic policy-map type inspect dns preset_dns_map parameters dns-guard id-randomization message-length maximum 512 id-mismatch count 10 duration 2 action log exit match header-flag RD drop policy-map global_policy class inspection_default inspect dns preset_dns_map service-policy global_policy global
What administrator knows DNS at this level? I mean that are no default values (I think so), that are the recommendation of the official Cisco webpage. Let me pick the message-length option: this means that no DNS request/reply larger as 512 byte can be received! Today in a world of EDNS0, DNSSEC and several AAAA answers in one packet this limit can trigger erroneous function. Especially because the "configuration error" will show up rarely.