DNS Loophole fix for PIX 515e

Unanswered Question
Jul 29th, 2008

With the current problem with DNS (allowing redirection to phishing sites), I was wondering if the upgrade to V7 would also have a patch for this?

Cisco PIX Firewall Version 6.3(5)

Cisco PIX Device Manager Version 3.0(1)

Hardware: PIX-515E, 32 MB RAM, CPU Pentium II 433 MHz

Any ideas? Many thanks.

w-schultz Tue, 07/29/2008 - 07:02

Depends on what you are thinking a 'fix' is.

Version 7 has the ID-randomization feature, which you can do on your DNS server anyway. If you have a 1-to-1 static with your DNS server, you can utilize random source ports from your DNS server with no firewall intervention. If you have a recursive DNS server going through a PAT address, then there is the problem of source port randomization becoming serialized, which version 7 does not seem to help and for which there does not seem to be a workaround.

I've got a similar question posed as well:


