Firewall Wizards mailing list archives
Re: Win 2003 and PIXen
From: Tony Rall <trall () almaden ibm com>
Date: Sat, 10 May 2003 16:37:12 -0600
On Saturday, 2003-05-10 at 08:08 AST, Brian Ford <brford () cisco com> wrote:
This should not be an issue with PIX OS v6.3. This is why we added the capability to disable or modify the DNS Guard feature in PIX OS v6.3. We recently noted more implementations of BIND using DNSSec features (i.e. allowing the DNS extended attribute bit to be set and accepting responses larger than 512 bytes).

DNS Guard in the PIX makes sure that for every DNS request that traverses the Firewall only one response is allowed in return. We also check to make sure that the response is less than a (now variable) size. That response used to be limited to 512 bytes. In PIX OS v6.3 you can disable the DNS Guard or modify the size of allowed DNS response (up to the 1500 byte Ethernet packet size).
Sounds great, but I don't see any mention of that in the 6.3 Release Notes, nor in any Cmd Ref or Guide. Would you point us to documentation of this? http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/config/fixup.pdf seems to be saying that dns fixup is still not configurable.

Tony Rall

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
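The two checks Brian describes (one reply admitted per outstanding query, and a maximum reply size that was fixed at 512 bytes and becomes configurable up to 1500) are easy to model, and doing so shows exactly why an EDNS-capable resolver behind the old limit loses answers. The following is an added example written for this archive page; it is not Cisco's DNS Guard code. It builds a constructed EDNS query and an oversized constructed reply with hand-packed wire format, then runs them through a simplified guard that keys state on the DNS transaction ID only (an assumption for brevity; a real inspection engine also matches addresses and ports).

```python
import struct
from typing import Optional, Set, Tuple

A_TYPE, IN_CLASS, OPT_TYPE = 1, 1, 41


def encode_name(name: str) -> bytes:
    """Dotted hostname -> DNS wire format (length-prefixed labels, root terminator)."""
    labels = b"".join(bytes([len(lb)]) + lb.encode("ascii")
                      for lb in name.strip(".").split("."))
    return labels + b"\x00"


def txid(pkt: bytes) -> int:
    """First two bytes of any DNS message are the transaction ID."""
    return struct.unpack("!H", pkt[:2])[0]


def build_query(tid: int, name: str, edns_udp_size: Optional[int] = None) -> bytes:
    """A/IN query with RD set. If edns_udp_size is given, append an OPT pseudo-RR
    (RFC 6891) announcing that the client accepts UDP replies above 512 bytes."""
    arcount = 1 if edns_udp_size else 0
    msg = struct.pack("!HHHHHH", tid, 0x0100, 1, 0, 0, arcount)
    msg += encode_name(name) + struct.pack("!HH", A_TYPE, IN_CLASS)
    if edns_udp_size:
        # OPT RR: root name, TYPE=41, CLASS field carries the UDP payload size,
        # TTL field carries extended RCODE/version/flags (0 here), RDLEN=0.
        msg += b"\x00" + struct.pack("!HHIH", OPT_TYPE, edns_udp_size, 0, 0)
    return msg


def build_response(tid: int, name: str, n_records: int) -> bytes:
    """Constructed reply with n_records A records; size grows 16 bytes per record."""
    msg = struct.pack("!HHHHHH", tid, 0x8180, 1, n_records, 0, 0)  # QR, RD, RA set
    msg += encode_name(name) + struct.pack("!HH", A_TYPE, IN_CLASS)
    for i in range(n_records):
        # Name is a compression pointer to offset 12 (the question name).
        msg += b"\xc0\x0c" + struct.pack("!HHIH", A_TYPE, IN_CLASS, 300, 4)
        msg += bytes([192, 0, 2, i % 256])  # constructed TEST-NET-1 addresses
    return msg


class DnsGuard:
    """Simplified model of the behaviour described in the thread: remember outbound
    queries, admit exactly one reply per query, drop replies over max_response.
    Assumption: state is keyed on transaction ID only."""

    def __init__(self, max_response: int = 512, enabled: bool = True):
        self.max_response = max_response
        self.enabled = enabled
        self.pending: Set[int] = set()

    def outbound(self, pkt: bytes) -> None:
        self.pending.add(txid(pkt))

    def inbound(self, pkt: bytes) -> Tuple[bool, str]:
        tid = txid(pkt)
        if not self.enabled:
            return True, "dns guard disabled"
        if tid not in self.pending:
            return False, "no outstanding query for txid 0x%04x (duplicate or unsolicited)" % tid
        if len(pkt) > self.max_response:
            return False, "reply of %d bytes exceeds %d-byte limit" % (len(pkt), self.max_response)
        self.pending.discard(tid)  # the one permitted reply consumed the request
        return True, "ok"


def demo(max_response: int):
    """Send one EDNS query, then deliver the same 669-byte reply twice.
    Returns (reply_size, verdict_for_first_copy, verdict_for_second_copy)."""
    guard = DnsGuard(max_response=max_response)
    query = build_query(0x1234, "example.com", edns_udp_size=4096)
    guard.outbound(query)
    reply = build_response(0x1234, "example.com", n_records=40)
    first = guard.inbound(reply)
    second = guard.inbound(reply)
    return len(reply), first, second


if __name__ == "__main__":
    for limit in (512, 1500):
        size, first, second = demo(limit)
        print("limit=%d reply=%d bytes: first=%s second=%s" % (limit, size, first, second))
```

With the legacy 512-byte limit the 669-byte reply is dropped even though the client advertised a 4096-byte EDNS buffer, which is the symptom being discussed; raising the limit to 1500 admits the first copy and the one-reply-per-query rule still rejects the second.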
Current thread:
- Re: Win 2003 and PIXen Brian Ford (May 10)
- Re: Win 2003 and PIXen Tony Rall (May 11)
- <Possible follow-ups>
- Re: Win 2003 and PIXen Dario Calia (May 13)