Re: [fw-wiz] Win 2003 and PiX

From: Carson Gaspar (carson_at_taltos.org)
Date: 05/10/03

    To: firewall-wizards@honor.icsalabs.com
    Date: Fri, 09 May 2003 20:03:15 -0400
    

    Yes. The Cisco PIX has ... "interesting" ... support for DNS (and any
    number of other protocols). One must do at least one of the following:

    - Use a different firewall (the option I recommend, if politics and budgets
    allow)
    - Convince Cisco to fix it, and run the code that does so (good luck, since
    it's a "feature request")
    - Turn off DNS fixups on the PIX (make sure you're not using their DNS
    response rewriting features)
    - Turn off large DNS replies support on your DNS servers (and make sure you
    allow DNS over TCP, as many queries will have to be re-sent)

    --On Friday, May 09, 2003 12:47 PM -0400 "Iannaccone, Al"
    <Al.Iannaccone@occ.treas.gov> wrote:

    > Hello;
    >
    > This is something I found on Bugtraq... has anyone else seen this? Thanks.
    > This is another sysadmin discussing...
    >
    > ----====SNIP====----
    >
    > After much investigation as to why it "suddenly" stopped working, we
    > determined that Win 2003 requests everything but the kitchen cupboard in
    > its DNS requests, apparently using RFC 2671 to specify the ability to
    > accept >512 byte UDP replies.
    >
    > We are running the latest version (6.3.1) on our Cisco PIX and it
    > appears that there is a hard limit of 512 bytes on ANY UDP packets
    > arriving on port 53. Everything exceeding that is dropped.

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
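The mechanism the thread describes, as an added example that is not part of the original post: a Windows 2003 resolver appends an RFC 2671 OPT pseudo-RR advertising a UDP payload size well above 512 bytes, so the server feels free to send a large UDP reply, which a PIX with DNS fixup (per the thread) drops. The snippet builds such a query, reads the advertised size back out of any DNS message, and flags datagrams over the 512-byte limit, using only the standard library; the 512-byte constant and the 4096 sample size are assumptions for illustration.

```python
"""Added example: build/inspect EDNS0 (RFC 2671) queries and spot UDP/53
datagrams over the 512-byte limit described in the thread. Stdlib only."""
import struct

OPT_TYPE = 41             # RFC 2671 OPT pseudo-RR type code
UDP_DNS_LIMIT = 512       # assumed: classic RFC 1035 UDP ceiling the PIX enforces


def encode_name(name: str) -> bytes:
    """Wire-format a domain name as length-prefixed labels plus a root byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def build_query(name: str, qtype: int = 1, txid: int = 0x1234, edns_size: int = 0) -> bytes:
    """Build a recursive A query; if edns_size > 0, append an OPT RR advertising it."""
    arcount = 1 if edns_size else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # flags: RD set
    msg = header + encode_name(name) + struct.pack("!HH", qtype, 1)   # QCLASS IN
    if edns_size:
        # OPT RR: root name, TYPE=41, CLASS=UDP payload size, TTL=ext-RCODE/ver/flags, RDLEN=0
        msg += b"\x00" + struct.pack("!HHIH", OPT_TYPE, edns_size, 0, 0)
    return msg


def skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a wire-format name (handles compression pointers)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:       # two-byte pointer terminates the name
            return off + 2
        off += length + 1


def advertised_udp_size(msg: bytes) -> int:
    """EDNS0 UDP payload size carried in a DNS message's OPT RR, or 512 if there is none."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):                 # question entries: name + QTYPE + QCLASS
        off = skip_name(msg, off) + 4
    for _ in range(an + ns + ar):       # walk every RR until an OPT record shows up
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == OPT_TYPE:
            return rclass               # CLASS field doubles as the payload size
        off += 10 + rdlen
    return 512


def dropped_by_512_limit(datagram: bytes) -> bool:
    """True if a UDP/53 datagram exceeds the limit the thread says the PIX enforces."""
    return len(datagram) > UDP_DNS_LIMIT
```

Running `advertised_udp_size` over captured queries from a Windows 2003 host shows the large size it advertises, which explains why replies come back over 512 bytes even when the same query from an older resolver does not.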

