Some months ago I had users complaining they couldn't access www.yahoo.com and other Yahoo! related sites. After some investigation I found syslog error messages from our PIX525 running 6.3(3) indicating DNS lookups were being denied because the return packets exceeded 512 bytes. The denied messages indicated the packets were 528 bytes. I reconfigured the PIX to "fixup protocol dns maximum-length 528" and everything started working.
Well, yesterday they started having the issue again. I found no syslog error messages this time. I did see messages between our DNS server and the Yahoo! name servers, but the packet size was only 50 bytes. Through testing I found if I increased the dns maximum-length to 580 it starts to work.
What are the security risks associated with increasing the dns maximum-length? Is there a maximum value I need to remain under? In reading RFC 2671, it states "Choosing 1280 on an Ethernet connected requestor would be reasonable". To avoid issues in the future, should I just use the RFC mentioned value and set the dns maximum-length to 1280? Thanks!
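The sizes in the question come from two different limits: RFC 1035 caps a plain UDP DNS message at 512 bytes, while EDNS0 (the RFC 2671 the poster cites) lets a resolver advertise a larger UDP payload size in the CLASS field of an OPT pseudo-record, so responses larger than 512 bytes are legitimate whenever the resolver asked for them. A firewall DNS inspector that enforces a fixed maximum length will silently drop such replies unless its limit is at least what the resolver advertises. The script below is an added example, not code from the original post or from Cisco: it builds a constructed DNS response with an OPT record (the `build_response` helper and the `www.example.com` name are assumptions for the demo) and reports whether that response would exceed a given fixup limit, so a defender can check a captured reply against a candidate `maximum-length` value before changing the firewall.

```python
"""Size-check a raw DNS response against a firewall DNS inspection length limit.

Added example (not from the original post). The builder constructs a sample
response in memory so the check runs offline; `analyse_response` works on any
raw DNS message bytes, e.g. one captured with tcpdump.
"""
import struct

TYPE_OPT = 41        # EDNS0 OPT pseudo-RR type (RFC 2671)
RFC1035_MAX_UDP = 512  # classic UDP DNS payload ceiling


def encode_name(name: str) -> bytes:
    """Encode a dotted name as DNS labels, terminated by a zero-length label."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past the (possibly compressed) name starting at off."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:   # compression pointer: two bytes, ends the name
            return off + 2
        if length == 0:
            return off + 1
        off += 1 + length


def analyse_response(msg: bytes, fixup_max: int) -> dict:
    """Parse a raw DNS message and compare its size with a fixup length limit."""
    _ident, flags, qd, an, ns, ar = struct.unpack_from("!6H", msg, 0)
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4            # skip QTYPE and QCLASS
    edns_udp_size = None
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if rtype == TYPE_OPT:
            edns_udp_size = rclass               # OPT stores the UDP payload size in CLASS
        off += rdlen
    return {
        "length": len(msg),
        "truncated": bool(flags & 0x0200),       # TC bit: sender had to cut the reply
        "edns_udp_size": edns_udp_size,
        "exceeds_rfc1035": len(msg) > RFC1035_MAX_UDP,
        "exceeds_fixup": len(msg) > fixup_max,
    }


def build_response(n_a_records: int, udp_size: int = 4096,
                   name: str = "www.example.com") -> bytes:
    """Construct a sample response: one question, n A records, one OPT record.

    Assumption for the demo only; the addresses are from the 192.0.2.0/24
    documentation range and carry no meaning.
    """
    header = struct.pack("!6H", 0x1234, 0x8180, 1, n_a_records, 0, 1)
    question = encode_name(name) + struct.pack("!HH", 1, 1)   # A, IN
    answers = b""
    for i in range(n_a_records):
        # name pointer to offset 12 (the question name), then type/class/ttl/rdlen/rdata
        answers += b"\xC0\x0C" + struct.pack("!HHIH4B", 1, 1, 300, 4, 192, 0, 2, i)
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, 0, 0)
    return header + question + answers + opt


if __name__ == "__main__":
    for limit in (512, 528, 580, 1280):
        print(limit, analyse_response(build_response(30), limit))
```

Each A record in the sample costs 16 bytes, so 30 records plus header, question and OPT give a 524-byte reply: over the RFC 1035 limit, under the 528 the poster first configured. The `edns_udp_size` field shows what the resolver asked for; if the firewall limit is below that value, the inspector, not the name server, decides which replies get through, which is the condition that produces the denied-packet symptoms described above.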