PIX configuration: fixup protocol dns - Max size/Risks?

Unanswered Question
Oct 28th, 2004

Some months ago I had users complaining they couldn't access www.yahoo.com and other Yahoo! related sites. After some investigation I found syslog error messages from our PIX525 running 6.3(3) indicating DNS lookups were being denied because the return packets exceeded 512 bytes. The denied messages indicated the packets were 528 bytes. I reconfigured the PIX to "fixup protocol dns maximum-length 528" and everything started working.

Well, yesterday they started having the issue again. I found no syslog error messages this time. I did see messages between our DNS server and the Yahoo! name servers, but the packet size was only 50 bytes. Through testing I found if I increased the dns maximum-length to 580 it starts to work.

What are the security risks associated with increasing the dns maximum-length? Is there a maximum value I need to remain under? In reading RFC 2671, it states "Choosing 1280 on an Ethernet connected requestor would be reasonable". To avoid issues in the future, should I just use the RFC mentioned value and set the dns maximum-length to 1280? Thanks!

jsivulka Thu, 11/04/2004 - 07:22

The fixup protocol dns command specifies the maximum DNS packet length. I can't imagine how increasing the length from 528 to 1280 will suddenly start allowing 50 byte packets. If I were you, I would start looking deeper. Also, does the 50 byte packet size not look unusually small?

Patrick Iseli Thu, 11/04/2004 - 18:54

This post does not refer to your question but maybe to your problem.

An external DNS query may cause an error message in Windows Server. See: http://support.microsoft.com/?id=828731

Windows 2003 supports so-called EDNS-0. This extension to DNS allows requests larger than 484 bytes (512 byte packet) to be transported in UDP DNS packets.

The PIX firewall does not allow this type of traffic by default, as it is classified an anomaly.

There are two solutions to this problem:

(1) On the Windows 2003 machine which is sending out the DNS packets, you can run dnscmd /Config /EnableEDnsProbes 0. This will make sure that this machine uses TCP for its 484+ byte DNS queries. (You will need the Windows support tools for this - suptools.msi)

(2) On the PIX firewall, change the DNS inspection configuration by running "fixup protocol dns maximum-length 1500". This will allow UDP DNS query packets of up to 1500 bytes. Do keep in mind that, when using non-ethernet network infrastructure, the EDNS0 limit is actually 4096 bytes, so you may need a higher value.

Thanks to Maarten Van Horenbeeck that published that on the Security focus newsgroup.

Sincerely,

Patrick
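To make the size check described above concrete, here is an added Python example (not code from this thread, from Cisco or from Microsoft). It constructs sample DNS replies, one that fits inside the 512-byte default and one that carries an EDNS0 OPT pseudo-RR and exceeds it, parses each reply to read the UDP payload size the OPT record advertises, and then applies the length test a firewall with a given "fixup protocol dns maximum-length" value would apply. The query name and the 10.0.0.x addresses are constructed sample data; the function names are this example's own.

```python
import struct

QTYPE_A = 1
RRTYPE_OPT = 41          # EDNS0 OPT pseudo-RR (RFC 2671)
CLASS_IN = 1
DEFAULT_PIX_DNS_MAX = 512  # default "fixup protocol dns maximum-length"


def _encode_name(name):
    """Encode a dotted name as DNS labels ending in the root label."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_dns_reply(qname, addresses, edns_udp_size=None, txid=0x1234):
    """Constructed sample: a NOERROR reply with one A record per address.

    When edns_udp_size is given, an OPT pseudo-RR is appended in the
    additional section; its CLASS field carries the advertised UDP size.
    """
    an = len(addresses)
    ar = 1 if edns_udp_size is not None else 0
    flags = 0x8180  # QR=1, RD=1, RA=1, RCODE=0
    header = struct.pack("!HHHHHH", txid, flags, 1, an, 0, ar)
    question = _encode_name(qname) + struct.pack("!HH", QTYPE_A, CLASS_IN)
    answers = b""
    for ip in addresses:
        rdata = bytes(int(octet) for octet in ip.split("."))
        # 0xC00C is a compression pointer back to the question name at offset 12
        answers += b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, CLASS_IN, 300, len(rdata)) + rdata
    additional = b""
    if edns_udp_size is not None:
        # OPT RR: root name, TYPE 41, CLASS = UDP payload size, TTL = ext-rcode/version/flags
        additional = b"\x00" + struct.pack("!HHIH", RRTYPE_OPT, edns_udp_size, 0, 0)
    return header + question + answers + additional


def _skip_name(buf, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # two-byte compression pointer
            return off + 2
        off += 1 + length


def parse_reply(packet):
    """Walk the message and report its length and any EDNS0 advertised size."""
    _txid, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(packet, off) + 4      # skip QTYPE and QCLASS
    edns_size = None
    for _ in range(an + ns + ar):
        off = _skip_name(packet, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", packet[off:off + 10])
        off += 10 + rdlen
        if rtype == RRTYPE_OPT:
            edns_size = rclass                  # OPT reuses CLASS for the UDP size
    return {"length": len(packet), "answers": an, "edns_udp_size": edns_size}


def firewall_verdict(packet, maximum_length=DEFAULT_PIX_DNS_MAX):
    """Apply the same test as the DNS fixup: drop UDP replies longer than the limit."""
    info = parse_reply(packet)
    info["dropped"] = info["length"] > maximum_length
    return info


if __name__ == "__main__":
    small = build_dns_reply("www.yahoo.com", ["10.0.0.%d" % i for i in range(1, 31)])
    large = build_dns_reply("www.yahoo.com", ["10.0.0.%d" % i for i in range(1, 32)], edns_udp_size=1280)
    for limit in (DEFAULT_PIX_DNS_MAX, 528, 580):
        print(limit, firewall_verdict(small, limit), firewall_verdict(large, limit))
```

Note that the resolver's advertised EDNS0 size (1280 here) and the firewall's maximum-length are independent numbers: the fixup only compares the actual packet length against its configured limit, so a reply that passed at 528 can still be dropped once a zone adds one more record, which is the pattern of failures seen in the original question.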

neonetsup Fri, 11/05/2004 - 08:34

I too have a similar question/concern: After recent upgrade to PIX 6.3(4), I found my syslog flooded with "Dropped UDP DNS reply from outside... packet length exceeds 512 bytes..." messages.

Is the default value of 512KB a reasonable value to keep, or does it need to be bumped up to avoid these messages? What are the security implications if the fixup protocol DNS value is raised?

Thanks!!

Posted October 28, 2004 at 9:14 AM