ios firewall DNSSEC

ROBERTO TACCON
Level 4

Hi,

As recent increases in DNSSEC deployment are exposing problems with DNS resolvers that cannot receive large responses:

Which configuration options are available for DNS on Cisco IOS Firewall and IOS Zone-Based Firewall?

The maximum reply size between a DNS server and resolver may be limited by a number of factors:

- If a resolver does not support the Extension Mechanisms for DNS (EDNS), replies are limited to 512 bytes.

- The resolver may be behind a firewall that blocks IP fragments.

- Some DNS-aware firewalls block responses larger than 512 bytes.

DNSSEC responses may not fit into one 512-byte UDP packet. When UDP queries fail, clients may revert automatically to TCP. Where both TCP and EDNS0 are not supported, DNS queries on signed domains may fail.

* SOLUTIONS

** JUNIPER

SCREENOS

This setting is enforced by Deep Inspection and can be changed with the following command:

set di service dns udp_message_limit 512 - 4096

The default size is 512.

* CISCO

PIX / ASA / FWSM

http://www.cisco.com/web/about/security/intelligence/dns-bcp.html#5

DNS message size limitations:
DNS amplification and reflection attacks are more effective when leveraging large DNS messages than small DNS message sizes. The message-length parameters submode command for policy-map type inspect dns can be used to ensure that message sizes do not exceed a specified size, thus reducing the efficiency of these attacks.

This feature is available beginning with software release 7.2(1) for Cisco ASA and Cisco PIX Firewalls. This feature is available beginning with software release 3.1 for FWSM Firewalls. This function is enabled by default with a limit of 512 bytes.


For example, in earlier versions of PIX (6.3.2 and below), you had to manually configure the DNS fixup to permit DNS packets with the longer length:

fixup protocol dns maximum-length 4096

In more recent versions, it would be covered by:

policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 4096

or to increase the response size length:

policy-map global_policy
 class inspection_default
  inspect dns maximum-length 4096

Regards

Roberto Taccon
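To make the size mechanics in the post above concrete, here is an added Python example (it is not from the original post and not Cisco or Juniper code). It builds an EDNS0 query that advertises a 4096-byte UDP payload size with the DO bit set, parses the OPT pseudo-RR and the TC flag out of any DNS message, and applies a configurable message-length limit to a constructed oversized TXT response the way a DNS-aware firewall's 512-byte default would. The query name, the 1500-byte TXT filler and the truncated reply are all constructed for the example; the wire format follows RFC 1035 and RFC 6891.

```python
import struct

OPT_TYPE = 41          # EDNS0 OPT pseudo-RR (RFC 6891)
TXT_TYPE = 16
FLAG_TC = 0x0200       # TC (truncated) bit in the DNS header flags
DO_BIT = 0x8000        # DNSSEC OK bit, carried in the OPT record's TTL field
CLASSIC_UDP_LIMIT = 512


def encode_name(name):
    """Encode a dotted name as DNS labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def skip_name(msg, off):
    """Return the offset just past the name at msg[off], honouring compression pointers."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:       # a 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def build_edns_query(name, qtype=TXT_TYPE, udp_payload_size=4096, txid=0x1234):
    """Query with RD set plus one OPT RR advertising udp_payload_size, DO bit on."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)   # QD=1, AR=1 (the OPT RR)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    # OPT RR: empty name, TYPE 41, CLASS carries the requestor's UDP payload size,
    # TTL carries extended RCODE / version / flags (DO is bit 15), RDLENGTH 0.
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_payload_size, DO_BIT, 0)
    return header + question + opt


def build_txt_response(query, payload, udp_payload_size=4096):
    """Constructed answer: echoes the question, one TXT RR holding payload, plus an OPT RR."""
    question = query[12:skip_name(query, 12) + 4]
    chunks = [payload[i:i + 255] for i in range(0, len(payload), 255)]   # TXT strings are <= 255 bytes
    rdata = b"".join(bytes([len(c)]) + c for c in chunks)
    # owner name is a compression pointer to the question name at offset 12
    answer = b"\xC0\x0C" + struct.pack("!HHIH", TXT_TYPE, 1, 300, len(rdata)) + rdata
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_payload_size, 0, 0)
    header = query[:2] + struct.pack("!HHHHH", 0x8180, 1, 1, 0, 1)   # QR, RD, RA; QD=1 AN=1 AR=1
    return header + question + answer + opt


def build_truncated_response(query):
    """What a server sends when the answer will not fit: TC set and only the question echoed."""
    question = query[12:skip_name(query, 12) + 4]
    header = query[:2] + struct.pack("!HHHHH", 0x8180 | FLAG_TC, 1, 0, 0, 0)
    return header + question


def inspect_message(msg):
    """Summarise length, TC bit and EDNS parameters (edns_udp_size is None without an OPT RR)."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4           # name + QTYPE + QCLASS
    udp_size, do = None, False
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == OPT_TYPE:
            udp_size, do = rclass, bool(ttl & DO_BIT)
        off += 10 + rdlen
    return {"length": len(msg), "tc": bool(flags & FLAG_TC), "edns_udp_size": udp_size, "do": do}


def firewall_verdict(msg, max_length=CLASSIC_UDP_LIMIT):
    """Model a DNS-aware firewall's message-length check: 'pass' or 'drop'."""
    return "pass" if len(msg) <= max_length else "drop"


def resolver_next_step(msg):
    """What a resolver does with the reply it received."""
    return "retry over TCP" if inspect_message(msg)["tc"] else "use answer"


if __name__ == "__main__":
    q = build_edns_query("rs.dns-oarc.net")
    big = build_txt_response(q, b"x" * 1500)      # constructed 1500-byte TXT payload
    print(inspect_message(q))
    print(len(big), firewall_verdict(big, 512), firewall_verdict(big, 4096))
    print(resolver_next_step(build_truncated_response(q)))
```

Running the block shows the point of the thread: the 1562-byte constructed reply is dropped under a 512-byte limit and passes under 4096, while a reply with TC set tells the resolver to retry over TCP, which is exactly the fallback that fails when a firewall blocks both EDNS-sized UDP and TCP/53.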

6 Replies

Panos Kampanakis
Cisco Employee

IOS (CBAC or ZBF) DNS inspection will not drop DNSSEC packets.

So, it will not break DNSSEC.

PK

ROBERTO TACCON
Level 4

Hi,

As it's not supported, can you confirm whether, with IOS firewall and IOS ZBF, DNS packets are limited by "message-length maximum 512" bytes?

Thanks

Roberto Taccon

andyirving
Level 1

I have the following default config on my ASA version 8.2(2).

policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map netflow-policy
 class netflow-export-class
  flow-export event-type all destination ITL01-FMSDEMO
policy-map global_policy
 description Netflow
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp

As can be seen, the maximum length is 512 bytes; however, if I dig an EDNS server, I confirm I get much more than 512 bytes!

From my PC running dig:

c:\dig> dig @158.43.128.1 +short rs.dns-oarc.net txt
rst.x3827.rs.dns-oarc.net.
rst.x3837.x3827.rs.dns-oarc.net.
rst.x3843.x3837.x3827.rs.dns-oarc.net.
"62.189.58.236 DNS reply size limit is at least 3843"
"62.189.58.236 sent EDNS buffer size 4096"
"Tested at 2010-04-21 13:44:22 UTC"

So on current ASAs you do not need to change the configuration at all; the policy-map is just for DNS, not the EDNS that DNSSEC uses.

Hi,

Can you paste the output of "show service-policy inspect dns"?

http://www.cisco.com/web/about/security/intelligence/dns-bcp.html#5

DNS message size limitations:
DNS amplification and reflection attacks are more effective when leveraging large DNS messages than small DNS message sizes. The message-length parameters submode command for policy-map type inspect dns can be used to ensure that message sizes do not exceed a specified size, thus reducing the efficiency of these attacks.

This feature is available beginning with software release 7.2(1) for Cisco ASA and Cisco PIX Firewalls. This feature is available beginning with software release 3.1 for FWSM Firewalls. This function is enabled by default with a limit of 512 bytes.

- Is there someone @Cisco who can tell us whether the ASA is aware of EDNS (and from which version)?

- Is there someone @Cisco who can tell us whether the IOS FIREWALL and IOS ZONE BASED FIREWALL are aware of EDNS (and from which version)?

Thanks to all.

Roberto Taccon

show service-policy inspect dns

Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: dns preset_dns_map, packet 1706599, drop 3746, reset-drop 0
        message-length maximum 512, drop 0
        dns-guard, count 560373
        protocol-enforcement, drop 0
        nat-rewrite, count 0
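As an added example that is not part of any post in this thread, the following Python audits the two artefacts posted above: it pulls the message-length maximum out of a "policy-map type inspect dns" running-config fragment and the packet and drop counters out of "show service-policy inspect dns", then reports whether the configured limit is below the 4096-byte EDNS buffer size the dig test saw advertised, and whether the message-length drop counter shows the limit actually discarding anything. The sample text is copied from the posts above; the assess() helper, its 4096-byte threshold and the wording of the findings are the example's own assumptions, not Cisco output.

```python
import re

# Sample inputs copied from the posts in this thread: an ASA 8.2(2) running-config
# fragment (trailing inspect lines trimmed) and a "show service-policy inspect dns" output.
SAMPLE_CONFIG = """\
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map netflow-policy
 class netflow-export-class
  flow-export event-type all destination ITL01-FMSDEMO
policy-map global_policy
 description Netflow
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
"""

SAMPLE_SHOW = """\
Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: dns preset_dns_map, packet 1706599, drop 3746, reset-drop 0
        message-length maximum 512, drop 0
        dns-guard, count 560373
        protocol-enforcement, drop 0
        nat-rewrite, count 0
"""

EDNS_BUFFER_SIZE = 4096   # assumed target: the EDNS buffer size the thread's dig test saw advertised


def dns_inspect_limits(config):
    """Map each 'policy-map type inspect dns' name to its message-length maximum (None if unset)."""
    limits, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"policy-map type inspect dns (\S+)$", line)
        if m:
            current = m.group(1)
            limits[current] = None
            continue
        if line.startswith("policy-map "):      # a different policy-map type: stop attributing lines
            current = None
            continue
        m = re.match(r"message-length maximum (\d+)$", line)
        if m and current is not None:
            limits[current] = int(m.group(1))
    return limits


def dns_inspect_counters(show_output):
    """Pull the per-policy and message-length counters out of 'show service-policy inspect dns'."""
    counters = {}
    m = re.search(r"Inspect: dns (\S+), packet (\d+), drop (\d+), reset-drop (\d+)", show_output)
    if m:
        counters.update(policy_map=m.group(1), packets=int(m.group(2)),
                        drops=int(m.group(3)), reset_drops=int(m.group(4)))
    m = re.search(r"message-length maximum (\d+), drop (\d+)", show_output)
    if m:
        counters.update(message_length_maximum=int(m.group(1)),
                        message_length_drops=int(m.group(2)))
    return counters


def assess(limits, counters, edns_size=EDNS_BUFFER_SIZE):
    """Findings to raise: limits below the EDNS buffer size, and what the drop counter says."""
    findings = []
    for name, maximum in limits.items():
        if maximum is not None and maximum < edns_size:
            findings.append(f"{name}: message-length maximum {maximum} is below the "
                            f"{edns_size}-byte EDNS buffer size")
    if "message_length_drops" in counters:
        n = counters["message_length_drops"]
        state = "is discarding replies" if n else "has not discarded any replies"
        findings.append(f"{counters.get('policy_map', '?')}: message-length check {state} "
                        f"(drop {n} of {counters.get('packets', '?')} packets)")
    return findings


if __name__ == "__main__":
    for finding in assess(dns_inspect_limits(SAMPLE_CONFIG), dns_inspect_counters(SAMPLE_SHOW)):
        print(finding)
```

On the posted data the audit reports the 512-byte limit as below the EDNS buffer size and the message-length drop counter as zero, which is the evidence to compare against a dig size test before deciding whether the limit needs raising on a given box.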

Hi to All,

- Is there someone @Cisco who can tell us whether the ASA is aware of EDNS (and from which version)?

- Is there someone @Cisco who can tell us whether the IOS FIREWALL and IOS ZONE BASED FIREWALL are aware of EDNS (and from which version)?

- or open a TAC case and ask ...

Regards

Roberto Taccon
