Got an interesting scenario. I have a DMZ that has some public facing servers that are a part of a Windows domain. We are trying to get these machines to register DNS records dynamically.
Long story short, we found that when the fixup DNS is enabled, they don't register, but when we disable fixup for DNS, they register just fine.
I tried lengthening the maximum length to the very max and still got nothing.
Now, I don't mind creating static DNS records for these servers, that is not a big deal... what I am wondering is what kind of security risk there is in having fixup for DNS disabled?
Mike here. When you say fixup it makes me think that you are using PIX version 6.3, is that correct? Would you please take the logs when the server is trying to register and when the firewall drops the packet?
I have an FWSM and it doesn't show that the firewall drops the packet. The only hint I had was a DNS error on the server. If I disable fixup for DNS, everything is fine. Now, my main question is what is the security risk of turning this off? I can still create static DNS records, which I am not opposed to.
Here's what will happen with fixup for DNS:
What I would like to know is what kind of packets are being dropped by the FWSM. What version are you running on the FWSM? You can apply captures on the FWSM and get them in .pcap format.
Let me know how it goes!!
Thanks and Regards,
I wouldn't suggest you leave it off. It is very important to have it on, since it matches the DNS packet against the RFC and assures that the packet is actually a DNS packet. Otherwise many attacks can be leveraged against your network.
You can't see any DNS packets dropped in the show service-policy output?
Let me know.
Nope. However, this firewall is running a very old version. I know it needs upgrading, I am just waiting for a window of opportunity to do so.
The other strange thing is that other servers, that are in different FWSM interfaces, are having no issue. It is only servers on this one interface. That is really what has me stumped.
Are they running the same OS? Sometimes the inspection engines on the firewalls get stuck. It would be a bad idea to reload the module just for testing purposes.
They are running the same OS. All servers are 2008 R2 Datacenter. It really isn't too big of a concern. Creating static DNS records for these boxes is acceptable. I at least know what is causing the issue, I just don't know the why. I know I need to update the code, so I may just work on doing that and then revisit the issue later on.
Thanks for all of the help.
OK, sounds great. Let us know how the upgrade of the code goes. If you want to continue troubleshooting, you can enable the logs at debugging level and check why the connection is being dropped, and also set some captures and match them against the other captures where the servers work.
It has been nice working with you, let us know how it goes.
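As an added example, not part of this thread: a small Python helper for the capture comparison suggested above. Given the UDP payload of each DNS packet pulled from the FWSM .pcap, it decodes the DNS header and flags the two things the replies describe DNS inspection as checking, the message length against the maximum-length setting and whether the message is a plain query rather than, say, the UPDATE opcode a Windows host uses for dynamic registration. The 512-byte default and the two sample messages are assumptions constructed for the example.

```python
import struct

OPCODES = {0: "QUERY", 1: "IQUERY", 2: "STATUS", 4: "NOTIFY", 5: "UPDATE"}

def encode_name(name):
    """Encode a dotted name in DNS wire format (length-prefixed labels + root)."""
    return b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in name.split(".")) + b"\x00"

def parse_dns_header(payload):
    """Decode the 12-byte DNS header of a UDP payload taken from a capture."""
    if len(payload) < 12:
        raise ValueError("payload is shorter than a DNS header")
    ident, flags, c1, c2, c3, c4 = struct.unpack("!HHHHHH", payload[:12])
    opcode = (flags >> 11) & 0xF
    return {
        "id": ident,
        "qr": "response" if flags & 0x8000 else "query",
        "opcode": OPCODES.get(opcode, str(opcode)),
        "rcode": flags & 0xF,
        # qd/an/ns/ar for queries; zone/prereq/update/additional for UPDATE (RFC 2136)
        "counts": (c1, c2, c3, c4),
        "length": len(payload),
    }

def inspection_notes(payload, max_length=512):
    """Points worth comparing between failing and working captures: message length
    against the inspection engine's maximum-length setting (512 is an assumed
    default here) and any opcode other than a plain query."""
    hdr = parse_dns_header(payload)
    notes = []
    if hdr["length"] > max_length:
        notes.append(f"length {hdr['length']} exceeds maximum-length {max_length}")
    if hdr["opcode"] != "QUERY":
        notes.append(f"opcode {hdr['opcode']} rather than a plain query")
    return notes

# Constructed samples (UDP payload only): a plain A query, and a dynamic UPDATE
# adding host.example -> 192.0.2.10, the kind of message a Windows host sends
# when registering its own record.
SAMPLE_QUERY = (struct.pack("!HHHHHH", 0xABCD, 0x0100, 1, 0, 0, 0)
                + encode_name("host.example") + struct.pack("!HH", 1, 1))
SAMPLE_UPDATE = (struct.pack("!HHHHHH", 0x1234, 5 << 11, 1, 0, 1, 0)
                 + encode_name("example") + struct.pack("!HH", 6, 1)   # zone section: SOA
                 + encode_name("host.example")                          # update section: add A
                 + struct.pack("!HHIH", 1, 1, 1200, 4) + bytes([192, 0, 2, 10]))

if __name__ == "__main__":
    for label, pkt in (("query", SAMPLE_QUERY), ("update", SAMPLE_UPDATE)):
        print(label, parse_dns_header(pkt), inspection_notes(pkt))
```

Feed it the payloads from both the failing interface's capture and a working interface's capture; a difference in the notes for otherwise similar registration attempts narrows down what the engine objects to.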