Re: [fw-wiz] Help



On Wed, 2006-11-15 at 08:26 -0600, Utz, Ralph wrote:
I haven't run your test, but I have dealt with this problem on a
consulting basis in the past. Here's some info: PIX 6.3.5 and below
block any DNS packet larger than 512 by default. When EDNS forces a
packet larger than 512 the firewall will drop the packet. In Windows
installations I've seen this cause the DNS service to hang and stop
responding to requests. The PIX can be configured to allow larger DNS
packets.

And, conversely, Windows EDNS0 can be disabled, as we did in our
environment.

@@ron Smith
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
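As an added illustration (not code from the post or the list), the script below builds DNS/UDP messages with and without an EDNS0 OPT record, reads back the advertised UDP payload size, and reports which messages a filter enforcing the classic 512-byte limit (the PIX default described above) would drop. Names, addresses and message IDs are constructed sample values.

```python
import struct

LEGACY_DNS_UDP_MAX = 512  # RFC 1035 limit; the default the post says PIX 6.3.5 and below enforce


def _encode_name(name):
    """Wire-format a dotted name as length-prefixed labels ending in the root label."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"


def _skip_name(msg, off):
    """Return the offset just past the name at off (handles a compression pointer)."""
    while True:
        l = msg[off]
        if l == 0:
            return off + 1
        if l & 0xC0 == 0xC0:  # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + l


def build_query(name, udp_payload=None):
    """Minimal A query; an EDNS0 OPT pseudo-record is appended when udp_payload is given."""
    arcount = 1 if udp_payload else 0
    msg = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, arcount)  # constructed ID, RD set
    msg += _encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
    if udp_payload:
        # OPT RR: root name, TYPE 41, CLASS field carries the advertised UDP size, no options
        msg += b"\x00" + struct.pack("!HHIH", 41, udp_payload, 0, 0)
    return msg


def build_response(query, addrs):
    """Echo the question and answer it with one A record per address (constructed data)."""
    msg = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, len(addrs), 0, 0)
    msg += query[12:_skip_name(query, 12) + 4]
    for a in addrs:
        # owner name is a pointer (0xC00C) to the question name; TTL 60; RDLENGTH 4
        msg += struct.pack("!HHHIH", 0xC00C, 1, 1, 60, 4) + bytes(int(o) for o in a.split("."))
    return msg


def edns_payload_size(msg):
    """UDP payload size advertised in the OPT record, or None when the message has no EDNS0."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == 41:
            return rclass
        off += 10 + rdlen
    return None


def dropped_by_legacy_filter(msg, limit=LEGACY_DNS_UDP_MAX):
    """True if a firewall that enforces the classic 512-byte DNS/UDP limit would drop msg."""
    return len(msg) > limit
```

A query advertising 4096 bytes invites responses that a 512-byte filter silently drops, which is why the two fixes in the post (raise the limit on the firewall, or stop advertising EDNS0 on the resolver) both work.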


