Re: Win 2003 DNS requests makes replies over 512 byte PIX limit

From: Luca Berra (bluca_at_COMEDIA.IT)
Date: 05/15/03

  • Next message: 3APA3A: "Re: Cisco Systems VPN Client allows local logon with Elevated Privileges"
    Date:         Thu, 15 May 2003 09:23:57 +0200
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    
    
    

    On Thu, May 08, 2003 at 08:59:01AM -0500, Loucks, Jason wrote:
    >We recently upgraded our DNS servers to Win 2003. After this time, it
    >became apparent that we are unable to send email to some domains which
    >had been working fine before.

    You may be interested in this email someone from Cisco sent to the
    firewall-wizards mailing list.

    regards,
    L.

    --
    Luca Berra -- bluca@comedia.it
            Communication Media & Services S.r.l.
     /"\
     \ /     ASCII RIBBON CAMPAIGN
      X        AGAINST HTML MAIL
     / \
    oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo
    EXECUTIVE SEMINAR: "Information Security and the Disappearing Perimeter"
    Join Peter S. Tippett, PhD, M.D., the industry's foremost authority on
    network security, and TruSecure for a free breakfast seminar on "The Impact
    of the Disappearing Perimeter." Learn how you can proactively protect your
    organization against today's newest threats, including those from remote
    users, business partners and wireless. To register, and to view the full
    list of dates and cities, click below or call 1-888-396-8348.
    http://www.trusecure.com/offer/s0096/
    oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo
    
    

    attached mail follows:


    To: firewall-wizards@honor.icsalabs.com
    Date: Mon, 12 May 2003 20:31:39 -0700
    
    

    Hello Tony and others,

    You will need to open a case with the Cisco Technical Assistance Center and
    request the latest PIX OS v6.3 build. Builds starting with PIX 6.3(1)100 have included
    support for EDNS0. The DNS Guard/fixup has been made configurable and you
    have the option of still specifying bounds checking. That is, a new CLI command has
    been introduced as follows

      fixup protocol dns maximum-length <length>

    Depending on your specific needs you can simply disable the DNS Guard feature
    using

      no fixup protocol dns

    or enable it w/out any total payload bounds checking

      fixup protocol dns

    or enable it w/ total payload length checking

      fixup protocol dns maximum-length <length>

    The enhancement DDTS of interest is CSCea25589 (EDNS0 Support on PIX).
    The DDTS release note currently provides the documentation. The online docs
    will be updated to address the new support closer to the next maintenance
    release cycle.

    Thanks, Dario

    At 04:37 PM 5/10/2003 -0600, Tony Rall wrote:
    >On Saturday, 2003-05-10 at 08:08 AST, Brian Ford <brford@cisco.com> wrote:
    >> This should not be an issue with PIX OS v6.3. This is why we added the
    >> capability to disable or modify the DNS Guard feature in PIX OS v6.3.
    >>
    >> We recently noted more implementations of BIND using DNSSec features (i.e.
    >> allowing the DNS extended attribute bit to be set and accepting responses
    >> larger than 512 bytes).
    >>
    >> DNS Guard in the PIX makes sure that for every DNS request that traverses
    >> the Firewall only one response is allowed in return. We also check to make
    >> sure that the response is less than a (now variable) size. That response
    >> used to be limited to 512 bytes.
    >>
    >> In PIX OS v6.3 you can disable the DNS Guard or modify the size of allowed
    >> DNS response (up to the 1500 byte Ethernet packet size).
    >
    >Sounds great, but I don't see any mention of that in the 6.3 Release
    >Notes, nor in any Cmd Ref or Guide. Would you point us to documentation
    >of this?
    >
    >http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/config/fixup.pdf
    >seems to be saying that dns fixup is still not configurable.
    >
    >Tony Rall
    >_______________________________________________
    >firewall-wizards mailing list
    >firewall-wizards@honor.icsalabs.com
    >http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
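    The following Python is an added illustration, written for this archive page; it is not code from Luca, Dario, Brian Ford or Cisco. It models the two DNS Guard checks Brian Ford describes (one response per outstanding request, and an optional bound on total response length) against constructed DNS messages, and shows why an EDNS0-capable resolver such as the Windows 2003 server in the original report produces replies that the old fixed 512-byte bound drops but a `maximum-length` of 1500 (or no bound at all) lets through. The wire-format parsing follows RFC 1035 and the EDNS0 OPT pseudo-RR (type 41, whose CLASS field carries the advertised UDP payload size); the class and function names, the transaction id, and the sample query are my own assumptions, not anything from the thread.

```python
"""Toy model of the PIX DNS Guard checks discussed in the thread (added example,
not Cisco code). Assumed: RFC 1035 message layout; EDNS0 OPT pseudo-RR type 41
with the advertised UDP payload size in its CLASS field."""
import struct

OPT_TYPE = 41
DEFAULT_MAX = 512      # historic fixed DNS Guard limit mentioned in the thread
ETHERNET_MAX = 1500    # upper bound for maximum-length mentioned in the thread


def encode_name(name):
    """Encode a dotted name as DNS labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_message(txid, qname, is_response, answers=0, edns_payload=None):
    """Construct a minimal DNS message: one A question, `answers` A records that
    point back at the question name, and an OPT RR if `edns_payload` is given."""
    flags = 0x8180 if is_response else 0x0100       # QR/RD/RA or just RD
    arcount = 1 if edns_payload is not None else 0
    msg = struct.pack("!HHHHHH", txid, flags, 1, answers, 0, arcount)
    msg += encode_name(qname) + struct.pack("!HH", 1, 1)   # QTYPE A, QCLASS IN
    for i in range(answers):
        # 0xC00C = compression pointer to the question name at offset 12
        rdata = bytes([10, 0, (i >> 8) & 0xFF, i & 0xFF])   # constructed 10.0.x.y
        msg += struct.pack("!HHHIH", 0xC00C, 1, 1, 300, 4) + rdata
    if edns_payload is not None:
        # OPT RR: root name, TYPE 41, CLASS = UDP payload size, TTL = 0, RDLEN 0
        msg += b"\x00" + struct.pack("!HHIH", OPT_TYPE, edns_payload, 0, 0)
    return msg


def skip_name(msg, off):
    """Return the offset just past a name, handling a compression pointer."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def parse_message(msg):
    """Extract header fields, total length and the EDNS0 payload size (if any)."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4            # QTYPE + QCLASS
    edns_payload = None
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT_TYPE:
            edns_payload = rclass                # EDNS0 advertised UDP size
    return {"txid": txid, "is_response": bool(flags & 0x8000),
            "answers": an, "edns_payload": edns_payload, "length": len(msg)}


class DnsGuard:
    """max_length=None models 'fixup protocol dns' with no payload bound;
    an integer models 'fixup protocol dns maximum-length <length>'."""

    def __init__(self, max_length=DEFAULT_MAX):
        self.max_length = max_length
        self.pending = set()                     # outstanding request ids

    def inspect(self, msg):
        info = parse_message(msg)
        if not info["is_response"]:
            self.pending.add(info["txid"])
            return "allow", info
        if info["txid"] not in self.pending:
            return "drop: no outstanding request", info
        self.pending.discard(info["txid"])       # only one response per request
        if self.max_length is not None and info["length"] > self.max_length:
            return "drop: over maximum-length", info
        return "allow", info


def demo(max_length):
    """Send one EDNS0 query, then the same large reply twice; return the reply
    length and the three verdicts."""
    guard = DnsGuard(max_length)
    query = build_message(0x1234, "example.com", False, edns_payload=4096)
    reply = build_message(0x1234, "example.com", True, answers=40, edns_payload=4096)
    verdicts = [guard.inspect(query)[0], guard.inspect(reply)[0], guard.inspect(reply)[0]]
    return len(reply), verdicts


if __name__ == "__main__":
    for bound in (DEFAULT_MAX, ETHERNET_MAX, None):
        print(bound, demo(bound))
```

The 680-byte reply is dropped under the old 512-byte bound, allowed under a 1500-byte `maximum-length` or with the bound removed, and a second copy of the same reply is dropped in every mode because the guard closes the request after the first response; when troubleshooting, compare the response size reported by the resolver against the bound configured on the firewall before suspecting the DNS server itself.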



