Re: [fw-wiz] Win 2003 and PIXen
From: Dario Calia (dcalia_at_cisco.com)
Date: 05/13/03
- Previous message: Paul Robertson: "RE: [fw-wiz] Rationale for BSD (I)PF rule order?"
- Maybe in reply to: Brian Ford: "Re: [fw-wiz] Win 2003 and PIXen"
To: firewall-wizards@honor.icsalabs.com
Date: Mon, 12 May 2003 20:31:39 -0700
Hello Tony and others,
You will need to open a case with the Cisco Technical Assistance Center and
request the latest PIX OS v6.3 build. Builds starting with PIX 6.3(1)100 have included
support for EDNS0. The DNS Guard/fixup has been made configurable and you
have the option of still specifying bounds checking. That is, a new CLI has
been introduced as follows:

    fixup protocol dns maximum-length <length>

Depending on your specific needs you can simply disable the DNS Guard feature
using

    no fixup protocol dns

or enable it w/out any total payload bounds checking

    fixup protocol dns

or enable it w/ total payload length checking

    fixup protocol dns maximum-length <length>
The enhancement DDTS of interest is CSCea25589 (EDNS0 Support on PIX).
The DDTS release note currently provides the documentation. The online docs
will be updated to address the new support closer to the next maintenance
release cycle.
Thanks, Dario
At 04:37 PM 5/10/2003 -0600, Tony Rall wrote:
>On Saturday, 2003-05-10 at 08:08 AST, Brian Ford <brford@cisco.com> wrote:
>> This should not be an issue with PIX OS v6.3. This is why we added the
>> capability to disable or modify the DNS Guard feature in PIX OS v6.3.
>>
>> We recently noted more implementations of BIND using DNSSec features (i.e.
>> allowing the DNS extended attribute bit to be set and accepting responses
>> larger than 512 bytes).
>>
>> DNS Guard in the PIX makes sure that for every DNS request that traverses
>> the Firewall only one response is allowed in return. We also check to make
>> sure that the response is less than a (now variable) size. That response
>> used to be limited to 512 bytes.
>>
>> In PIX OS v6.3 you can disable the DNS Guard or modify the size of allowed
>> DNS response (up to the 1500 byte Ethernet packet size).
>
>Sounds great, but I don't see any mention of that in the 6.3 Release
>Notes, nor in any Cmd Ref or Guide. Would you point us to documentation
>of this?
>
>http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/config/fixup.pdf
>seems to be saying that dns fixup is still not configurable.
>
>Tony Rall
>_______________________________________________
>firewall-wizards mailing list
>firewall-wizards@honor.icsalabs.com
>http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
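An added illustration (not from the thread or from Cisco) of the bounds check the thread discusses: it builds constructed DNS replies, reads the UDP payload size an EDNS0 OPT record advertises, and models how a reply fares under the old fixed 512-byte limit versus a configured `maximum-length` or no length check at all. Message layout follows the DNS wire format; the PIX-side behaviour is modelled, not reproduced from PIX code.

```python
"""Model of DNS Guard length checking vs. EDNS0 responses (constructed samples)."""
import struct

def encode_name(name):
    """Encode a dotted name as DNS labels terminated by the root label."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"

def build_response(qname, txt_records, edns_udp_size=None):
    """Constructed reply: one TXT answer per string, optional EDNS0 OPT RR."""
    arcount = 1 if edns_udp_size else 0
    hdr = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, len(txt_records), 0, arcount)
    question = encode_name(qname) + struct.pack("!HH", 16, 1)   # TXT, IN
    answers = b""
    for txt in txt_records:
        rdata = bytes([len(txt)]) + txt.encode()
        # 0xC00C is a compression pointer back to the question name
        answers += b"\xc0\x0c" + struct.pack("!HHIH", 16, 1, 300, len(rdata)) + rdata
    opt = b""
    if edns_udp_size:
        # OPT RR: root name, TYPE 41, CLASS carries the requestor's UDP payload size
        opt = b"\x00" + struct.pack("!HHIH", 41, edns_udp_size, 0, 0)
    return hdr + question + answers + opt

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += length + 1

def advertised_udp_size(msg):
    """Return the EDNS0 UDP payload size from the OPT RR, or None if absent."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == 41:
            return rclass
        off += 10 + rdlen
    return None

def dns_guard_verdict(msg, maximum_length=512):
    """Modelled bounds check: 512 = legacy DNS Guard, an int = configured
    'maximum-length', None = 'fixup protocol dns' with no length check."""
    if maximum_length is not None and len(msg) > maximum_length:
        return "drop"
    return "pass"
```

Running `dns_guard_verdict` over a reply that advertises 1280 bytes shows why the legacy limit drops EDNS0 traffic that a `maximum-length 1500` configuration passes.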