Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1798
Views
0
Helpful
3
Replies

PIX configuration: fixup protocol dns - Max size/Risks?

terry.greene
Level 1
Level 1

‎10-28-2004 09:14 AM - edited ‎02-20-2020 11:42 PM

Some months ago I had users complaining they couldn't access www.yahoo.com and other Yahoo! related sites. After some investigation I found syslog error messages from our PIX525 running 6.3(3) indicating DNS lookups were being denied because the return packets exceeded 512 bytes. The denied messages indicated the packets were 528 bytes. I reconfigured the PIX to "fixup protocol dns maximum-length 528" and everything started working.

Well, yesterday they started having the issue again. I found no syslog error messages this time. I did see messages between our DNS server and the Yahoo! name servers, but the packet size was only 50 bytes. Through testing I found if I increased the dns maximum-length to 580 it starts to work.

What are the security risks associated with increasing the dns maximum-length? Is there a maximum value I need to remain under? In reading RFC 2671, it states "Choosing 1280 on an Ethernet connected requestor would be reasonable". To avoid issues in the future, should I just use the RFC mentioned value and set the dns maximum-lenght to 1280? Thanks!

0 Helpful
3 Replies 3

jsivulka
Level 5
Level 5

‎11-04-2004 07:22 AM

The fixup protocol dns command specifies the maximum DNS packet length. I cant imagine how increasinf the length from 528 to 1280 will suddenly start allowing 50 byte packets. If I were you, I would start looking deeper. Also, does the 50 byte packet size not look unusually small?

0 Helpful

Patrick Iseli
Level 7
Level 7
In response to jsivulka

‎11-04-2004 06:54 PM

This post does not refer to your question but maybe to your problem.

An external DNS query may cause an error message in Windows Server. SEE:http://support.microsoft.com/?id=828731

Windows 2003 supports so called EDNS-0. This extension to DNS allows requests larger than 484 bytes (512 byte packet) to be transported in UDP DNS packets.

The PIX firewall does not allow this type of traffic by default, as it is classified an anomaly.

There are two solutions to this problem:

(1) On the Windows 2003 machine which is sending out the DNS packets, you can run dnscmd /Config /EnableEDnsProbes 0. This will make sure that this machine uses TCP for its 484+ byte DNS queries. (You will need the Windows support tools for this - suptools.msi)

(2) On the PIX firewall, change the DNS inspection configuration by running "fixup protocol dns maximum-length 1500". This will allow UDP DNS query packets of up to 1500 bytes. Do keep in mind that, when using non-ethernet network infrastructure, the EDNS0 limit is actually 4096 bytes, so you may need a higher value.

Thanks to Maarten Van Horenbeeck that published that on the Security focus newsgroup.

sincerely

Patrick

0 Helpful

neonetsup
Level 1
Level 1

‎11-05-2004 08:34 AM

I too have a similar question/concern: After recent upgrade to PIX 6.3(4), I found my syslog flooded with "Dropped UDP DNS reply from outside... packet length exceeds 512 bytes..." messages.

Is the default value of 512KB a reasonable value to keep, or does it need bumped up to avoid these messages. What are the security implications if the fixup protocol DNS value is raised?

Thanks!!

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card