Firewall Wizards mailing list archives

Re: Win 2003 and PiX


From: Carson Gaspar <carson () taltos org>
Date: Fri, 09 May 2003 20:03:15 -0400

Yes. The Cisco PIX has ... "interesting" ... support for DNS (and any number of other protocols). One must do at least one of the following:

- Use a different firewall (the option I recommend, if politics and budgets allow)
- Convince Cisco to fix it, and run the code that does so (good luck, since it's a "feature request")
- Turn off DNS fixups on the PIX (make sure you're not using their DNS response rewriting features)
- Turn off large DNS replies support on your DNS servers (and make sure you allow DNS over TCP, as many queries will have to be re-sent)

--On Friday, May 09, 2003 12:47 PM -0400 "Iannaccone, Al" <Al.Iannaccone () occ treas gov> wrote:

Hello;

This is something I found on Bugtraq... has anyone else seen this? Thanks.
This is another sysadmin discussing...

----====SNIP====----

After much investigation as to why it "suddenly" stopped working, we
determined that Win 2003 requests everything but the kitchen cupboard in
its DNS requests, apparently using RFC 2671 to specify the ability to
accept >512 byte UDP replies.

We are running the latest version (6.3.1) on our Cisco PIX and it
appears that there is a hard limit of 512 bytes on ANY UDP packets
arriving on port 53.  Everything exceeding that is dropped.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
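An added example, not code from either post in this thread: a small Python probe that sends the same question twice, once as a classic RFC 1035 query and once with an RFC 2671 OPT record advertising a 4096-byte UDP payload, then reads the outcome the way the Bugtraq poster's symptom shows up (the classic query is answered, possibly truncated, while the EDNS0 query is silently lost). The server address, the name queried, the 4096-byte advertisement and the choice of an ANY query are assumptions for illustration only; the TCP fallback is included because the reply above points out that DNS over TCP has to be allowed once large UDP replies are turned off.

```python
import random
import socket
import struct

# Added example, not from the thread. SERVER and NAME are placeholders taken
# from the command line; nothing here is taken from the original posts.

OPT_TYPE = 41            # EDNS0 OPT pseudo-RR (RFC 2671)
CLASSIC_UDP_LIMIT = 512  # RFC 1035 maximum UDP message size without EDNS0


def _encode_name(name):
    """Wire-format a dotted name as length-prefixed labels ending in a zero byte."""
    labels = [label for label in name.rstrip(".").split(".") if label]
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def build_query(name, qtype=1, edns_udp_size=None, qid=None):
    """Return a DNS query; with edns_udp_size set, append an OPT RR advertising that payload size."""
    if qid is None:
        qid = random.randint(0, 0xFFFF)
    arcount = 1 if edns_udp_size else 0
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, arcount)  # flags: RD set
    question = _encode_name(name) + struct.pack("!HH", qtype, 1)   # class IN
    opt = b""
    if edns_udp_size:
        # OPT RR: root name, TYPE 41, CLASS field carries the UDP payload size,
        # TTL field carries extended RCODE/version/flags (all zero), empty RDATA.
        opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, edns_udp_size, 0, 0)
    return header + question + opt


def _skip_name(pkt, off):
    """Advance past a (possibly compressed) name and return the new offset."""
    while True:
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def advertised_udp_size(pkt):
    """Return the UDP payload size from the OPT RR in a message, or None if there is no EDNS0."""
    qd, an, ns, ar = struct.unpack("!HHHH", pkt[4:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(pkt, off) + 4  # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(pkt, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        if rtype == OPT_TYPE:
            return rclass
        off += 10 + rdlen
    return None


def udp_probe(server, name, qtype=1, edns_udp_size=None, timeout=3.0):
    """Send one query over UDP/53; return reply details, or None if nothing came back."""
    query = build_query(name, qtype, edns_udp_size)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(query, (server, 53))
        reply, _ = sock.recvfrom(65535)
    except socket.timeout:
        return None
    finally:
        sock.close()
    flags = struct.unpack("!H", reply[2:4])[0]
    return {"bytes": len(reply), "truncated": bool(flags & 0x0200),
            "edns_size": advertised_udp_size(reply)}


def _recv_exact(sock, n):
    data = b""
    while len(data) < n:
        chunk = sock.recv(n - len(data))
        if not chunk:
            raise ConnectionError("server closed the connection early")
        data += chunk
    return data


def tcp_query(server, name, qtype=1, timeout=3.0):
    """RFC 1035 fallback: the same query over TCP/53 with the two-byte length prefix."""
    query = build_query(name, qtype)
    with socket.create_connection((server, 53), timeout=timeout) as sock:
        sock.sendall(struct.pack("!H", len(query)) + query)
        expected = struct.unpack("!H", _recv_exact(sock, 2))[0]
        return _recv_exact(sock, expected)


def diagnose(plain, edns):
    """Read the two probes against the symptom described in the thread."""
    if plain is None and edns is None:
        return "no reply to either query: server unreachable or UDP/53 blocked"
    if plain is not None and edns is None:
        return ("EDNS0 query got no reply: something on the path drops DNS/UDP "
                "packets over %d bytes" % CLASSIC_UDP_LIMIT)
    if edns is not None and edns["bytes"] > CLASSIC_UDP_LIMIT:
        return "large UDP replies pass"
    if plain is not None and plain["truncated"]:
        return "reply truncated at 512 bytes; resolver must retry over TCP"
    return "reply fits in 512 bytes either way; pick a name with a larger answer"


if __name__ == "__main__":
    import sys
    server, name = sys.argv[1], sys.argv[2]     # placeholders: a server and a name with a >512-byte answer
    plain = udp_probe(server, name, qtype=255)  # ANY, classic 512-byte query
    edns = udp_probe(server, name, qtype=255, edns_udp_size=4096)
    print("classic:", plain)
    print("EDNS0:  ", edns)
    print(diagnose(plain, edns))
    if plain is not None and plain["truncated"] and edns is None:
        print("TCP fallback reply bytes:", len(tcp_query(server, name, qtype=255)))
```

Run it as `python probe.py <server> <name>` from each side of the firewall against a name whose answer is larger than 512 bytes; the pair of results distinguishes "server is down" from "the path eats big UDP/53 packets", and a successful TCP fallback confirms the TCP/53 rule the reply above insists on.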