RE: PIX 6.33 & DNS fixup

["Smith Bruce" <BruceS () petech ac za>]

Hi

We're running 6.3.3 and had around 22000 connections hanging there. We
remove the fixup protocol dns line and within a few hours the
connections had dropped to 330 or so without any DNS conns hanging
around. This definitely seems to have an effect.

My opinion is that the "fixup protocol dns maximum-length 512" should
only be in there if there are win2k3 servers acting as DNS servers
inside.

Bruce Smith
Firewall Admin


-----Original Message-----
From: Luca Berra [mailto:bluca () comedia it] 
Sent: Tuesday, September 30, 2003 10:50 PM
To: firewall-wizards () honor icsalabs com
Subject: Re: [fw-wiz] PIX 6.33 & DNS fixup


On Mon, Sep 29, 2003 at 03:14:05PM +0200, Strydom, Willie wrote:
> Hi All,
>
> I see the PIX 6.33 has a DNS fixup, my conn count has gone through the 
> roof! mostly DNS traffic... Wonder if there is a connection...

actually pix 6.3(3) has a *configurable* dns fixup, previous version
fixup was hardcoded and broke edns, win2k3 uses edns by default so the
option was added to change it.

> I'm thinking that the "fixup protocol dns maximum-length 512" maybe 
> leaves the conn open for longer, so naturally there will be more conns.
512 was the previous default.

> Can anyone agree/disagree/explain?
i did not have a chance to test, but it seems you are not alone with
this problem. have you tried disabling fixup for dns?

regards,
L.

-- 
Luca Berra -- bluca () comedia it
        Communication Media & Services S.r.l.
 /"\
 \ /     ASCII RIBBON CAMPAIGN
  X        AGAINST HTML MAIL
 / \
_______________________________________________
firewall-wizards mailing list firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards