DNS Loophole fix for PIX 515e

Unanswered Question
Jul 29th, 2008

With the current problem with DNS - allowing redirection to phishing sites - I was wondering if the upgrade to V7 would also have a patch for this?

Cisco PIX Firewall Version 6.3(5)

Cisco PIX Device Manager Version 3.0(1)

Hardware: PIX-515E, 32 MB RAM, CPU Pentium II 433 MHz

Any ideas? Many thanks.

w-schultz Tue, 07/29/2008 - 07:02

Depends on what you are thinking a 'fix' is.

Version 7 has the ID-randomization feature, which you can do on your DNS server anyway. If you have a 1-to-1 static with your DNS server, you can utilize random source ports from your DNS server with no firewall intervention. If you have a recursive DNS server going through a PAT address, then there is the problem of source port randomization becoming serialized, which version 7 does not seem to help and for which there does not seem to be a workaround.

I've got a similar question posed as well:

http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Security&topic=Firewalling&topicID=.ee6e1fa&fromOutline=&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cc16a09
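The distinction drawn in the answer above (a resolver's randomized source ports surviving a 1-to-1 static translation, but being re-assigned sequentially behind PAT) can be checked from the firewall's own view of outbound UDP/53 traffic. The following is an added example, not code from this thread or from Cisco: it parses a constructed, simplified log format (one line per query, `<time> <src_ip>:<src_port> -> <dst_ip>:53`; not real PIX syslog syntax) and reports whether the translated source ports look serialized. Both sample logs are constructed inline for the demonstration.

```python
import random

# Constructed sample logs (not real PIX output). The first imitates a PAT that
# hands out consecutive ports; the second imitates ports passing through untouched.
SERIALIZED_LOG = "\n".join(
    f"10:00:{i:02d} 203.0.113.5:{1024 + i} -> 198.51.100.10:53" for i in range(40)
)
_rng = random.Random(1)
RANDOM_LOG = "\n".join(
    f"10:00:{i:02d} 203.0.113.5:{_rng.randint(1024, 65535)} -> 198.51.100.10:53"
    for i in range(40)
)


def parse_source_ports(log_text):
    """Return the translated source ports in order of appearance."""
    ports = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        src = line.split()[1]            # e.g. "203.0.113.5:1024"
        ports.append(int(src.rsplit(":", 1)[1]))
    return ports


def sequential_fraction(ports):
    """Fraction of consecutive queries whose source port rose by exactly one.
    Near 1.0 means the translation device is allocating ports serially."""
    if len(ports) < 2:
        return 0.0
    steps = sum(1 for a, b in zip(ports, ports[1:]) if b - a == 1)
    return steps / (len(ports) - 1)


def assess(log_text, seq_threshold=0.5):
    """Summarise the port behaviour seen in the log and flag serialization.
    A spread of only a few hundred ports over many queries is also a warning sign,
    so the range is reported alongside the sequential fraction."""
    ports = parse_source_ports(log_text)
    frac = sequential_fraction(ports)
    return {
        "queries": len(ports),
        "unique_ports": len(set(ports)),
        "port_range": (max(ports) - min(ports)) if ports else 0,
        "sequential_fraction": round(frac, 3),
        "serialized": frac >= seq_threshold,
    }


if __name__ == "__main__":
    for name, log in (("PAT (serialized)", SERIALIZED_LOG), ("static 1-to-1", RANDOM_LOG)):
        print(name, assess(log))
```

Run against a capture of the firewall's outside-interface traffic to port 53 rather than the resolver's own logs: the resolver may well be randomizing correctly while the translation on the outside is what an observer on the Internet actually sees. A high `sequential_fraction` or a tiny `port_range` is the condition the answer describes, where the PAT undoes the resolver's randomization.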
