Re: fixup DNS issue

jlhainy · ‎10-20-2010

Got an interesting scenerio. I have a DMZ that has some public facing serves that are a part of a windows domain. We are trying to get these machines to register dns records dynamically.

Long story short, we found that when the fixup DNS is enabled, they don't register, but when we disable fixup for DNS, they register just fine.

I tried lengthening the maximum length to the very max and still got nothing.

Now, I don't mind creating static DNS records for these servers, that is not a big deal.... what I am wondering is what kind of security risk is there to have fixup for DNS disabled?

Maykol Rojas · ‎10-20-2010

Hello

Mike here, when you say fixup it makes me think that you are using Pix version 6.3 is that correct? Would you pleae take the logs when the Server is trying to register and when the firewall drops the packet?

Cheers

Mike

jlhainy · ‎10-23-2010

Hi Mike,

I have a FWSM and it doesn't show that the firewall drops the packet. The only hint I had was a DNS error on the server. If I disable fixup for DNS, everything is fine. Now, my main question is what is the security risk of turning this off? I can still create static dns records, which I am not opposed to.

praprama · ‎10-23-2010

Hi,

Here's what will happen with fixup for DNS:

http://www.cisco.com/en/US/docs/security/fwsm/fwsm23/command/reference/df.html#wp1067379

What i would like to know what kind of packets are being dropped by the FWSM. What version are you running on the FWSM? You can apply captures on the FWSM and get them in a .pcap format.

https://supportforums.cisco.com/docs/DOC-1222

Let me know how it goes!!

Thanks and Regards,

Prapanch

Maykol Rojas · ‎10-24-2010

Hello,

I wouldnt suggest you to leave it off. It is very important to have it on since they match the DNS packet against the RFC and assure that the packet is actually a dns packet. Otherwise many attacks can be leverage against your network,

You cant see any dns packets dropped on the show service-policy?

Let me know.

Mike

jlhainy · ‎10-26-2010

nope. However, this firewall is running a very old version. I know it needs upgraded, I am just waiting for a window of oppertunity to do so.

jlhainy · ‎10-26-2010

The other strange thing is that other servers, that are in different FWSM interfaces, are having no issue. It is only servers on this one interface. That is really what has me stumped.

Maykol Rojas · ‎10-26-2010

Are they running the same OS? Sometimes the Inspection engines on the Firewalls get stuck, it would be a bad idea to reload the module just for testing purposes.

Cheers

Mike

jlhainy · ‎10-28-2010

They are running the Same OS. All servers are 2008 R2 Data Center. It really isn't too big of a concern. Creating static DNS records for these boxes is acceptable. I at least know what is causing the issue, I just don't know the why. I know I need to update the code so I may just work on doing that and then revisit the issue later on.

Thanks for all of the help.

Maykol Rojas · ‎10-28-2010

Hello,

Ok, sounds great. Let us know how the upgrade of the code goes. If you want to continue troubleshooting, you can enable the logs at debugging level and check why the connection is being dropped and also set some captures and match them againts the other captures where the servers work.

It has been nice working with you, let us know how does it go.

Thanks!

Mike