Firewall Wizards mailing list archives
Re: Win 2003 and PIXen
From: Dario Calia <dcalia () cisco com>
Date: Mon, 12 May 2003 20:31:39 -0700
Hello Tony and others,

You will need to open a case with the Cisco Technical Assistance Center and request the latest PIX OS v6.3 build. Builds starting with PIX 6.3(1)100 have included support for EDNS0. The DNS Guard/fixup has been made configurable and you have the option of still specifying bounds checking. That is, a new CLI has been introduced as follows:

    fixup protocol dns maximum-length <length>

Depending on your specific needs you can simply disable the DNS Guard feature using

    no fixup protocol dns

or enable it without any total payload bounds checking

    fixup protocol dns

or enable it with total payload length checking

    fixup protocol dns maximum-length <length>

The enhancement DDTS of interest is CSCea25589 (EDNS0 Support on PIX). The DDTS release note currently provides the documentation. The online docs will be updated to address the new support closer to the next maintenance release cycle.

Thanks,
Dario

At 04:37 PM 5/10/2003 -0600, Tony Rall wrote:
> On Saturday, 2003-05-10 at 08:08 AST, Brian Ford <brford () cisco com> wrote:
> > This should not be an issue with PIX OS v6.3. This is why we added the capability to disable or modify the DNS Guard feature in PIX OS v6.3.
> >
> > We recently noted more implementations of BIND using DNSSec features (i.e. allowing the DNS extended attribute bit to be set and accepting responses larger than 512 bytes).
> >
> > DNS Guard in the PIX makes sure that for every DNS request that traverses the Firewall only one response is allowed in return. We also check to make sure that the response is less than a (now variable) size. That response used to be limited to 512 bytes.
> >
> > In PIX OS v6.3 you can disable the DNS Guard or modify the size of allowed DNS response (up to the 1500 byte Ethernet packet size).
>
> Sounds great, but I don't see any mention of that in the 6.3 Release Notes, nor in any Cmd Ref or Guide. Would you point us to documentation of this?
>
> http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/config/fixup.pdf seems to be saying that dns fixup is still not configurable.
>
> Tony Rall
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards () honor icsalabs com
> http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
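As an added illustration (not part of the thread, and not Cisco's code), the following Python models the three DNS Guard modes Dario lists: disabled, enabled without a payload bound, and enabled with a maximum-length bound. It parses a constructed DNS response, reports whether an EDNS0 OPT pseudo-RR is present together with its advertised UDP payload size, and applies the configured total-length check the way the thread describes it. The packet builder, the example.com reply and every sample value in it are constructed for this example.

```python
import struct

OPT_TYPE = 41            # EDNS0 OPT pseudo-RR type (RFC 2671)
CLASSIC_UDP_LIMIT = 512  # the pre-EDNS0 bound DNS Guard used to enforce

def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length

def inspect_dns(msg, guard_enabled=True, maximum_length=None):
    """Model the three DNS Guard modes from the thread.
    guard_enabled=False      -> 'no fixup protocol dns'
    maximum_length=None      -> 'fixup protocol dns' (no payload bound)
    maximum_length=<length>  -> 'fixup protocol dns maximum-length <length>'
    Returns (allowed, edns0_present, advertised_udp_size)."""
    qd, an, ns, ar = struct.unpack_from("!HHHH", msg, 4)
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4          # skip QTYPE and QCLASS
    edns0, udp_size = False, CLASSIC_UDP_LIMIT
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        if rtype == OPT_TYPE:                   # OPT's CLASS field carries the UDP size
            edns0, udp_size = True, rclass
        off += 10 + rdlen
    if not guard_enabled or maximum_length is None:
        return True, edns0, udp_size
    return len(msg) <= maximum_length, edns0, udp_size

def build_response(edns0=True, txt_chunks=0):
    """Constructed sample reply for example.com: one A answer, optional TXT
    padding (256-byte chunks) to push the reply past 512 bytes, optional OPT RR (4096)."""
    hdr = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1 + (1 if txt_chunks else 0), 0, 1 if edns0 else 0)
    question = b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    msg = hdr + question + answer
    if txt_chunks:
        rdata = (bytes([255]) + b"x" * 255) * txt_chunks
        msg += b"\xc0\x0c" + struct.pack("!HHIH", 16, 1, 300, len(rdata)) + rdata
    if edns0:
        msg += b"\x00" + struct.pack("!HHIH", OPT_TYPE, 4096, 0, 0)
    return msg
```

A 580-byte EDNS0 reply passes with `maximum-length 1500` or with the guard disabled, but is dropped under the old 512-byte bound, which is the behaviour the original poster was running into.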