
[Solved] Dropping packet: DNS packet of insuffient length: 25

Hi everyone

I've got an internal DNS server.  

LAN Network 10.99.150.0/24
UTM
LAN IP 10.99.150.1
DNS Server 1 10.99.150.100

Everything is working fine, but nearly every 5 seconds I've got a new log entry like this:

2016:11:03-09:19:52 vm ulogd[12400]:
id="2000" severity="info" sys="SecureNet" sub="packetfilter" name="Packet logged" action="log" fwrule="0"
srcip="10.99.150.1" dstip="10.99.150.100" proto="17"
length="45" tos="0x00" prec="0x00" ttl="64"
srcport="16987" dstport="53"
info="nf_ct_dns: dropping packet: DNS packet of insuffient length: 25

and in the live log a white/grey entry:

09:19:52 UDP 10.99.150.1:50072 --> 10.99.150.100:53 len=45 ttl=64 tos=0x00

Has someone ever seen that before? What am I missing?
Thank you for any responses.

Update

It looks like our Primary DNS is configured incorrectly. When I remove the Primary DNS Server then the message doesn't appear.
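
One way to triage these entries offline, as an added example (not part of the original thread and not Sophos code): it parses the key="value" packet filter lines in the format quoted above, groups the nf_ct_dns drops by source and destination, and derives the UDP and DNS payload sizes from the logged length field. It assumes an IPv4 header without options (20 bytes); the second and third timestamps and source ports in the sample are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: the entry from the post joined onto one line, repeated
# at 5 s intervals. As in the post, the info value has no closing quote.
_TPL = ('{ts} vm ulogd[12400]: id="2000" severity="info" sys="SecureNet" '
        'sub="packetfilter" name="Packet logged" action="log" fwrule="0" '
        'srcip="10.99.150.1" dstip="10.99.150.100" proto="17" length="45" '
        'tos="0x00" prec="0x00" ttl="64" srcport="{sport}" dstport="53" '
        'info="nf_ct_dns: dropping packet: DNS packet of insuffient length: 25')
SAMPLE_LOG = "\n".join(_TPL.format(ts=t, sport=p) for t, p in [
    ("2016:11:03-09:19:52", 16987), ("2016:11:03-09:19:57", 50072),
    ("2016:11:03-09:20:02", 23811)])

FIELD = re.compile(r'(\w+)="([^"]*)')   # tolerates a missing closing quote
IPV4_HDR, UDP_HDR = 20, 8               # assumption: no IPv4 options


def parse_line(line):
    """Turn one packet filter log line into a dict of its fields plus a timestamp."""
    ts, _, rest = line.partition(" ")
    rec = dict(FIELD.findall(rest))
    rec["ts"] = datetime.strptime(ts, "%Y:%m:%d-%H:%M:%S")
    return rec


def dns_helper_drops(log_text):
    """Summarise nf_ct_dns drops per (srcip, dstip) pair."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if "nf_ct_dns: dropping packet" in line:
            rec = parse_line(line)
            events[(rec["srcip"], rec["dstip"])].append(rec)
    report = {}
    for pair, recs in events.items():
        recs.sort(key=lambda r: r["ts"])
        gaps = sorted((b["ts"] - a["ts"]).total_seconds()
                      for a, b in zip(recs, recs[1:]))
        udp_len = int(recs[0]["length"]) - IPV4_HDR
        report[pair] = {
            "count": len(recs),
            "udp_len": udp_len,                      # UDP header + payload
            "dns_payload": udp_len - UDP_HDR,        # bytes of DNS message
            "reported_len": int(recs[0]["info"].rsplit(":", 1)[1]),
            "median_gap_s": gaps[len(gaps) // 2] if gaps else None,
        }
    return report


if __name__ == "__main__":
    for pair, summary in dns_helper_drops(SAMPLE_LOG).items():
        print(pair, summary)
```

For the entry in the post this gives a UDP length of 25, the same number the helper reports, which leaves a 17-byte DNS message sent from the UTM's own LAN address.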



  • Hi Mike,

    Seems to me like you have DNS configured incorrectly OR the firewall is blocking DNS. What are the DNS forwarders configured in UTM, are they ISP assigned?

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support

  • Hi Sachin,

    No, the DNS forwarders on the UTM point to our internal DNS Servers 10.99.150.100 and 10.99.150.101

    and I have a firewall rule for DNS:

    10.99.0.0/16 ---- DNS (udp/53) ----> Any

    Everything is working fine: Internet, nslookup on the clients (DNS1 10.99.150.100, DNS2 10.99.150.101) and on the UTM is working, and it doesn't create a new entry when performing nslookup.

    Grey live log entry

    09:19:52 UDP 10.99.150.1:50072 --> 10.99.150.100:53 len=45 ttl=64 tos=0x00 

    I've activated logging for the DNS firewall rule

    11:46:29 UDP 10.99.150.100:56904 --> 212.23.3.100:53 len=129 ttl=127 tos=0x00 srcmac=xx:xx:xx:xx:xx:xx dstmac=00:1a:8c:51:7c:b5

    The source and destination MAC are missing in the grey entry, but I don't know why.

    Which event triggers a grey entry in the live log? (Red = drop, green = allow, grey = ?)

     

    Thanks

  • Update

    It looks like our Primary DNS is configured incorrectly. When I remove the Primary DNS Server then the message doesn't appear.

    Thanks Sachin for your help

  • Hi Mike,

    You're welcome. Keep posting.

    Cheers

    Sachin Gurung
    Team Lead | Sophos Technical Support