
[Solved] Dropping packet: DNS packet of insuffient length: 25

Hi everyone

I've got an internal DNS server.  

LAN Network 10.99.150.0/24
UTM
LAN IP 10.99.150.1
DNS Server 1 10.99.150.100

Everything is working fine, but nearly every 5 seconds I've got a new log entry like this:

2016:11:03-09:19:52 vm ulogd[12400]:
id="2000" severity="info" sys="SecureNet" sub="packetfilter" name="Packet logged" action="log" fwrule="0"
srcip="10.99.150.1" dstip="10.99.150.100" proto="17"
length="45" tos="0x00" prec="0x00" ttl="64"
srcport="16987" dstport="53"
info="nf_ct_dns: dropping packet: DNS packet of insuffient length: 25

and in the live log a white/grey entry:

09:19:52 UDP 10.99.150.1:50072 --> 10.99.150.100:53 len=45 ttl=64 tos=0x00

Has someone ever seen that before? What am I missing?
Thank you for any responses.

Update

It looks like our Primary DNS is configured incorrectly. When I remove the Primary DNS Server, the message doesn't appear.
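Added example, not part of the original post and not Sophos code: a small parser for entries like the one quoted above that groups `nf_ct_dns` drops by flow and reports how often they recur and how the sizes relate. It assumes one log entry per line and an IPv4 header without options (20 bytes); the sample lines are constructed from the quoted entry, and `sample_line`, `parse_line` and `summarize` are names chosen for this example.

```python
import re
from collections import defaultdict
from datetime import datetime

IPV4_HEADER = 20  # assumption: IPv4 header without options
UDP_HEADER = 8
KV = re.compile(r'(\w+)="([^"]*)"')
DROP = re.compile(r'nf_ct_dns: dropping packet: .*?length: (\d+)')
MSG = "nf_ct_dns: dropping packet: DNS packet of insuffient length: 25"

def sample_line(ts, srcport, info=MSG):
    return (f'{ts} vm ulogd[12400]: id="2000" severity="info" sys="SecureNet" '
            f'sub="packetfilter" name="Packet logged" action="log" fwrule="0" '
            f'srcip="10.99.150.1" dstip="10.99.150.100" proto="17" length="45" '
            f'tos="0x00" prec="0x00" ttl="64" srcport="{srcport}" dstport="53" '
            f'info="{info}"')

SAMPLE = [  # constructed lines in the format of the entry quoted in the post
    sample_line("2016:11:03-09:19:52", 16987),
    sample_line("2016:11:03-09:19:57", 50072),
    sample_line("2016:11:03-09:20:02", 41233),
    sample_line("2016:11:03-09:20:03", 41234, "unrelated entry"),
]

def parse_line(line):
    """Return a record for an nf_ct_dns drop entry, or None for other lines."""
    m = DROP.search(line)  # raw-line search, so a truncated info="... still matches
    if not m:
        return None
    f = dict(KV.findall(line))
    udp_len = int(f["length"]) - IPV4_HEADER  # UDP header + DNS payload
    return {"time": datetime.strptime(line.split()[0], "%Y:%m:%d-%H:%M:%S"),
            "flow": (f["srcip"], f["dstip"], f["dstport"]),
            "reported": int(m.group(1)), "udp_len": udp_len,
            "dns_payload": udp_len - UDP_HEADER}

def summarize(lines):
    """Group drop entries by (src, dst, dport): count, spacing and sizes."""
    flows = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        flows[rec["flow"]].append(rec)
    report = {}
    for flow, recs in flows.items():
        times = sorted(r["time"] for r in recs)
        report[flow] = {
            "count": len(recs), "dns_payload": sorted({r["dns_payload"] for r in recs}),
            "gaps_s": [(b - a).total_seconds() for a, b in zip(times, times[1:])],
            "reported_is_udp_len": all(r["reported"] == r["udp_len"] for r in recs)}
    return report
```

For the quoted entry, the IP length of 45 minus the 20-byte header gives the 25 shown in the message, which leaves 17 bytes of DNS payload after the UDP header.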



  • Hi Sachin,

    No, the DNS forwarders on the UTM point to our internal DNS Servers 10.99.150.100 and 10.99.150.101

    and I have a firewall rule for DNS:

    10.99.0.0/16 ---- DNS (udp/53) ----> Any

    Everything is working fine: Internet, nslookup on the clients (DNS1 10.99.150.100, DNS2 10.99.150.101) and on the UTM are working, and it doesn't create a new entry when performing nslookup.

    Grey live log entry

    09:19:52 UDP 10.99.150.1:50072 --> 10.99.150.100:53 len=45 ttl=64 tos=0x00 

    I've activated logging for the DNS firewall rule

    11:46:29 UDP 10.99.150.100:56904 --> 212.23.3.100:53 len=129 ttl=127 tos=0x00 srcmac=xx:xx:xx:xx:xx:xx dstmac=00:1a:8c:51:7c:b5

    The source and destination MAC are missing in the grey entry, but I don't know why.

    Which event triggers a grey entry in the live log? (Red = drop, green = allow, grey = ?)

     

    Thanks

  • Update

    It looks like our Primary DNS is configured incorrectly. When I remove the Primary DNS Server, the message doesn't appear.

    Thanks Sachin for your help

  • Hi Mike,

    You're Welcome. Keep posting.

    Cheers

    Sachin Gurung
    Team Lead | Sophos Technical Support