Firewall Wizards mailing list archives

Re: Win 2003 and PIXen


From: Brian Ford <brford () cisco com>
Date: Sat, 10 May 2003 08:08:47 -0400

Al,

This should not be an issue with PIX OS v6.3. This is why we added the capability to disable or modify the DNS Guard feature in PIX OS v6.3.

We recently noted more implementations of BIND using DNSSec features (i.e. allowing the DNS extended attribute bit to be set and accepting responses larger than 512 bytes).

DNS Guard in the PIX makes sure that for every DNS request that traverses the Firewall only one response is allowed in return. We also check to make sure that the response is less than a (now variable) size. That response used to be limited to 512 bytes.

In PIX OS v6.3 you can disable the DNS Guard or modify the size of allowed DNS response (up to the 1500 byte Ethernet packet size).

Liberty for All,

Brian

At 09:21 PM 5/9/2003 -0400, "Iannaccone, Al" wrote:
From: "Iannaccone, Al" <Al.Iannaccone () occ treas gov>
To: firewall-wizards () honor icsalabs com
Date: Fri, 9 May 2003 12:47:56 -0400
Subject: [fw-wiz] Win 2003 and PiX

Hello;

This is something I found on Bugtraq... has anyone else seen this? Thanks.
This is another sysadmin discussing...

----====SNIP====----

We recently upgraded our DNS servers to Win 2003.  After this time, it
became apparent that we are unable to send email to some domains which
had been working fine before.

After much investigation as to why it "suddenly" stopped working, we
determined that Win 2003 requests everything but the kitchen cupboard in
its DNS requests, apparently using RFC 2671 to specify the ability to
accept >512 byte UDP replies.

We are running the latest version (6.3.1) on our Cisco PIX and it
appears that there is a hard limit of 512 bytes on ANY UDP packets
arriving on port 53.  Everything exceeding that is dropped.

Has anyone else seen this problem?

----====SNIP====----


Disclaimer: Don't take anything here as advice.

Al


Brian Ford
Consulting Engineer
Corporate Consulting Engineering, Office of the Chief Technology Officer
Cisco Systems, Inc.
http://www.cisco.com
e-mail: brford () cisco com
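To make the size-limit behaviour discussed above concrete, here is an added example (not from the thread, and not Cisco code) that builds constructed DNS messages with and without an EDNS0 OPT record (RFC 2671), reads back the UDP payload size the OPT record advertises, and applies a DNS Guard-style reply ceiling of 512 or 1500 bytes. The message layout follows RFC 1035/2671; the transaction id, 192.0.2.x addresses and record counts are constructed sample values.

```python
import struct

OPT_TYPE = 41  # EDNS0 OPT pseudo-RR; its CLASS field carries the sender's UDP payload size

def encode_name(qname: str) -> bytes:
    """Wire-encode a domain name as length-prefixed labels ending in a zero byte."""
    return b"".join(bytes([len(l)]) + l.encode() for l in qname.rstrip(".").split(".")) + b"\x00"

def build_message(qname: str, n_addresses: int = 0, udp_payload: int = 0) -> bytes:
    """Constructed DNS message: a query when n_addresses is 0, else a reply with that many
    A records (constructed 192.0.2.x). A non-zero udp_payload appends an EDNS0 OPT RR."""
    flags = 0x8180 if n_addresses else 0x0100  # QR+RD+RA for a reply, RD only for a query
    msg = struct.pack("!HHHHHH", 0x1234, flags, 1, n_addresses, 0, 1 if udp_payload else 0)
    msg += encode_name(qname) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    for i in range(n_addresses):
        # owner name is a compression pointer to the question name at offset 12
        msg += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, i % 256])
    if udp_payload:
        # OPT RR: root owner name, TYPE=41, CLASS=payload size, TTL=ext-rcode/version/flags, RDLEN=0
        msg += b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_payload, 0, 0)
    return msg

def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past the name at msg[off:], handling compression pointers."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # a two-byte pointer terminates the name
            return off + 2
        off += 1 + length
        if length == 0:
            return off

def advertised_udp_size(msg: bytes) -> int:
    """UDP payload size advertised by the message's OPT RR, or 512 (RFC 1035 default) if none."""
    qdcount, ancount, nscount, arcount = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    for _ in range(ancount + nscount + arcount):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == OPT_TYPE:
            return rclass
        off += 10 + rdlen
    return 512

def dns_guard_verdict(reply: bytes, max_reply: int = 512) -> str:
    """'drop' if the reply exceeds the DNS Guard ceiling (512 by default, raisable to 1500 in 6.3)."""
    return "drop" if len(reply) > max_reply else "pass"
```

A 40-record reply with an OPT record comes to 680 bytes here: dropped under the 512-byte default, passed once the ceiling is raised to 1500, which is exactly the symptom the quoted post describes.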


_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

