nanog mailing list archives

Previous By Date Next
Previous By Thread Next

Re: DNS problems to RoadRunner - tcp vs udp

From: Justin Shore <justin () justinshore com>
Date: Fri, 13 Jun 2008 15:08:35 -0500
Justin Shore wrote:

Jon Kibler wrote:

Various hardening documents for Cisco routers specify the best practices
are to only allow 53/tcp connections to/from secondary name servers.
Plus, from all I can tell, Cisco's 'ip inspect dns' CBAC appears to only
handle UDP data connections and anything TCP would be denied. From what
you are saying, the hardening recommendations are wrong and that CBAC
may break some DNS responses. Is this correct?
A number of Cisco default from years gone by would break DSN, today, in it's current form. Such as how PIXs and ASAs with fixup/DPI would block udp/53 packets larger than 512 bytes, not permitting EDNS packets through.
Thunderbird apparently thought that I was ready to send my message before I did. I was going to add some ASA config as an example. 

policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 2048

I don't have an IOS CBAC example but there's surely something similar.


Justin
Previous By Date Next
Previous By Thread Next

Current thread: