Firewall Wizards mailing list archives

RE: PIX 6.33 & DNS fixup


From: "Marty Gerhards" <gerhards () cisco com>
Date: Fri, 3 Oct 2003 08:23:42 -0500

Willie, 

The DNS connection accumulation problem has been identified and fixed.
Please consult the Cisco TAC to obtain the 6.3.3.104 image.

Thanks,

Marty

-----Original Message-----
From: firewall-wizards-admin () honor icsalabs com 
[mailto:firewall-wizards-admin () honor icsalabs com] On Behalf 
Of Brian Ford
Sent: Tuesday, September 30, 2003 10:26 PM
To: Strydom, Willie
Cc: firewall-wizards () honor icsalabs com
Subject: Re: [fw-wiz] PIX 6.33 & DNS fixup


Willie,

The PIX command you mentioned (DNS fixup) has been around for some time.
What it does is make sure that only one DNS response per DNS request is
able to get back through the Firewall. In the past we referred to this as
"DNS Guard" and it was always on. In v6.3 we give you the capability of
disabling this function by issuing the "no fixup dns" command.

The "maximum length" argument is important if your PIX is protecting client
computers that are capable of generating EDNS0 requests. If your client can
use EDNS0 or extended DNS it can set the extended bit in the DNS request and
specify that DNS responses can be longer than 512 bytes. If you have EDNS0
clients, or if you have a caching name server that is using EDNS0, then you
would adjust the 512 to the packet size that your DNS is using (possibly as
high as 1400).

Hope this helps.

Liberty for All,

Brian

At 12:03 PM 9/30/2003 -0400, firewall-wizards-request () honor icsalabs com wrote:
From: "Strydom, Willie" <WStrydom () fnb co za>
To: firewall-wizards () honor icsalabs com
Date: Mon, 29 Sep 2003 15:14:05 +0200
Subject: [fw-wiz] PIX 6.33 & DNS fixup

Hi All,

I see the PIX 6.33 has a DNS fixup, my conn count has gone through the
roof! Mostly DNS traffic... Wonder if there is a connection...

I'm thinking that the "fixup protocol dns maximum-length 512" maybe leaves
the conn open for longer, so naturally there will be more conns.

Can anyone agree/disagree/explain?
Willie Strydom

Network Engineer (Security)
CCNA, CCSP, INFOSEC Professional
(Cisco Number csco10315544)
First National Bank
+27 11 889 5543

"Sure, I love children,
but I could never eat a whole one."

_______________________________________________
firewall-wizards mailing list firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards


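The behaviour Brian describes above (one DNS response allowed back per request, responses longer than "maximum-length" dropped, and the EDNS0 advertised size that tells you what to raise the limit to) as an added, runnable model. This is example code written for this archive page, not Cisco code and not a statement about how the PIX implements DNS Guard internally; the DnsGuard class, its per-query "conn slot" bookkeeping, the client address 10.0.0.5 and the packets it builds are constructed for illustration.

```python
import struct

DNS_TYPE_A = 1
DNS_TYPE_OPT = 41      # EDNS0 OPT pseudo-RR (RFC 2671)
DNS_CLASS_IN = 1


def encode_name(name):
    """Encode a dotted hostname as uncompressed DNS labels."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"


def build_query(txid, name, edns_payload_size=None):
    """Build an A query; an EDNS0 client appends an OPT record advertising its UDP payload size."""
    arcount = 1 if edns_payload_size else 0
    pkt = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)
    pkt += encode_name(name) + struct.pack("!HH", DNS_TYPE_A, DNS_CLASS_IN)
    if edns_payload_size:
        # OPT: root name, TYPE=41, CLASS field carries the payload size, TTL=0, RDLEN=0
        pkt += b"\x00" + struct.pack("!HHIH", DNS_TYPE_OPT, edns_payload_size, 0, 0)
    return pkt


def build_response(txid, name, addresses):
    """Build a response with one A record per address (uncompressed names, so it grows fast)."""
    pkt = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addresses), 0, 0)
    pkt += encode_name(name) + struct.pack("!HH", DNS_TYPE_A, DNS_CLASS_IN)
    for addr in addresses:
        pkt += encode_name(name) + struct.pack("!HHIH", DNS_TYPE_A, DNS_CLASS_IN, 300, 4)
        pkt += bytes(int(octet) for octet in addr.split("."))
    return pkt


def skip_name(pkt, off):
    """Advance past a (possibly compressed) name and return the next offset."""
    while True:
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length


def edns0_payload_size(pkt):
    """UDP payload size a client advertises in its OPT record, or None if it is not EDNS0."""
    qdcount, ancount, nscount, arcount = struct.unpack("!HHHH", pkt[4:12])
    off = 12
    for _ in range(qdcount):
        off = skip_name(pkt, off) + 4          # QTYPE + QCLASS
    for _ in range(ancount + nscount + arcount):
        off = skip_name(pkt, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        if rtype == DNS_TYPE_OPT:
            return rclass
        off += 10 + rdlen
    return None


class DnsGuard:
    """Model (an assumption, not PIX code) of 'fixup protocol dns maximum-length N'."""

    def __init__(self, maximum_length=512):
        self.maximum_length = maximum_length
        self.pending = {}      # (client, txid) -> True: one open conn slot per outstanding query

    def outbound_query(self, client, pkt):
        txid = struct.unpack("!H", pkt[:2])[0]
        self.pending[(client, txid)] = True

    def inbound_response(self, client, pkt):
        txid = struct.unpack("!H", pkt[:2])[0]
        if len(pkt) > self.maximum_length:
            return "drop: %d bytes exceeds maximum-length %d" % (len(pkt), self.maximum_length)
        if (client, txid) not in self.pending:
            return "drop: no outstanding query with id 0x%04x" % txid
        del self.pending[(client, txid)]       # first answer closes the slot; later ones are dropped
        return "pass"

    def open_connections(self):
        return len(self.pending)


def simulate():
    """Walk the scenarios from the thread and return what the guard decided for each."""
    results = {}
    client, name = "10.0.0.5", "www.example.com"      # constructed sample values
    guard = DnsGuard()                                  # the 512-byte default
    guard.outbound_query(client, build_query(0x1234, name))
    results["first_answer"] = guard.inbound_response(client, build_response(0x1234, name, ["192.0.2.1"]))
    results["second_answer"] = guard.inbound_response(client, build_response(0x1234, name, ["198.51.100.9"]))
    # EDNS0 client advertises 1400 bytes and gets a 30-record (963-byte) answer
    q2 = build_query(0x1235, name, edns_payload_size=1400)
    big = build_response(0x1235, name, ["192.0.2.%d" % i for i in range(1, 31)])
    results["advertised"] = edns0_payload_size(q2)
    results["big_len"] = len(big)
    guard.outbound_query(client, q2)
    results["big_default"] = guard.inbound_response(client, big)      # dropped at 512
    tuned = DnsGuard(maximum_length=results["advertised"])            # limit raised to 1400
    tuned.outbound_query(client, q2)
    results["big_tuned"] = tuned.inbound_response(client, big)
    results["left_open"] = guard.open_connections()   # the dropped answer never closed its slot
    return results


if __name__ == "__main__":
    for key, value in simulate().items():
        print("%-14s %s" % (key, value))
```

In the model, a response that is dropped for exceeding maximum-length leaves its query's slot open, which is the kind of interaction a conn-count spike would make you look for; whether the real PIX tears that slot down on a timer is not something this thread states.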


Current thread: