Re: Win 2003 DNS requests makes replies over 512 byte PIX limit
From: Luca Berra (bluca_at_COMEDIA.IT)
Date: 05/15/03
- In reply to: Loucks, Jason: "Win 2003 DNS requests makes replies over 512 byte PIX limit"
Date: Thu, 15 May 2003 09:23:57 +0200
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
On Thu, May 08, 2003 at 08:59:01AM -0500, Loucks, Jason wrote:
>We recently upgraded our DNS servers to Win 2003. After this time, it
>became apparent that we are unable to send email to some domains which
>had been working fine before.
You may be interested in this email someone from Cisco sent to the
firewall-wizards mailing list.
regards,
L.
--
Luca Berra -- bluca@comedia.it
Communication Media & Services S.r.l.
/"\
\ / ASCII RIBBON CAMPAIGN
X AGAINST HTML MAIL
/ \
oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo
EXECUTIVE SEMINAR: "Information Security and the Disappearing Perimeter"
Join Peter S. Tippett, PhD, M.D., the industry's foremost authority on
network security, and TruSecure for a free breakfast seminar on "The Impact
of the Disappearing Perimeter." Learn how you can proactively protect your
organization against today's newest threats, including those from remote
users, business partners and wireless. To register, and to view the full
list of dates and cities, click below or call 1-888-396-8348.
http://www.trusecure.com/offer/s0096/
oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo
attached mail follows:
To: firewall-wizards@honor.icsalabs.com
Date: Mon, 12 May 2003 20:31:39 -0700
Hello Tony and others,
You will need to open a case with the Cisco Technical Assistance Center and
request the latest PIX OS v6.3 build. Builds starting with PIX 6.3(1)100 have included
support for EDNS0. The DNS Guard/fixup has been made configurable and you
have the option of still specifying bounds checking. That is, a new CLI has
been introduced as follows:
fixup protocol dns maximum-length <length>
Depending on your specific needs you can simply disable the DNS Guard feature
using
no fixup protocol dns
or enable it w/out any total payload bounds checking
fixup protocol dns
or enable it w/ total payload length checking
fixup protocol dns maximum-length <length>
The enhancement DDTS of interest is CSCea25589 (EDNS0 Support on PIX).
The DDTS release note currently provides the documentation. The online docs
will be updated to address the new support closer to the next maintenance
release cycle.
Thanks, Dario
At 04:37 PM 5/10/2003 -0600, Tony Rall wrote:
>On Saturday, 2003-05-10 at 08:08 AST, Brian Ford <brford@cisco.com> wrote:
>> This should not be an issue with PIX OS v6.3. This is why we added the
>> capability to disable or modify the DNS Guard feature in PIX OS v6.3.
>>
>> We recently noted more implementations of BIND using DNSSec features (i.e.
>> allowing the DNS extended attribute bit to be set and accepting responses
>> larger than 512 bytes).
>>
>> DNS Guard in the PIX makes sure that for every DNS request that traverses
>> the Firewall only one response is allowed in return. We also check to make
>> sure that the response is less than a (now variable) size. That response
>> used to be limited to 512 bytes.
>>
>> In PIX OS v6.3 you can disable the DNS Guard or modify the size of allowed
>> DNS response (up to the 1500 byte Ethernet packet size).
>
>Sounds great, but I don't see any mention of that in the 6.3 Release
>Notes, nor in any Cmd Ref or Guide. Would you point us to documentation
>of this?
>
>http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/config/fixup.pdf
>seems to be saying that dns fixup is still not configurable.
>
>Tony Rall
>_______________________________________________
>firewall-wizards mailing list
>firewall-wizards@honor.icsalabs.com
>http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
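As an added illustration (not code from the thread, from Cisco or from the PIX), the following Python check parses a constructed DNS reply, reads the UDP payload size advertised in its EDNS0 OPT record, and applies the total-payload bound that the `fixup protocol dns maximum-length` command described above enforces. The sample messages, the function names and the limits passed in are assumptions made for this example; the 512-byte legacy bound and the 1500-byte upper limit are the figures quoted in the thread.

```python
import struct

# Emulates the PIX DNS Guard "maximum-length" bounds check from the thread
# on a constructed DNS response. Sample data is built inline; it is not a
# capture from the original messages.
OPT_TYPE = 41          # EDNS0 OPT pseudo-RR (RFC 2671)
LEGACY_LIMIT = 512     # the fixed DNS Guard bound before PIX 6.3(1)100

def build_response(answers, udp_payload=4096):
    """Constructed reply to 'example.com A'; udp_payload=None omits the OPT RR."""
    arcount = 0 if udp_payload is None else 1
    hdr = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, answers, 0, arcount)
    question = b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
    # name pointer to offset 12, type A, class IN, TTL, rdlength, rdata
    rr = struct.pack("!HHHIH4s", 0xC00C, 1, 1, 300, 4, bytes([192, 0, 2, 1]))
    opt = b"" if arcount == 0 else (
        b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_payload, 0, 0))
    return hdr + question + rr * answers + opt

def _skip_name(msg, off):
    """Advance past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:        # compression pointer ends the name
            return off + 2
        off += 1 + length

def edns_udp_size(msg):
    """UDP payload size advertised by an OPT RR, or None if the reply has none."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4   # skip QTYPE and QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT_TYPE:
            return rclass                # OPT reuses CLASS for the payload size
    return None

def dns_guard_check(msg, maximum_length=LEGACY_LIMIT):
    """(passes, total_length, edns_size); maximum_length=None models
    'fixup protocol dns' with no total-payload bounds checking."""
    size, edns = len(msg), edns_udp_size(msg)
    passes = maximum_length is None or size <= maximum_length
    return passes, size, edns
```

A reply of 30 constructed A records is 520 bytes: it fails the legacy 512-byte check even though the client advertised a larger EDNS0 buffer, and passes once `maximum-length` is raised or bounds checking is disabled.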