Firewall Wizards mailing list archives

First batch of results - testing firewall ability to allow EDNS0 responses
From: Dave Piscitello <dave () corecom com>
Date: Thu, 04 Jan 2007 09:40:10 -0500

Folks,

Thanks to those of you who already sent me results from the DNS query, which tests whether your firewall (and config) allow UDP-encapsulated DNS response messages greater than 512 bytes (and also tests whether your firewall/application proxy blocks AAAA records):

dig hk ns +bufsize=4096 @203.119.2.18
I'm gathering test results to help determine a "least impact" path to introduce AAAA records of root name servers in the root hints and initial (priming) response.

The first set of results is included below. There were many duplicates for the popular firewalls and versions.

I am still looking to expand this table with firewall products from Symantec, Cyberguard, Lucent, Barricade, TopLayer, SteelGate, HotBrick, InGate, et al.

If you run a firewall that is not yet on this list and would be willing to try the dig and send me the result/output as well as the firewall, version, and any unique policy you configured to allow the response to pass, I would be extremely grateful. I will not be associating or publishing any company or personal information with the results (what you see in the table below is essentially what will be published).

---------------------------------------------------

Product         Version         Action when AAAA        Action when DNS         
                                RR encountered          response > 512

Juniper/
Netscreen       5.4r2
                5.30r3
                4.0.3r4.0       Allow                   Allow

Sonicwall       3.1.0.7-77s     Allow                   Allow

Cisco PIX       7.2.1           Allow                   Allow

Cisco PIX       6.2.5           Allow                   Deny

Cisco PIX       6.3.5           Allow                   Allow**1

Cisco C2600     IOS 12.2(37)    Allow                   Allow

Watchguard
Firebox X 1000  Fireware v8.2   Allow                   Allow

Secure Computing
Sidewinder      5.2.1,
                6.1.2.00        Allow                   Allow

Fortinet
Fortigate 60    3.0.x           Allow                   Allow

Checkpoint
Firewall-1      NG, R55         Allow                   Allow

**1 Firewall configuration includes "fixup protocol dns maximum-length 1500".
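The dig test above can also be reproduced without dig, which is useful when the check has to run from a host without BIND tools or be repeated across many firewall rules. The following is an added example, not the poster's tool: it builds the same query (hk NS with an EDNS0 OPT pseudo-RR advertising a 4096-byte UDP payload, as +bufsize=4096 does), parses a reply, and reports the fields that map onto the table's two columns: whether the reply exceeded 512 bytes and arrived untruncated (TC bit clear), and whether any AAAA records came through. Sending the query over UDP to 203.119.2.18 is left to the caller; the sample reply at the end is constructed, not captured traffic.

```python
import struct

NS, AAAA, OPT = 2, 28, 41  # RR type codes used below

def encode_name(name):
    """Wire-format a domain name: length-prefixed labels ended by a zero byte ("" is the root)."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".") if l) + b"\x00"

def build_query(name, qtype, bufsize=4096, txid=0x1234):
    """Query carrying an EDNS0 OPT pseudo-RR that advertises `bufsize`, like `dig +bufsize=N`."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD set; 1 question, 1 additional
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    # OPT RR: root name, TYPE 41, CLASS = requestor's UDP payload size, TTL = ext-rcode/version/flags
    opt = encode_name("") + struct.pack("!HHIH", OPT, bufsize, 0, 0)
    return header + question + opt

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name that starts at `off`."""
    while msg[off] & 0xC0 != 0xC0:  # a compression pointer (two bytes) ends the name
        if msg[off] == 0:
            return off + 1
        off += 1 + msg[off]
    return off + 2

def parse_response(msg):
    """Summarise a reply the way the table's columns do: size, TC bit, AAAA and OPT presence."""
    _txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    types, edns_bufsize = [], None
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        types.append(rtype)
        if rtype == OPT:
            edns_bufsize = rclass  # the responder's advertised UDP payload size
    return {"size": len(msg), "truncated": bool(flags & 0x0200),  # TC bit: reply did not fit
            "rcode": flags & 0x000F, "records": len(types),
            "aaaa_records": types.count(AAAA), "edns_bufsize": edns_bufsize}

def large_udp_allowed(summary):
    """True if a >512-byte UDP reply arrived intact, False if truncated, None if inconclusive."""
    return False if summary["truncated"] else (True if summary["size"] > 512 else None)

# Constructed sample reply (not captured traffic): QR|RD|RA flags, one AAAA answer, one OPT RR.
SAMPLE_REPLY = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 1) + encode_name("hk") +
                struct.pack("!HH", NS, 1) + b"\xc0\x0c" + struct.pack("!HHIH", AAAA, 1, 3600, 16) +
                bytes(16) + encode_name("") + struct.pack("!HHIH", OPT, 4096, 0, 0))
```

A reply shorter than 512 bytes with TC clear says nothing about the firewall's size limit, which is why large_udp_allowed returns None for it; only a large untruncated reply, or a truncated one, is evidence for the table.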


_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
