Firewall Wizards mailing list archives

Re: Help


From: Aaron Smith <smitha () byui edu>
Date: Wed, 15 Nov 2006 09:27:17 -0700

On Wed, 2006-11-15 at 08:26 -0600, Utz, Ralph wrote:
> I haven't run your test, but I have dealt with this problem on a
> consulting basis in the past.  Here's some info: PIX 6.3.5 and below
> block any DNS packet larger than 512 by default.  When EDNS forces a
> packet larger than 512 the firewall will drop the packet.  In Windows
> installations I've seen this cause the DNS service to hang and stop
> responding to requests.  The PIX can be configured to allow larger DNS
> packets.

And, conversely, Windows EDNS0 can be disabled, as we did in our
environment.

@@ron Smith