Why is Cisco ASA Firewall blocking DNScyrpt functionality from the Umbrella Virtual Appliance?

Issue

The Cisco ASA Firewall may block the DNScrypt functionality offered by the Umbrella Virtual Appliance.  This results in the following Umbrella Dashboard warning:

These error messages can also be seen in the ASA firewall logs:

Dropped UDP DNS request from inside:192.168.1.1/53904 to outside-fiber:208.67.220.220/53; label length 71 bytes exceeds protocol limit of 63 bytes

DNSCrypt encryption is designed to protect the contents of your DNS queries and as such will also stop firewalls from performing packet inspection.

Cause

These errors should not cause any user facing impact with DNS resolution. 

The Virtual Appliance sends test queries to determine the availability of DNScrypt and it's those test queries that are blocked. However, these error messages do indicate that the Virtual Appliance is not adding additional security by encrypting your company's DNS traffic.

Resolution

We recommend disabling DNS packet inspection for traffic between the Virtual Appliance and Umbrella's DNS resolvers. Although this disables the logging and protocol inspection on the ASA, it enhances security by allowing DNS encryption.

 

Please note that the below commands are provided for guidance only and it is recommended that a Cisco expert be consulted prior to making any changes to a production environment.

Please also be aware the following defect on ASA might affect DNS over TCP, which can also cause problems with DNSCrypt: 
CSCsm90809 DNS inspection support for DNS over TCP

 

Packet Inspection Exceptions – IOS Commands

1. Create a new ACL called 'dns_inspect' with rules to deny traffic to 208.67.222.222 and 208.67.220.220. 

   access-list dns_inspect extended deny udp host <Appliance IP> host 208.67.220.220 eq domain
   access-list dns_inspect extended deny tcp host <Appliance IP> host 208.67.220.220 eq domain
   access-list dns_inspect extended deny udp host <Appliance IP> host 208.67.222.222 eq domain
   access-list dns_inspect extended deny tcp host <Appliance IP> host 208.67.222.222 eq domain
   access-list dns_inspect extended permit udp any any eq domain
   access-list dns_inspect extended permit tcp any any eq domain
   
   
   For VA 2.2.0, please also add our 3rd and 4th resolver IPs which are also enabled for encryption. This will not be needed for 2.2.1+
   access-list dns_inspect extended deny udp host <Appliance IP> host 208.67.220.222 eq domain
   access-list dns_inspect extended deny tcp host <Appliance IP> host 208.67.220.222 eq domain
   access-list dns_inspect extended deny udp host <Appliance IP> host 208.67.222.220 eq domain
   access-list dns_inspect extended deny tcp host <Appliance IP> host 208.67.222.220 eq domain

2. Remove the current DNS inspection policy on the ASA.  For example:

   ciscoasa(config)# policy-map global_policy
   ciscoasa(config-pmap)#  class inspection_default
   ciscoasa(config-pmap-c)# no inspect dns

3. Create a class-map matching the ACL created in Step #1:

   class-map dns_inspect_cmap 
    match access-list dns_inspect

4.  Configure a policy-map under the global_policy. This should match the class-map created in Step #3. Enable DNS inspection.

   policy-map global_policy 
    class dns_inspect_cmap
     inspect dns

5. Once enabled you can verify that traffic is hitting the exclusions by running:

   sh access-list dns_inspect

Packet Inspection Exceptions – ASDM Interface

1. First disable any DNS packet inspection if applicable. This is done in "Configuration > Firewall > Service Policy Rules":
   
   
   
2. In the example above the DNS inspection is enabled under the Global Policy and 'inspection_default' class. Highlight it and click on "Edit". On the new window uncheck the box for 'DNS' under the "Rule Action" tab:
   
   
   
   
3. Now you can re-configure the DNS inspection, this time with additional traffic exemptions. Click on "Add > Add Service Policy Rule...":
   
   
   
4. Select "Global - Applies to all interfaces" and click on "Next"  (you can also apply this to a specific Interface if you wish):
   
   
5. Give a name to the class-map (for example 'dns-cmap') and check the option "Source and Destination IP Address (uses ACL)". Click "Next":
6. Start by configuring the traffic that you don't want to be inspected by using the "Do not match" action.
   For Source, you can use the option 'any' to exempt all traffic destined to Umbrella's DNS servers. Alternatively, you can create a Network Object definition here to only exempt the specific Virtual Appliance IP address.
   
7. Click '...' on the Destination field. On next window, click on "Add > Network Object" and create an object with the IP Address of '208.67.222.222'. Repeat this step to create an object with IP Address of '208.67.220.220'.
   
   
   
   
8. Add both Umbrella network objects to the Destination field and click OK:
   
   
9. On the next window check the box for 'DNS' and click on "Finish":
   
   
10. The ASA will now show the new Global-Policy for 'dns-cmap' as below. Now you need to configure the remaining traffic that will be inspected by the ASA. This is done by right clicking on 'dns-cmap' and selecting the option "Insert After..." which will create a new rule.
    
    
11. On first window click on "Next" and on then check the "Add rule to existing traffic class:" radio button.  Select 'dns-cmap' from the drop-down and then click Next:
    
    
12. Leave the Action as 'Match'. Choose the Source, Destination and Service of traffic that will be subject to DNS inspection. Here, for example, we are matching traffic from any client going to any TCP or UDP DNS Server. Click Next:
13. Leave the 'DNS' option checked and click on "Finish".
14. Click on "Apply" at the bottom of the window:
    
    
    

Further Information

If you would prefer to disable DNScrypt rather than configuring ASA exemptions, please contact Umbrella support.