10-20-2010 12:26 PM - edited 03-11-2019 11:57 AM
Got an interesting scenario. I have a DMZ that has some public facing servers that are a part of a Windows domain. We are trying to get these machines to register DNS records dynamically.
Long story short, we found that when the fixup for DNS is enabled, they don't register, but when we disable fixup for DNS, they register just fine.
I tried lengthening the maximum length to the very max and still got nothing.
Now, I don't mind creating static DNS records for these servers, that is not a big deal. What I am wondering is what kind of security risk is there to having fixup for DNS disabled?
10-20-2010 12:39 PM
Hello
Mike here, when you say fixup it makes me think that you are using PIX version 6.3, is that correct? Would you please take the logs when the server is trying to register and when the firewall drops the packet?
Cheers
Mike
10-23-2010 04:20 PM
Hi Mike,
I have an FWSM and it doesn't show that the firewall drops the packet. The only hint I had was a DNS error on the server. If I disable fixup for DNS, everything is fine. Now, my main question is what is the security risk of turning this off? I can still create static DNS records, which I am not opposed to.
10-23-2010 05:21 PM
Hi,
Here's what will happen with fixup for DNS:
http://www.cisco.com/en/US/docs/security/fwsm/fwsm23/command/reference/df.html#wp1067379
What I would like to know is what kind of packets are being dropped by the FWSM. What version are you running on the FWSM? You can apply captures on the FWSM and get them in .pcap format.
https://supportforums.cisco.com/docs/DOC-1222
Let me know how it goes!!
Thanks and Regards,
Prapanch
10-24-2010 01:44 PM
Hello,
I wouldn't suggest you leave it off. It is very important to have it on since it matches the DNS packet against the RFC and assures that the packet is actually a DNS packet. Otherwise many attacks can be leveraged against your network.
You can't see any DNS packets dropped in the show service-policy output?
Let me know.
Mike
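To illustrate the kind of RFC 1035 sanity checks a DNS inspection applies (header, name encoding, and a maximum UDP length), here is an added Python example that is not code from this thread or from Cisco; the checks and the constructed sample messages are my own assumptions about what such an inspection does, not the FWSM's actual implementation.

```python
import struct

DNS_OPCODES = {0: "QUERY", 5: "UPDATE"}  # the two opcodes the samples use

def _read_name(msg, off):
    """Walk one DNS name; return (name, next_offset). Rejects labels over 63
    octets, names over 255 octets, and compression pointers that do not
    point backwards (a forward pointer is how pointer loops are built)."""
    labels, total = [], 0
    for _ in range(128):  # hard stop so a malformed name cannot loop forever
        if off >= len(msg):
            raise ValueError("name runs past end of message")
        ln = msg[off]
        if ln & 0xC0 == 0xC0:  # compression pointer, RFC 1035 section 4.1.4
            if off + 2 > len(msg):
                raise ValueError("truncated compression pointer")
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if ptr >= off:
                raise ValueError("forward compression pointer")
            return ".".join(labels + [_read_name(msg, ptr)[0]]), off + 2
        if ln == 0:
            return ".".join(labels), off + 1
        if ln > 63:
            raise ValueError("label longer than 63 octets")
        total += ln + 1
        if total > 255:
            raise ValueError("name longer than 255 octets")
        labels.append(msg[off + 1:off + 1 + ln].decode("ascii", "replace"))
        off += 1 + ln
    raise ValueError("too many labels")

def inspect_dns(msg, max_len=512):
    """Return (verdict, reason) for one UDP DNS payload. max_len mimics the
    inspection's maximum message length; 512 is the classic UDP default."""
    if len(msg) > max_len:
        return "DROP", f"length {len(msg)} exceeds maximum {max_len}"
    if len(msg) < 12:
        return "DROP", "shorter than the 12-octet DNS header"
    _ident, flags, qd, _an, _ns, ar = struct.unpack("!HHHHHH", msg[:12])
    opcode = (flags >> 11) & 0xF
    if opcode not in DNS_OPCODES:
        return "DROP", f"unexpected opcode {opcode}"
    off = 12
    try:
        for _ in range(qd):  # question section (zone section for UPDATE)
            _, off = _read_name(msg, off)
            off += 4  # QTYPE + QCLASS
        if off > len(msg):
            raise ValueError("question section truncated")
    except ValueError as e:
        return "DROP", str(e)
    return "PASS", f"{DNS_OPCODES[opcode]}, {qd} question/zone, {ar} additional"

def _encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"

# Constructed samples (not captured traffic): a plain A query, and a dynamic
# UPDATE (opcode 5) padded with 560 zero octets to stand in for a large
# update/additional section that pushes the payload past 512 octets.
QUERY = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + _encode_name("host1.dmz.example") + b"\x00\x01\x00\x01"
UPDATE = struct.pack("!HHHHHH", 0x4321, 5 << 11, 1, 0, 1, 1) + _encode_name("dmz.example") + b"\x00\x06\x00\x01" + b"\x00" * 560
BAD_LABEL = struct.pack("!HHHHHH", 1, 0, 1, 0, 0, 0) + b"\x40" + b"a" * 64 + b"\x00" + b"\x00\x01\x00\x01"
```

Running `inspect_dns` over packets from a capture on the affected interface, with `max_len` set to the configured value, shows which check a dropped message would trip.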
10-26-2010 09:33 AM
Nope. However, this firewall is running a very old version. I know it needs upgrading, I am just waiting for a window of opportunity to do so.
10-26-2010 09:34 AM
The other strange thing is that other servers, that are in different FWSM interfaces, are having no issue. It is only servers on this one interface. That is really what has me stumped.
10-26-2010 09:35 AM
Are they running the same OS? Sometimes the inspection engines on the firewalls get stuck; it would be a bad idea to reload the module just for testing purposes.
Cheers
Mike
10-28-2010 07:34 PM
They are running the same OS. All servers are 2008 R2 Data Center. It really isn't too big of a concern. Creating static DNS records for these boxes is acceptable. I at least know what is causing the issue, I just don't know the why. I know I need to update the code, so I may just work on doing that and then revisit the issue later on.
Thanks for all of the help.
10-28-2010 09:18 PM
Hello,
Ok, sounds great. Let us know how the upgrade of the code goes. If you want to continue troubleshooting, you can enable the logs at debugging level and check why the connection is being dropped, and also set some captures and match them against the other captures where the servers work.
It has been nice working with you, let us know how it goes.
Thanks!
Mike