Symptom
Starting with release 9.10, the ASA DNS inspection engine receives non-DNS traffic whenever the engine is called under the class map "class-default".
For instance:
policy-map global_policy
 class class-default
  inspect dns
Prior to release 9.10, only DNS traffic on UDP/53 was redirected to this engine.
Upon receiving non-DNS traffic, the DNS inspection engine drops it with either the "inspect-dns-invalid-domain-label" or the "inspect-dns-invalid-pak" drop reason.
Conditions
> ASA running code 9.10 or higher
> ASA configured with "inspect dns" under "class class-default" in the policy-map "global_policy".
Workaround
Refrain from using "class class-default" in combination with "inspect dns"; instead use "class inspection_default", or any custom class that sends only DNS-related traffic to the inspection engine in question.
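A constructed before/after configuration illustrating the workaround (added here, not part of the original bug record). The custom class name "dns-only" is an assumption; it matches only UDP/53, so the DNS engine no longer sees non-DNS flows.

```text
! Before (affected): every flow that falls into class-default reaches the DNS engine
policy-map global_policy
 class class-default
  inspect dns
!
! After (workaround), step 1: stop sending class-default traffic to the DNS engine
policy-map global_policy
 class class-default
  no inspect dns
!
! After (workaround), step 2: a custom class (name "dns-only" is assumed) that
! matches only DNS on UDP/53, then attach inspect dns to that class only
class-map dns-only
 match port udp eq domain
!
policy-map global_policy
 class dns-only
  inspect dns
```

After the change, "show service-policy inspect dns" confirms which class the DNS engine is attached to, and the "inspect-dns-invalid-domain-label" / "inspect-dns-invalid-pak" counters in "show asp drop" should stop increasing for non-DNS traffic.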