Firewall Wizards mailing list archives

Re: Win 2003 and PIXen


From: Tony Rall <trall () almaden ibm com>
Date: Sat, 10 May 2003 16:37:12 -0600

On Saturday, 2003-05-10 at 08:08 AST, Brian Ford <brford () cisco com> wrote:
This should not be an issue with PIX OS v6.3.  This is why we added the capability to disable or modify the DNS Guard feature in PIX OS v6.3.

We recently noted more implementations of BIND using DNSSEC features (i.e. allowing the DNS extended attribute bit to be set and accepting responses larger than 512 bytes).

DNS Guard in the PIX makes sure that for every DNS request that traverses the Firewall only one response is allowed in return.  We also check to make sure that the response is less than a (now variable) size.  That response used to be limited to 512 bytes.

In PIX OS v6.3 you can disable the DNS Guard or modify the size of allowed DNS response (up to the 1500 byte Ethernet packet size).

Sounds great, but I don't see any mention of that in the 6.3 Release 
Notes, nor in any Cmd Ref or Guide.  Would you point us to documentation 
of this?

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/config/fixup.pdf 
seems to be saying that dns fixup is still not configurable.

Tony Rall
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
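The two DNS Guard checks Brian describes (one response per request, and a response-size cap that defaults to 512 bytes and can be raised toward the 1500-byte Ethernet limit or switched off) can be modelled in a few dozen lines. The code below is an added illustration written for this archive page; it is neither PIX OS code nor anything posted to the list. The `DnsGuard` class, its `max_length`/`enabled` parameters, the pending-request table keyed on (client, server, transaction id), and the constructed packets for example.com are all assumptions made to show the behaviour, including why an EDNS0 response that carries an OPT record and grows past 512 bytes is dropped by the default setting and passes once the limit is raised.

```python
"""Model of a stateful DNS Guard: one response per outstanding request,
and a cap on response size.  Hypothetical code written to illustrate the
behaviour described on the list; it is not PIX OS source."""
import struct


def encode_name(name):
    """Wire-format DNS name: length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(txid, qname, qtype=1):
    """Minimal DNS query: header with RD set, one question (class IN)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)


def build_response(txid, qname, addrs, edns=False):
    """DNS response with one A record per address.  With edns=True an OPT RR
    (type 41, advertised UDP payload size 4096) is appended to the additional
    section, which is what a DNSSEC-capable BIND sends back to a client that
    set the EDNS0 bit in its query."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addrs), 0, 1 if edns else 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)
    answers = b""
    for a in addrs:
        rdata = bytes(int(octet) for octet in a.split("."))
        # 0xC00C is a compression pointer back to the question name (offset 12)
        answers += struct.pack("!HHHIH", 0xC00C, 1, 1, 300, 4) + rdata
    extra = b"\x00" + struct.pack("!HHIH", 41, 4096, 0, 0) if edns else b""
    return header + question + answers + extra


class DnsGuard:
    """Stateful guard.  A request opens a slot keyed on (client, server, txid);
    the first matching response closes it, later ones are dropped.  Responses
    longer than max_length are dropped without closing the slot (assumption)."""
    ETHERNET_MAX = 1500  # upper bound mentioned in the thread

    def __init__(self, max_length=512, enabled=True):
        if not 1 <= max_length <= self.ETHERNET_MAX:
            raise ValueError("max_length must be between 1 and 1500 bytes")
        self.max_length = max_length
        self.enabled = enabled
        self.pending = set()

    def outbound_query(self, client, server, payload):
        """Called for a client->server UDP/53 packet; records the transaction."""
        txid = struct.unpack("!H", payload[:2])[0]
        self.pending.add((client, server, txid))

    def inbound_response(self, client, server, payload):
        """Called for a server->client packet; returns (allowed, reason)."""
        if not self.enabled:
            return True, "DNS Guard disabled"
        if len(payload) < 12:
            return False, "truncated DNS header"
        txid, flags = struct.unpack("!HH", payload[:4])
        if not flags & 0x8000:          # QR bit clear: this is not a response
            return False, "not a DNS response"
        key = (client, server, txid)
        if key not in self.pending:
            return False, "no outstanding request (unsolicited or already answered)"
        if len(payload) > self.max_length:
            return False, "response is %d bytes, limit is %d" % (len(payload), self.max_length)
        self.pending.discard(key)       # exactly one response per request
        return True, "allowed"


if __name__ == "__main__":
    # Constructed sample traffic, not a capture.
    client, server = ("10.0.0.5", 40000), ("192.0.2.53", 53)
    guard = DnsGuard()
    guard.outbound_query(client, server, build_query(0x1234, "example.com"))
    small = build_response(0x1234, "example.com", ["192.0.2.10"])
    print(len(small), guard.inbound_response(client, server, small))
    print(len(small), guard.inbound_response(client, server, small))  # duplicate
    guard.outbound_query(client, server, build_query(0x5678, "example.com"))
    big = build_response(0x5678, "example.com", ["192.0.2.10"] * 35, edns=True)
    print(len(big), guard.inbound_response(client, server, big))       # over 512
    guard = DnsGuard(max_length=1500)
    guard.outbound_query(client, server, build_query(0x5678, "example.com"))
    print(len(big), guard.inbound_response(client, server, big))       # now passes
```

Run as a script it prints the guard's decision for a normal 45-byte answer, its duplicate, and a 600-byte EDNS0 answer under the default and the raised limit. The size check is on the DNS payload only; a real firewall would also count IP and UDP headers against the 1500-byte frame, which is one reason the configurable limit in the thread tops out at the Ethernet MTU.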

