Firewall Wizards mailing list archives
Re: Win 2003 and PiX
From: Luca Berra <bluca () comedia it>
Date: Sat, 10 May 2003 11:14:03 +0200
On Fri, May 09, 2003 at 12:47:56PM -0400, Iannaccone, Al wrote:
> After much investigation as to why it "suddenly" stopped working, we determined that Win 2003 requests everything but the kitchen cupboard in its DNS requests, apparently using RFC 2671 to specify the ability to accept >512 byte UDP replies.
seems that pix does not grok EDNS and I do not think you can remove this.

from: http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_command_reference_chapter09186a00801727aa.html

  "By design, the PIX Firewall drops DNS packets sent to UDP port 53 (usually used for DNS) that have a packet size larger than 512 bytes."

solution is to disable EDNS on win2k3 or to bug cisco for a fix. see attached response from a MS guy.

RANT1: when will firewall vendors stop hardcoding arbitrary constraints in their products?

<referring to the free firewall thread> with an open source firewall (not necessarily free) these problems don't happen, and if they should, they can be fixed with vi. !!!!!!!!!!!!!!!

rgrds,
L.

--
Luca Berra -- bluca () comedia it
Communication Media & Services S.r.l.
--- Begin Message ---
From: Jeff Westhead <jwesth () WINDOWS MICROSOFT COM>
Date: Thu, 8 May 2003 11:29:05 -0700

Your W2K3 DNS server and the remote DNS server have agreed to exchange UDP packets > 512 bytes, but obviously your router is not capable of handling this. You can disable EDNS-0 in your W2K3 DNS server by running this command:

  dnscmd /Config /EnableEDnsProbes 0

Once you run this your W2K3 DNS server will never advertise its EDNS capabilities and so will never receive a UDP packet > 512 bytes. dnscmd.exe can be found in the Support Tools.

You can find more information on our support of EDNS here:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/proddocs/standard/sag_DNS_imp_EDNSsupport.asp
and here:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/proddocs/standard/sag_DNS_pro_ModifyEDNS.asp?frame=true

---------- Forwarded message ----------
Date: Thu, 8 May 2003 08:59:01 -0500
From: "Loucks, Jason" <loucks () COMMPROD COM>
Reply-To: Windows NTBugtraq Mailing List
--- End Message ---
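An added illustration for the mechanism discussed in this thread, not code from any of the posters: a small Python DNS wire-format helper that tells whether a query carries an RFC 2671 OPT record (and the UDP payload size it advertises), and applies the PIX's quoted 512-byte rule to a constructed reply. The query name, transaction id and 192.0.2.x addresses are my own sample values.

```python
import struct

def _encode_name(name):
    # Wire-format name: length-prefixed labels, terminated by a zero byte.
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def _skip_name(pkt, off):
    # Offset just past a name; a 0xC0 label is an RFC 1035 compression pointer.
    while pkt[off] and pkt[off] & 0xC0 != 0xC0:
        off += pkt[off] + 1
    return off + (2 if pkt[off] else 1)

def build_query(name, qtype=1, edns_udp_size=None, txid=0x1234):
    """Build a query; with edns_udp_size, append an RFC 2671 OPT RR advertising it."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if edns_udp_size else 0)
    pkt = header + _encode_name(name) + struct.pack("!HH", qtype, 1)
    if edns_udp_size:
        # OPT RR: root name, TYPE 41, CLASS carries the UDP size, TTL 0, RDLENGTH 0
        pkt += b"\x00" + struct.pack("!HHIH", 41, edns_udp_size, 0, 0)
    return pkt

def advertised_udp_size(pkt):
    """Return the UDP payload size an OPT RR advertises, or None without EDNS0."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(pkt, off) + 4          # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(pkt, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        if rtype == 41:
            return rclass
        off += 10 + rdlen
    return None

def build_response(query, addresses):
    """Constructed A-record reply to a query, one RR per address, for sizing only."""
    qd_end = _skip_name(query, 12) + 4
    header = query[:2] + struct.pack("!HHHHH", 0x8180, 1, len(addresses), 0, 0)
    rrs = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)
                   + bytes(int(o) for o in a.split(".")) for a in addresses)
    return header + query[12:qd_end] + rrs

def pix_would_drop(pkt, limit=512):
    """The PIX rule quoted in the thread: UDP/53 packets over 512 bytes are dropped."""
    return len(pkt) > limit
```

With EDNS probes disabled as the Microsoft reply describes, the query carries no OPT record and the remote server falls back to the classic 512-byte limit (truncating and retrying over TCP), which is what keeps it under the PIX threshold.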