Firewall Wizards mailing list archives
Re: Win 2003 and PiX
From: Carson Gaspar <carson () taltos org>
Date: Fri, 09 May 2003 20:03:15 -0400
Yes. The Cisco PIX has ... "interesting" ... support for DNS (and any number of other protocols). One must do at least one of the following:
- Use a different firewall (the option I recommend, if politics and budgets allow)
- Convince Cisco to fix it, and run the code that does so (good luck, since it's a "feature request")
- Turn off DNS fixups on the PIX (make sure you're not using their DNS response rewriting features)
- Turn off large DNS replies support on your DNS servers (and make sure you allow DNS over TCP, as many queries will have to be re-sent)
--On Friday, May 09, 2003 12:47 PM -0400 "Iannaccone, Al" <Al.Iannaccone () occ treas gov> wrote:
> Hello; This is something I found on Bugtraq... has anyone else seen this? Thanks.
>
> This is another sysadmin discussing...
>
> ----====SNIP====----
>
> After much investigation as to why it "suddenly" stopped working, we determined that Win 2003 requests everything but the kitchen cupboard in its DNS requests, apparently using RFC 2671 to specify the ability to accept >512 byte UDP replies.
>
> We are running the latest version (6.3.1) on our Cisco PIX and it appears that there is a hard limit of 512 bytes on ANY UDP packets arriving on port 53. Everything exceeding that is dropped.
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
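The mechanism the two posts describe, as an added illustration that is not part of the thread and not Cisco's or Microsoft's code: a resolver that includes an EDNS0 OPT pseudo-record (RFC 2671) advertises a UDP payload size above 512 bytes, the server then sends a large answer whole over UDP instead of setting the TC bit, and a device that drops every UDP/53 datagram over 512 bytes silently black-holes it, so the client never gets the truncation signal that would trigger the TCP retry. The code builds and parses real DNS wire format, but the firewall is a simple model of the behaviour the poster reports (a fixed length limit on UDP port 53), and `server_udp_cap` stands in for the "turn off large DNS replies" option on the server; both are assumptions for the example.

```python
import struct
from typing import Optional

DNS_TYPE_OPT = 41            # EDNS0 OPT pseudo-RR type (RFC 2671)
CLASSIC_UDP_LIMIT = 512      # pre-EDNS0 maximum UDP DNS message size (RFC 1035)


def encode_name(name: str) -> bytes:
    """Encode a domain name as DNS labels, e.g. 'example.com' -> b'\\x07example\\x03com\\x00'."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += struct.pack("!B", len(raw)) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = 1, edns_udp_size: Optional[int] = None,
                txid: int = 0x1234) -> bytes:
    """Build a DNS query; with edns_udp_size set, append an OPT RR advertising that UDP payload size."""
    arcount = 1 if edns_udp_size is not None else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)   # flags: RD=1
    question = encode_name(name) + struct.pack("!HH", qtype, 1)        # QCLASS IN
    msg = header + question
    if edns_udp_size is not None:
        # OPT pseudo-RR: root name (0x00), TYPE 41, CLASS = sender's UDP payload size,
        # TTL field = extended RCODE/version/flags (all zero here), RDLENGTH 0.
        msg += b"\x00" + struct.pack("!HHIH", DNS_TYPE_OPT, edns_udp_size, 0, 0)
    return msg


def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past the name starting at off (handles a compression pointer)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:        # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def advertised_udp_size(msg: bytes) -> int:
    """UDP payload size a query advertises via OPT; 512 when no OPT record is present."""
    _txid, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4   # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == DNS_TYPE_OPT:
            return rclass                # for OPT, CLASS carries the UDP payload size
    return CLASSIC_UDP_LIMIT


def fixup_drops(packet_len: int, limit: int = CLASSIC_UDP_LIMIT) -> bool:
    """Model (assumed, from the poster's report) of a UDP/53 length limit: longer datagrams are dropped."""
    return packet_len > limit


def response_path(query: bytes, reply_len: int, firewall_limit: int = CLASSIC_UDP_LIMIT,
                  server_udp_cap: Optional[int] = None) -> str:
    """Where a reply_len-byte answer ends up: 'udp', 'tcp-fallback', or 'dropped' (client sees only a timeout)."""
    client_max = advertised_udp_size(query)
    udp_max = client_max if server_udp_cap is None else min(client_max, server_udp_cap)
    if reply_len <= udp_max:
        # Server sends the whole answer over UDP; the in-path device decides its fate.
        return "dropped" if fixup_drops(reply_len, firewall_limit) else "udp"
    # Answer does not fit: server truncates (TC=1) and the client retries over TCP,
    # which is why allowing DNS over TCP through the firewall matters.
    return "tcp-fallback"


if __name__ == "__main__":
    edns = build_query("example.com", edns_udp_size=4096)   # constructed, EDNS0-capable client
    plain = build_query("example.com")                      # constructed, classic 512-byte client
    print("EDNS0 client, 800-byte answer, 512-byte UDP/53 limit:", response_path(edns, 800))
    print("classic client, same answer:", response_path(plain, 800))
    print("EDNS0 client, server capped at 512:", response_path(edns, 800, server_udp_cap=512))
    print("EDNS0 client, limit lifted:", response_path(edns, 800, firewall_limit=4096))
```

The three outcomes map onto the options in the reply: lifting the limit (`firewall_limit`) corresponds to a fixed or different firewall, capping the server (`server_udp_cap`) corresponds to turning off large replies, and in both the fallback cases the resolution only succeeds if TCP/53 is permitted.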