PIX configuration: fixup protocol dns - Max size/Risks?
Some months ago I had users complaining they couldn't access www.yahoo.com and other Yahoo! related sites. After some investigation I found syslog error messages from our PIX525 running 6.3(3) indicating DNS lookups were being denied because the return packets exceeded 512 bytes. The denied messages indicated the packets were 528 bytes. I reconfigured the PIX to "fixup protocol dns maximum-length 528" and everything started working.
Well, yesterday they started having the issue again. I found no syslog error messages this time. I did see messages between our DNS server and the Yahoo! name servers, but the packet size was only 50 bytes. Through testing I found if I increased the dns maximum-length to 580 it starts to work.
What are the security risks associated with increasing the dns maximum-length? Is there a maximum value I need to remain under? In reading RFC 2671, it states "Choosing 1280 on an Ethernet connected requestor would be reasonable". To avoid issues in the future, should I just use the RFC mentioned value and set the dns maximum-length to 1280? Thanks!
Re: PIX configuration: fixup protocol dns - Max size/Risks?
The fixup protocol dns command specifies the maximum DNS packet length. I can't imagine how increasing the length from 528 to 1280 will suddenly start allowing 50 byte packets. If I were you, I would start looking deeper. Also, does the 50 byte packet size not look unusually small?
Windows 2003 supports so-called EDNS0. This extension to DNS allows requests larger than 484 bytes (512 byte packet) to be transported in UDP DNS packets.
The PIX firewall does not allow this type of traffic by default, as it is classified an anomaly.
There are two solutions to this problem:
(1) On the Windows 2003 machine which is sending out the DNS packets, you can run dnscmd /Config /EnableEDnsProbes 0. This will make sure that this machine uses TCP for its 484+ byte DNS queries. (You will need the Windows support tools for this - suptools.msi)
(2) On the PIX firewall, change the DNS inspection configuration by running "fixup protocol dns maximum-length 1500". This will allow UDP DNS query packets of up to 1500 bytes. Do keep in mind that, when using non-ethernet network infrastructure, the EDNS0 limit is actually 4096 bytes, so you may need a higher value.
Thanks to Maarten Van Horenbeeck, who published this on the SecurityFocus newsgroup.
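To make the size discussion in the reply concrete, here is an added example (not from this thread or from Cisco) that builds a constructed DNS response carrying an EDNS0 OPT pseudo-RR, reads the UDP payload size the OPT record advertises, and applies a plain length check modelled loosely on what a "fixup protocol dns maximum-length" setting does. The packet layout follows RFC 1035/2671 wire format; the inspector is an assumed simplification, not the PIX code.

```python
import struct

DNS_CLASSIC_MAX = 512   # RFC 1035 UDP limit; also the PIX fixup protocol dns default
TYPE_OPT = 41           # EDNS0 OPT pseudo-RR type (RFC 2671)

def _name(n):
    # Dotted name -> DNS wire format (length-prefixed labels, root terminator)
    return b"".join(bytes([len(l)]) + l.encode() for l in n.split(".")) + b"\x00"

def _skip_name(buf, off):
    """Return the offset just past a wire-format name, handling compression pointers."""
    while True:
        ln = buf[off]
        if ln == 0:
            return off + 1
        if (ln & 0xC0) == 0xC0:        # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + ln

def edns_udp_size(pkt):
    """Return the UDP payload size advertised in the OPT RR, or None if there is no EDNS0."""
    qd, an, ns, ar = struct.unpack("!HHHH", pkt[4:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(pkt, off) + 4             # skip QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(pkt, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        if rtype == TYPE_OPT:
            return rclass                           # OPT reuses CLASS for the UDP size
        off += 10 + rdlen
    return None

def inspect(pkt, max_len=DNS_CLASSIC_MAX):
    """Simplified length check in the spirit of maximum-length: (allowed, reason)."""
    if len(pkt) > max_len:
        return False, f"{len(pkt)}-byte DNS packet exceeds maximum-length {max_len}"
    size = edns_udp_size(pkt)
    return True, "classic DNS" if size is None else f"EDNS0 advertises {size}-byte UDP payload"

def build_response(qname, addrs, udp_size=None):
    """Constructed sample: A-record response for qname with an optional EDNS0 OPT RR."""
    pkt = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, len(addrs), 0, 0 if udp_size is None else 1)
    pkt += _name(qname) + struct.pack("!HH", 1, 1)   # QTYPE A, QCLASS IN
    for a in addrs:
        # name = pointer to offset 12 (the question name), A/IN, TTL 300, 4-byte RDATA
        pkt += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes(int(x) for x in a.split("."))
    if udp_size is not None:
        pkt += b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, 0, 0)   # root name, no options
    return pkt
```

A response padded with forty A records and an OPT RR advertising 4096 bytes is 682 bytes long, so it is dropped at the 512-byte default but passes once maximum-length is raised to 1280.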