Query regarding DNSSEC

ankurs2008
Level 1

Hi

I have read much about DNSSEC in this forum as well as on other DNSSEC-related sites. However, I have a query as to what the role of the "message-length maximum server auto" command is. Please can anybody explain a practical scenario? Also, I have one example (please refer to the attachment). In this, if a packet is coming from the outside world through the firewall towards a public web server hosted in the DMZ, and consider that the public DNS server is also in the DMZ zone of the firewall and has a public IP address (consider there is no nat-control in the FW), then what command is supposed to be given under the "policy-map type inspect dns"? Can we specify the "message-length maximum server auto" command here, or will it still work with the "message-length maximum client auto" command? I have read that client or server is determined by the firewall by looking at the "QR bit" in the DNS header: if QR = 0 it is a client, otherwise a server. I also want to understand how the firewall will differentiate between a public DNS server hosted at the ISP and one inside the organization (say in the DMZ).

3 Replies

Panos Kampanakis
Cisco Employee

Both the requestor and responder can define the maximum DNS size in the EDNS packet. So if you use "client auto" then the ASA will adjust its allowed DNS size according to what the DNS query says it can support. Though, the server could potentially say it supports up to a certain size, and that is where "server auto" comes in.

Usually the client is the one that says "I support up to that" and the server just obeys, so the "server auto" will not be used often.

I hope it helps.

PK

Hi pkampana

Thanks for the reply. Does that mean that even if the DNS server is in the DMZ zone and the client is coming from outside, the "client auto" command will do the needful? Also, in case the server does not obey the client-declared value, how can it be brought to notice that it is doing so? Also, please let me know what the function of the DO flag in DNSSEC is.
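The two points raised in the thread, the QR bit deciding whether a message is from the client or the server and the EDNS0 OPT record carrying the advertised UDP payload size (plus the DO flag that the follow-up asks about), can be checked against real packet bytes. The following Python is an added example written for this page; it is not Cisco code and does not reproduce the ASA's actual inspection engine. It builds a constructed DNS query and response with an EDNS0 OPT record, parses the header and OPT record, and models the "client auto" / "server auto" selection as a simplified rule: take the advertised size from the OPT record of the side named in the command, otherwise fall back to the classic 512-byte limit. The function names and the simplification are assumptions for illustration.

```python
import struct

DNS_HEADER_LEN = 12
OPT_TYPE = 41            # EDNS0 OPT pseudo-RR type (RFC 6891)
QR_BIT = 0x8000          # header flags: 0 = query (client), 1 = response (server)
DO_BIT = 0x8000          # high bit of the OPT "extended flags" (DNSSEC OK, RFC 3225)
CLASSIC_MAX_UDP = 512    # limit without EDNS0 (RFC 1035)


def build_dns_message(qname="example.com", udp_payload=4096, do_flag=True,
                      response=False, with_opt=True, txn_id=0x1234):
    """Constructed sample: a DNS query (or response) for qname, optionally with an OPT record."""
    flags = 0x0100 | (QR_BIT if response else 0)           # RD set; QR set only for responses
    header = struct.pack("!HHHHHH", txn_id, flags, 1, 0, 0, 1 if with_opt else 0)
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.split("."))
    question = labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
    if not with_opt:
        return header + question
    # OPT RR: root name, TYPE 41, CLASS = requestor's UDP payload size,
    # TTL = ext-rcode | version | flags (DO is the top flag bit), RDLENGTH 0
    ttl = DO_BIT if do_flag else 0
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_payload, ttl, 0)
    return header + question + opt


def _skip_name(msg, off):
    """Advance past a wire-format name (handles compression pointers)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def parse_dns(msg):
    """Return the inspection-relevant fields: QR, EDNS0 UDP size and DO flag."""
    txn_id, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
    info = {"id": txn_id, "is_response": bool(flags & QR_BIT),
            "edns_udp_size": None, "do": False}
    off = DNS_HEADER_LEN
    for _ in range(qd):
        off = _skip_name(msg, off) + 4          # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if rtype == OPT_TYPE:
            info["edns_udp_size"] = rclass      # CLASS field carries the UDP payload size
            info["do"] = bool(ttl & DO_BIT)     # DO bit lives in the TTL field's flags
        off += rdlen
    return info


def allowed_message_length(msg, mode="client auto", fixed=CLASSIC_MAX_UDP):
    """Simplified model (assumption, not the ASA implementation) of the auto modes:
    use the advertised EDNS0 size only from the side named in the command."""
    info = parse_dns(msg)
    advertised = info["edns_udp_size"]
    if advertised:
        if mode == "client auto" and not info["is_response"]:
            return advertised
        if mode == "server auto" and info["is_response"]:
            return advertised
    return fixed


if __name__ == "__main__":
    query = build_dns_message()
    print(parse_dns(query), allowed_message_length(query, "client auto"))
```

Running the block shows the query is classified as a client message (QR = 0), advertises 4096 bytes and sets DO. Under the model, "client auto" honours that 4096 for the query, while "server auto" only ever reads the size out of a response; a message without an OPT record falls back to 512 in either mode. That is the practical reason the reply says "server auto" is rarely needed: the size negotiation is driven by the client's OPT record, which "client auto" already follows, regardless of whether the server sits in the DMZ or at the ISP.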

Hi all / pkampana

Please reply to my query above.
