Firewall Wizards mailing list archives
First batch of results - testing firewall ability to allow EDNS0 responses
From: Dave Piscitello <dave () corecom com>
Date: Thu, 04 Jan 2007 09:40:10 -0500
Folks,

Thanks to those of you who already sent me results from the DNS query, which tests whether your firewall (and config) allows UDP-encapsulated DNS response messages greater than 512 bytes (and also tests whether your firewall/application proxy blocks AAAA records):

    dig hk ns +bufsize=4096 @203.119.2.18

I'm gathering test results to help determine a "least impact" path to introduce AAAA records of root name servers in the root hints and initial (priming) response.
The first set of results is included below. There were many duplicates for the popular firewalls and versions.
I am still looking to expand this table with firewall products from Symantec, Cyberguard, Lucent, Barricade, TopLayer, SteelGate, HotBrick, InGate, et al.
If you run a firewall that is not yet on this list and would be willing to try the dig and send me the result/output as well as the firewall, version, and any unique policy you configured to allow the response to pass, I would be extremely grateful. I will not be associating or publishing any company or personal information with the results (what you see in the table below is essentially what will be published).
---------------------------------------------------
Product                       Version                     Action when AAAA    Action when DNS
                                                          RR encountered      response > 512
---------------------------------------------------
Juniper/Netscreen             5.4r2, 5.30r3, 4.0.3r4.0    Allow               Allow
Sonicwall                     3.1.0.7-77s                 Allow               Allow
Cisco PIX                     7.2.1                       Allow               Allow
Cisco PIX                     6.2.5                       Allow               Deny
Cisco PIX                     6.3.5                       Allow               Allow**1
Cisco C2600 IOS               12.2(37)                    Allow               Allow
Watchguard Firebox X 1000     Fireware v8.2               Allow               Allow
Secure Computing Sidewinder   5.2.1, 6.1.2.00             Allow               Allow
Fortinet Fortigate 60         3.0.x                       Allow               Allow
Checkpoint Firewall-1         NG, R55                     Allow               Allow
---------------------------------------------------
**1 Firewall configuration includes "fixup protocol dns maximum-length 1500".
_______________________________________________ firewall-wizards mailing list firewall-wizards () listserv icsalabs com https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
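Added example (not part of Dave's post or anything the list published): a small pure-stdlib Python script that builds the same kind of EDNS0 query `dig hk ns +bufsize=4096` sends and reads a UDP reply the way this firewall test needs it read: total size against the classic 512-byte limit, the TC (truncated) bit, and whether AAAA records in the additional section survived the trip. The server address passed to `probe()` is your own choice (the one in the dig command above works the same way); `constructed_response()` is a made-up reply for offline checking, not a capture.

```python
import socket
import struct

def encode_name(name):
    # Wire-format name: length-prefixed labels terminated by a zero byte
    return b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split(".")) + b"\x00"

def build_edns0_query(name, qtype=2, bufsize=4096, txid=0x1234):
    # Header: id, flags (RD only), QD=1, AN=0, NS=0, AR=1 (the OPT pseudo-RR)
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack(">HH", qtype, 1)
    # OPT RR (RFC 6891): root name, TYPE 41, CLASS field = advertised UDP payload size, TTL 0, RDLEN 0
    opt = b"\x00" + struct.pack(">HHIH", 41, bufsize, 0, 0)
    return header + question + opt

def skip_name(data, off):
    # Advance past a name, honouring 0xC0 compression pointers (2 bytes, and they end the name)
    while data[off] != 0:
        if data[off] & 0xC0 == 0xC0:
            return off + 2
        off += 1 + data[off]
    return off + 1

def analyze_response(data):
    # What the firewall test cares about: size vs 512, TC bit, how many AAAA and OPT records came back
    _, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", data[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(data, off) + 4          # skip QTYPE + QCLASS
    counts = {}
    for _ in range(an + ns + ar):
        off = skip_name(data, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", data[off:off + 10])
        counts[rtype] = counts.get(rtype, 0) + 1
        off += 10 + rdlen
    return {"bytes": len(data), "truncated": bool(flags & 0x0200),
            "over_512": len(data) > 512, "aaaa": counts.get(28, 0), "opt": counts.get(41, 0)}

def constructed_response(num_aaaa=20, txid=0x1234):
    # Constructed sample (not a real capture): one NS answer plus AAAA glue and an OPT RR; 20 AAAA records push it past 512 bytes
    body = encode_name("hk") + struct.pack(">HH", 2, 1)
    rr = lambda t, rdata: b"\xc0\x0c" + struct.pack(">HHIH", t, 1, 3600, len(rdata)) + rdata
    body += rr(2, encode_name("a.example")) + b"".join(rr(28, bytes([0x20, 1] + [i % 256] * 14)) for i in range(num_aaaa))
    body += b"\x00" + struct.pack(">HHIH", 41, 4096, 0, 0)
    return struct.pack(">HHHHHH", txid, 0x8180, 1, 1, 0, num_aaaa + 1) + body

def probe(server, name="hk", bufsize=4096, timeout=5):
    # Live equivalent of `dig <name> ns +bufsize=<bufsize> @<server>`; needs network, so it is not called at import
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_edns0_query(name, 2, bufsize), (server, 53))
        return analyze_response(s.recvfrom(bufsize)[0])
```

A reply with `over_512` true and the AAAA count intact means both behaviours in the table above are "Allow"; a reply with `truncated` set, or one that never arrives, is the symptom the 512-byte fixups produce.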