Win 2003 DNS requests makes replies over 512 byte PIX limit

From: Loucks, Jason (loucks_at_COMMPROD.COM)
Date: 05/08/03

    Date:         Thu, 8 May 2003 08:59:01 -0500
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    
    

    We recently upgraded our DNS servers to Win 2003. After this time, it
    became apparent that we are unable to send email to some domains which
    had been working fine before.
    After much investigation as to why it "suddenly" stopped working, we
    determined that Win 2003 requests everything but the kitchen cupboard in
    its DNS requests, apparently using RFC 2671 to specify the ability to
    accept >512 byte UDP replies.
    We are running the latest version (6.3.1) on our Cisco PIX and it
    appears that there is a hard limit of 512 bytes on ANY UDP packets
    arriving on port 53. Everything exceeding that is dropped.
    Has anyone else seen this problem?

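    The mechanism the post describes, as an added example that is not part of the original message: an EDNS0 OPT pseudo-RR (RFC 2671) in the query's additional section carries the resolver's accepted UDP payload size in the RR's CLASS field, and a firewall fixup that caps UDP/53 at 512 bytes will silently drop any reply the server sizes to that advertisement. The query below is constructed; the 4096-byte advertisement is an illustrative value, not the size Windows 2003 actually used, and the 512 limit is the one reported for the PIX.

```python
import struct
from typing import Optional

PIX_UDP_DNS_LIMIT = 512  # UDP/53 size cap the post reports the PIX enforcing
OPT_TYPE = 41            # EDNS0 OPT pseudo-RR type (RFC 2671)

def build_query(qname: str, udp_payload: Optional[int] = None, qid: int = 0x1234) -> bytes:
    """Build a DNS A/IN query; with udp_payload set, append an EDNS0 OPT RR
    advertising that UDP size (the >512 capability the post describes)."""
    edns = udp_payload is not None
    # ID, flags (RD), QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=1 if OPT present
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1 if edns else 0)
    labels = qname.rstrip(".").split(".")
    question = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question += struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    if not edns:
        return header + question
    # OPT RR: root owner name, TYPE=41, CLASS = requestor's UDP payload size,
    # TTL = extended RCODE/version/flags (all zero here), RDLENGTH=0
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_payload, 0, 0)
    return header + question + opt

def _skip_name(msg: bytes, off: int) -> int:
    """Offset just past a wire-format name (compression pointers end the name)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length

def advertised_udp_size(msg: bytes) -> int:
    """UDP payload size the query's OPT RR advertises; 512 when there is no OPT RR."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # skip QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == OPT_TYPE:
            return rclass
        off += 10 + rdlen
    return 512

def effective_reply_limit(query: bytes, firewall_limit: int = PIX_UDP_DNS_LIMIT) -> int:
    """Largest UDP reply that the resolver accepts AND the firewall will pass."""
    return min(advertised_udp_size(query), firewall_limit)

def reply_would_be_dropped(query: bytes, reply_len: int,
                           firewall_limit: int = PIX_UDP_DNS_LIMIT) -> bool:
    """True when the query solicited a reply larger than the firewall forwards."""
    return advertised_udp_size(query) > firewall_limit and reply_len > firewall_limit
```

    Running `advertised_udp_size` over captured queries from the upgraded servers is a quick way to confirm they advertise more than 512 bytes before blaming the far-end DNS.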

