04-15-2010 09:01 AM - edited 03-11-2019 10:33 AM
Hi,
As recent increases in DNSSEC deployment are exposing problems with DNS resolvers that cannot receive large responses:
Which configuration options are available for DNS on Cisco IOS Firewall and IOS Zone-Based Firewall?
The maximum reply size between a DNS server and resolver may be limited by a number of factors:
- If a resolver does not support the Extension Mechanisms for DNS (EDNS), replies are limited to 512 bytes.
- The resolver may be behind a firewall that blocks IP fragments.
- Some DNS-aware firewalls block responses larger than 512 bytes.
DNSSEC responses may not fit into one 512-byte UDP packet. When UDP queries fail, clients may revert automatically to TCP. Where both TCP and EDNS0 are not supported, DNS queries on signed domains may fail.
* SOLUTIONS
** JUNIPER
SCREENOS
This setting is enforced by Deep Inspection and can be changed with the following command:
set di service dns udp_message_limit 512 - 4096
The default size is 512.
* CISCO
PIX / ASA / FWSM
http://www.cisco.com/web/about/security/intelligence/dns-bcp.html#5
DNS message size limitations:
DNS amplification and reflection attacks are more effective when leveraging large DNS messages than small DNS message sizes. The message-length parameters submode command for policy-map type inspect dns can be used to ensure that message sizes do not exceed a specified size, thus reducing the efficiency of these attacks.
This feature is available beginning with software release 7.2(1) for Cisco ASA and Cisco PIX Firewalls. This feature is available beginning with software release 3.1 for FWSM Firewalls. This function is enabled by default with a limit of 512 bytes.
For example, in earlier versions of PIX (6.3.2 and below), you had to manually configure the DNS fixup to permit DNS packets with the longer length:
fixup protocol dns maximum-length 4096
In more recent versions, it would be covered by:
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 4096
or to increase the response size length:
policy-map global_policy
class inspection_default
inspect dns maximum-length 4096
Regards
Roberto Taccon
04-16-2010 03:27 PM
IOS (CBAC or ZBF) dns inspection will not drop DNSSec packets.
So, it will not break DNSSec.
PK
04-18-2010 05:25 AM
Hi,
As it's not supported, can you confirm whether with IOS firewall and IOS ZBF the DNS packets are limited by "message-length maximum 512" bytes?
Thanks
Roberto Taccon
04-21-2010 06:48 AM
I have the following default config on my ASA version 8.2(2).
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map netflow-policy
class netflow-export-class
flow-export event-type all destination ITL01-FMSDEMO
policy-map global_policy
description Netflow
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
As can be seen, the maximum length is 512 bytes; however, if I dig an EDNS server I confirm I get much more than 512 bytes!
From my PC running dig:
c:\dig> dig @158.43.128.1 +short rs.dns-oarc.net txt
rst.x3827.rs.dns-oarc.net.
rst.x3837.x3827.rs.dns-oarc.net.
rst.x3843.x3837.x3827.rs.dns-oarc.net.
"62.189.58.236 DNS reply size limit is at least 3843"
"62.189.58.236 sent EDNS buffer size 4096"
"Tested at 2010-04-21 13:44:22 UTC"
So on current ASAs you do not need to change the configuration at all; the policy-map is just for DNS, not the EDNS that DNSSEC uses.
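Added example (not code from any post in this thread, nor from Cisco or DNS-OARC): it builds an EDNS0 query like the dig test above, constructs sample replies of different sizes, reads back the advertised UDP buffer size from the OPT record, and shows what a "message-length maximum" limit of 512 versus 4096 does with each reply, as discussed in the first post. The reply contents are constructed for illustration and are not real traffic.

```python
import struct
CLASSIC_UDP_MAX, OPT_TYPE = 512, 41   # RFC 1035 UDP ceiling; EDNS0 OPT pseudo-RR type (RFC 6891)
DO_BIT, TC_BIT = 0x8000, 0x0200       # DNSSEC OK flag (OPT TTL field); truncation flag (header)

def _skip_name(msg, off):   # advance past a (possibly compressed) name; return next offset
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # compression pointer is 2 bytes and ends the name
            return off + 2
        off += length + 1

def build_query(name, qtype=16, udp_payload=4096, dnssec_ok=True, txid=0x1234):
    """Query carrying an OPT RR that advertises udp_payload bytes, as dig +dnssec would send."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)   # RD=1, 1 question, 1 additional
    labels = b"".join(bytes([len(lab)]) + lab.encode() for lab in name.rstrip(".").split("."))
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_payload, DO_BIT if dnssec_ok else 0, 0)
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1) + opt

def build_reply(query, txts, udp_payload=4096, truncated=False):
    """Constructed reply (not real traffic): echoes the question, adds TXT strings and an OPT RR."""
    qend = _skip_name(query, 12) + 4
    header = query[:2] + struct.pack("!HHHHH", 0x8180 | (TC_BIT if truncated else 0), 1, 1, 0, 1)
    rdata = b"".join(bytes([len(s)]) + s.encode() for s in txts)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 16, 1, 60, len(rdata)) + rdata   # name -> offset 12
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_payload, 0, 0)
    return header + query[12:qend] + answer + opt

def parse_edns(msg):
    """Return (advertised UDP payload, DO bit) from the OPT RR, or None if the message has no EDNS0."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == OPT_TYPE:
            return rclass, bool(ttl & DO_BIT)   # OPT reuses CLASS for the payload size
        off += 10 + rdlen
    return None

def firewall_verdict(msg, message_length_max=CLASSIC_UDP_MAX):
    """What a DNS-inspecting firewall with 'message-length maximum N' does with this message."""
    if len(msg) > message_length_max:
        return "drop: %d bytes > message-length maximum %d" % (len(msg), message_length_max)
    if struct.unpack("!H", msg[2:4])[0] & TC_BIT:
        return "pass, TC set: resolver must retry over TCP"
    return "pass"
```

A reply that fits in 512 bytes passes either way; a 659-byte reply is dropped under the default limit and passes under 4096, which is the difference the thread's configuration snippets make.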
04-21-2010 07:07 AM
Hi,
can you paste the output of "show service-policy inspect dns"?
http://www.cisco.com/web/about/security/intelligence/dns-bcp.html#5
DNS message size limitations:
DNS amplification and reflection attacks are more effective when leveraging large DNS messages than small DNS message sizes. The message-length parameters submode command for policy-map type inspect dns can be used to ensure that message sizes do not exceed a specified size, thus reducing the efficiency of these attacks.
This feature is available beginning with software release 7.2(1) for Cisco ASA and Cisco PIX Firewalls. This feature is available beginning with software release 3.1 for FWSM Firewalls. This function is enabled by default with a limit of 512 bytes.
- Is there someone @Cisco who can tell us whether the ASA is aware of EDNS (and from which version)?
- Is there someone @Cisco who can tell us whether the IOS FIREWALL and IOS ZONE BASED FIREWALL are aware of EDNS (and from which version)?
Thanks to all.
Roberto Taccon
04-21-2010 07:34 AM
show service-policy inspect dns
Global policy:
Service-policy: global_policy
Class-map: inspection_default
Inspect: dns preset_dns_map, packet 1706599, drop 3746, reset-drop 0
message-length maximum 512, drop 0
dns-guard, count 560373
protocol-enforcement, drop 0
nat-rewrite, count 0
04-21-2010 07:56 AM
Hi to All,
- Is there someone @Cisco who can tell us whether the ASA is aware of EDNS (and from which version)?
- Is there someone @Cisco who can tell us whether the IOS FIREWALL and IOS ZONE BASED FIREWALL are aware of EDNS (and from which version)?
- or open a TAC case and ask ...
Regards
Roberto Taccon