Firewall Wizards mailing list archives

Re: PIX 6.33 & DNS fixup


From: Brian Ford <brford () cisco com>
Date: Tue, 30 Sep 2003 23:25:32 -0400

Willie,

The PIX command you mentioned (DNS fixup) has been around for some time. What it does is make sure that only one DNS response per DNS request is able to get back through the Firewall. In the past we referred to this as "DNS Guard" and it was always on. In v6.3 we give you the capability of disabling this function by issuing the "no fixup dns" command.

The "maximum length" argument is important if your PIX is protecting client computers that are capable of generating EDNS0 requests. If your client can use EDNS0 (extended DNS), it can set the extended bit in the DNS request and specify that DNS responses can be longer than 512 bytes. If you have EDNS0 clients, or if you have a caching name server that is using EDNS0, then you would adjust the 512 to the packet size that your DNS is using (possibly as high as 1400).

Hope this helps.

Liberty for All,

Brian

At 12:03 PM 9/30/2003 -0400, firewall-wizards-request () honor icsalabs com wrote:
From: "Strydom, Willie" <WStrydom () fnb co za>
To: firewall-wizards () honor icsalabs com
Date: Mon, 29 Sep 2003 15:14:05 +0200
Subject: [fw-wiz] PIX 6.33 & DNS fixup

Hi All,

I see the PIX 6.33 has a DNS fixup, my conn count has gone through the roof!
mostly DNS traffic... Wonder if there is a connection...

I'm thinking that the "fixup protocol dns maximum-length 512" maybe leaves
the conn open for longer, so naturally there will be more conns.

Can anyone agree/disagree/explain?

Willie Strydom

Network Engineer (Security)
CCNA, CCSP, INFOSEC Professional
(Cisco Number csco10315544)
First National Bank
+27 11 889 5543

"Sure, I love children,
but I could never eat a whole one."

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
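As an added illustration of the point in Brian's reply (this is example code written for this archive page, not Cisco PIX code and not something either poster supplied): the script below builds DNS queries and responses as raw bytes, reads the EDNS0 OPT record to find the UDP payload size a client or resolver is advertising, and emulates the "maximum-length" check by reporting whether a response would fit under a given limit. The "fixup_verdict" function, the hostname and the addresses are all constructed for the example; the 512-byte default and the 1400-byte figure come from the thread.

```python
"""Added example: inspect DNS messages for EDNS0 and check them against a
PIX-style maximum-length. Constructed test data; not Cisco code."""
import struct

DNS_A = 1
DNS_OPT = 41        # EDNS0 OPT pseudo-RR type (RFC 2671)
CLASSIC_MAX = 512   # classic UDP DNS limit, the PIX default maximum-length


def encode_name(name):
    """Encode a dotted hostname as DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def opt_record(udp_size):
    """OPT RR: root name, type 41, CLASS carries the UDP payload size,
    TTL holds extended rcode/version/flags (all zero here), no rdata."""
    return b"\x00" + struct.pack("!HHIH", DNS_OPT, udp_size, 0, 0)


def build_query(name, txid=0x1234, edns_udp_size=None):
    """Build an A query; with edns_udp_size set, advertise EDNS0."""
    arcount = 1 if edns_udp_size else 0
    pkt = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)
    pkt += encode_name(name) + struct.pack("!HH", DNS_A, 1)
    if edns_udp_size:
        pkt += opt_record(edns_udp_size)
    return pkt


def build_response(name, addrs, txid=0x1234, edns_udp_size=None):
    """Build a response with one A record per address (constructed data)."""
    arcount = 1 if edns_udp_size else 0
    pkt = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addrs), 0, arcount)
    pkt += encode_name(name) + struct.pack("!HH", DNS_A, 1)
    for a in addrs:
        # 0xC00C is a compression pointer to the question name at offset 12
        rdata = bytes(int(x) for x in a.split("."))
        pkt += b"\xc0\x0c" + struct.pack("!HHIH", DNS_A, 1, 300, len(rdata)) + rdata
    if edns_udp_size:
        pkt += opt_record(edns_udp_size)
    return pkt


def skip_name(pkt, off):
    """Return the offset just past a (possibly compressed) name."""
    while True:
        ln = pkt[off]
        if ln == 0:
            return off + 1
        if ln & 0xC0 == 0xC0:   # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + ln


def parse_message(pkt):
    """Summarise a DNS message: id, direction, answer count, size, EDNS0 size."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(pkt, off) + 4          # qtype + qclass
    edns = None
    for _ in range(an + ns + ar):
        off = skip_name(pkt, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10 + rdlen
        if rtype == DNS_OPT:
            edns = rclass                      # advertised UDP payload size
    return {"id": txid, "is_response": bool(flags & 0x8000),
            "answers": an, "length": len(pkt), "edns_udp_size": edns}


def fixup_verdict(pkt, max_length=CLASSIC_MAX):
    """Emulate the length check: a message over max_length is dropped."""
    return "pass" if len(pkt) <= max_length else "drop"


if __name__ == "__main__":
    q = build_query("www.example.com", edns_udp_size=4096)
    print(parse_message(q))
    big = build_response("www.example.com",
                         ["10.0.0.%d" % i for i in range(1, 41)], edns_udp_size=4096)
    print(len(big), fixup_verdict(big), fixup_verdict(big, max_length=1400))
```

Run against a capture of your own resolver's traffic, the same parsing tells you two things the thread turns on: whether your clients or caching server are advertising EDNS0 at all (an OPT record with a payload size above 512), and how large the responses actually are, which is the number to put in "fixup protocol dns maximum-length".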