Firewall Wizards mailing list archives
Re: Help
From: "Utz, Ralph" <rutz () realtime-it com>
Date: Wed, 15 Nov 2006 08:26:30 -0600
I haven't run your test, but I have dealt with this problem on a consulting basis in the past. Here's some info:

PIX 6.3.5 and below block any DNS packet larger than 512 by default. When EDNS forces a packet larger than 512 the firewall will drop the packet. In Windows installations I've seen this cause the DNS service to hang and stop responding to requests. The PIX can be configured to allow larger DNS packets.

-----Original Message-----
From: firewall-wizards-bounces () listserv icsalabs com [mailto:firewall-wizards-bounces () listserv icsalabs com] On Behalf Of Dave Piscitello
Sent: Wednesday, November 15, 2006 6:26 AM
To: Firewall Wizards Security Mailing List
Subject: [fw-wiz] Help

Can I ask some of you who live behind commercial firewalls to do the following DNS dig for a small study I would like to conduct?

dig hk ns +bufsize=4096 @203.119.2.18 > <file>

If you could tell me the OS you used to dig, the firewall between your resolver and the name server and, if you know, the firewall SW version, you'd really make my day. BTW, if you don't get an answer, that is a very useful data point.

I am trying to gather some anecdotal evidence regarding how firewalls deal with EDNS0 responses (esp. DNS messages > 512) and AAAA records. I have results for:

Netscreen (ScreenOS V5.30r3, 4.0.3r4.0)
Sonicwall (SonicOS Standard 3.1.0.7-77s)
Cisco PIX version 7.2.1
Cisco C2600 IOS 12.2(37)
Watchguard FBX1000 (Fireware v8.2)

I could really use some data from current and previous versions of Checkpoint, Symantec, Sidewinder, Fortinet to help fill out the "market share tested" pie chart.

The information in this email and in any attachments is confidential and may be privileged. If you are not the intended recipient, please destroy this message, delete any copies held on your systems and notify the sender immediately. You should not retain, copy, or use this email for any purpose, and any review or other use of this information by persons or entities other than the intended recipient or any retransmission without the written consent of the sender is expressly prohibited.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
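As an added illustration of the check Dave asks for (example code written for this archive page, not something posted in the thread): a small Python script that builds the same EDNS0 NS query that `dig hk ns +bufsize=4096` sends, with the 4096-byte UDP buffer size carried in the OPT pseudo-RR, and classifies what comes back so a reader can tell a dropped reply (the PIX 512-byte behaviour Ralph describes) from a reply whose OPT RR was stripped. The `hk` zone and buffer size come from Dave's message; the sample reply bytes are constructed for the test, not captured traffic.

```python
import socket, struct
def build_edns_query(name, qtype=2, bufsize=4096, txid=0x1234):
    """RD set, one question, one OPT RR: what `dig <name> ns +bufsize=<bufsize>` sends."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # ARCOUNT=1 for the OPT RR
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.strip(".").split(".")) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)  # QTYPE NS=2, QCLASS IN
    opt = b"\x00" + struct.pack("!HHIH", 41, bufsize, 0, 0)  # OPT: root name, CLASS field = UDP size
    return header + question + opt
def skip_name(data, off):  # advance past a (possibly compressed) name, return the new offset
    while True:
        length = data[off]
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += 1
        if length == 0:
            return off
        off += length
def parse_response(data):
    """Return (rcode, TC flag, answer count, UDP size advertised in the responder's OPT RR or None)."""
    _txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    off, bufsize = 12, None
    for _ in range(qd):
        off = skip_name(data, off) + 4  # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(data, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        if rtype == 41:
            bufsize = rclass
        off += 10 + rdlen
    return flags & 0x000F, bool(flags & 0x0200), an, bufsize
def classify(reply):
    """One-line verdict for the study from a raw reply, or from None when the query timed out."""
    if reply is None:
        return "no reply: EDNS0 query or >512-byte answer dropped on the path"
    _rcode, tc, an, bufsize = parse_response(reply)
    if bufsize is None:
        return f"{len(reply)}-byte reply without OPT RR: EDNS0 stripped or unsupported"
    return f"{len(reply)}-byte reply, {an} answer RRs, TC={int(tc)}, EDNS0 bufsize {bufsize}"
def probe(server, name="hk", bufsize=4096, timeout=5.0):  # live UDP check against one server
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_edns_query(name, bufsize=bufsize), (server, 53))
        try:
            return classify(s.recvfrom(bufsize)[0])
        except socket.timeout:
            return classify(None)
# Constructed sample reply (not captured traffic): hk NS -> a.hk, plus an OPT RR advertising 4096.
SAMPLE_REPLY = (b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x01\x02hk\x00\x00\x02\x00\x01"
                b"\xc0\x0c\x00\x02\x00\x01\x00\x00\x0e\x10\x00\x04\x01a\xc0\x0c\x00\x00\x29\x10\x00\x00\x00\x00\x00\x00\x00")
```

Calling probe() against the server in Dave's message runs the live check from behind your own firewall; a timeout is reported as a drop, which his study counts as a data point too.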
Current thread:
- bypassing PIX limitation Paolo Supino (Nov 09)
- <Possible follow-ups>
- Re: bypassing PIX limitation Horvath, Kevin M. (Nov 09)
- Re: bypassing PIX limitation Paolo Supino (Nov 09)
- Re: bypassing PIX limitation Josh (Nov 09)
- Re: bypassing PIX limitation Paolo Supino (Nov 09)
- Re: bypassing PIX limitation David Swafford (Nov 09)
- Re: bypassing PIX limitation Paolo Supino (Nov 11)
- Re: bypassing PIX limitation Marcus J. Ranum (Nov 11)
- Re: bypassing PIX limitation Chris Blask (Nov 11)
- Help Dave Piscitello (Nov 15)
- Re: Help Utz, Ralph (Nov 15)
- Re: Help Aaron Smith (Nov 15)
- Re: bypassing PIX limitation Paolo Supino (Nov 11)
- Re: bypassing PIX limitation Paolo Supino (Nov 11)