Firewall Wizards mailing list archives

Re: Win 2003 and PIXen


From: Dario Calia <dcalia () cisco com>
Date: Mon, 12 May 2003 20:31:39 -0700

Hello Tony and others,

You will need to open a case with the Cisco Technical Assistance Center and
request the latest PIX OS v6.3 build.  Builds starting with PIX 6.3(1)100 have included
support for EDNS0.  The DNS Guard/fixup has been made configurable and you
have the option of still specifying bounds checking.  That is, a new CLI has
been introduced as follows

  fixup protocol dns maximum-length <length>


Depending on your specific needs you can simply disable the DNS Guard feature
using

  no fixup protocol dns


or enable it w/out any total payload bounds checking 

  fixup protocol dns


or enable it w/ total payload length checking

  fixup protocol dns maximum-length <length>


The enhancement DDTS of interest is CSCea25589 (EDNS0 Support on PIX).
The DDTS release note currently provides the documentation.  The online docs
will be updated to address the new support closer to the next maintenance
release cycle.

Thanks, Dario

At 04:37 PM 5/10/2003 -0600, Tony Rall wrote:
On Saturday, 2003-05-10 at 08:08 AST, Brian Ford <brford () cisco com> wrote:
This should not be an issue with PIX OS v6.3.  This is why we added the
capability to disable or modify the DNS Guard feature in PIX OS v6.3.

We recently noted more implementations of BIND using DNSSec features (i.e.
allowing the DNS extended attribute bit to be set and accepting responses
larger than 512 bytes).

DNS Guard in the PIX makes sure that for every DNS request that traverses
the Firewall only one response is allowed in return.  We also check to make
sure that the response is less than a (now variable) size.  That response
used to be limited to 512 bytes.

In PIX OS v6.3 you can disable the DNS Guard or modify the size of allowed
DNS response (up to the 1500 byte Ethernet packet size).

Sounds great, but I don't see any mention of that in the 6.3 Release 
Notes, nor in any Cmd Ref or Guide.  Would you point us to documentation 
of this?

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/config/fixup.pdf 
seems to be saying that dns fixup is still not configurable.

Tony Rall
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards 
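The two DNS Guard checks Brian describes above (one response per outstanding request, and a response size cap that 6.3 makes adjustable or removable with the fixup commands Dario lists) modelled as a small stateful inspector in Python. This is an added example written for this archive page, not PIX code or anything from Cisco: the client and server addresses, the transaction id, the example.com query and the 4096-byte EDNS0 UDP payload size are all constructed, and the way an oversized response leaves the pending entry in place is a modelling choice, not documented PIX behaviour.

```python
import struct
from typing import Optional

# Constructed sample endpoints (not from the thread).
CLIENT = ("10.0.0.5", 40000)
SERVER = ("192.0.2.53", 53)
A_RECORD, OPT_RECORD = 1, 41


def encode_qname(name: str) -> bytes:
    """Wire-format domain name: length-prefixed labels ending in a zero byte."""
    labels = [bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split(".")]
    return b"".join(labels) + b"\x00"


def build_query(txid: int, qname: str, edns_udp_size: Optional[int] = None) -> bytes:
    """A-record query; with edns_udp_size set, an EDNS0 OPT RR advertises that buffer size."""
    arcount = 1 if edns_udp_size is not None else 0
    msg = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)
    msg += encode_qname(qname) + struct.pack("!HH", A_RECORD, 1)
    if edns_udp_size is not None:
        # OPT RR: root name, TYPE 41, CLASS field carries the UDP payload size, TTL 0, RDLENGTH 0
        msg += b"\x00" + struct.pack("!HHIH", OPT_RECORD, edns_udp_size, 0, 0)
    return msg


def build_response(txid: int, qname: str, n_answers: int) -> bytes:
    """Response carrying n_answers A records (16 bytes each, compressed owner name)."""
    msg = struct.pack("!HHHHHH", txid, 0x8180, 1, n_answers, 0, 0)
    msg += encode_qname(qname) + struct.pack("!HH", A_RECORD, 1)
    rr = struct.pack("!HHHIH", 0xC00C, A_RECORD, 1, 60, 4) + bytes([192, 0, 2, 1])
    return msg + rr * n_answers


def skip_name(payload: bytes, off: int) -> int:
    """Advance past a wire-format name, handling compression pointers."""
    while True:
        length = payload[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def edns_udp_size(payload: bytes) -> Optional[int]:
    """UDP payload size advertised in an OPT RR, or None when the message has no EDNS0."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", payload[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(payload, off) + 4
    for _ in range(an + ns):
        off = skip_name(payload, off)
        off += 10 + struct.unpack("!H", payload[off + 8:off + 10])[0]
    for _ in range(ar):
        off = skip_name(payload, off)
        rtype, rclass, _, rdlen = struct.unpack("!HHIH", payload[off:off + 10])
        if rtype == OPT_RECORD:
            return rclass
        off += 10 + rdlen
    return None


class DnsGuard:
    """Model of the two checks: one response per outstanding query, and a
    response size cap. enabled=False stands for 'no fixup protocol dns',
    maximum_length=None for 'fixup protocol dns' with no bounds check."""

    def __init__(self, enabled: bool = True, maximum_length: Optional[int] = 512):
        self.enabled = enabled
        self.maximum_length = maximum_length
        self.pending: set = set()

    def inspect(self, src, dst, payload: bytes):
        """Return (allowed, reason) for one UDP datagram from src to dst."""
        if not self.enabled:
            return True, "dns guard disabled"
        if len(payload) < 12:
            return False, "truncated dns header"
        txid, flags = struct.unpack("!HH", payload[:4])
        if not flags & 0x8000:                      # QR bit clear: a query
            self.pending.add((src, dst, txid))
            return True, "query recorded"
        key = (dst, src, txid)                      # response travels server -> client
        if key not in self.pending:
            return False, "response without outstanding query"
        if self.maximum_length is not None and len(payload) > self.maximum_length:
            return False, f"{len(payload)} bytes exceeds maximum-length {self.maximum_length}"
        self.pending.discard(key)                   # only the first response gets through
        return True, "response allowed"


def demo() -> dict:
    q = build_query(0x1234, "example.com", edns_udp_size=4096)  # constructed, 40 bytes
    big = build_response(0x1234, "example.com", 31)             # 525 bytes: over the old 512 cap
    small = build_response(0x1234, "example.com", 30)           # 509 bytes: fits the old cap
    strict = DnsGuard()                                         # pre-6.3 behaviour, 512 bytes
    strict.inspect(CLIENT, SERVER, q)
    relaxed = DnsGuard(maximum_length=1500)                     # fixup protocol dns maximum-length 1500
    relaxed.inspect(CLIENT, SERVER, q)
    return {
        "advertised": edns_udp_size(q),
        "big_len": len(big),
        "strict_big": strict.inspect(SERVER, CLIENT, big)[0],
        "strict_small": strict.inspect(SERVER, CLIENT, small)[0],
        "strict_dup": strict.inspect(SERVER, CLIENT, small)[0],
        "relaxed_big": relaxed.inspect(SERVER, CLIENT, big)[0],
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The client advertises a 4096-byte buffer in its OPT record, so a resolver may legitimately answer with more than 512 bytes over UDP; the strict guard drops that 525-byte answer while letting a 509-byte one through exactly once, and the relaxed guard (the 6.3 maximum-length setting) accepts it. Raising the cap keeps the one-response-per-query check, which is the part of DNS Guard that addresses spoofed extra answers, while disabling the fixup entirely gives up both.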
