credmood
asked on
DNS Fixup on a PIX
All,
Is there any reason why I cant increase the DNSfixup size on a PIX to 1028 from 512, I heard that there is some security issues with spoofing. Is this really that much of a security consideration?
Thanks people
Is there any reason why I cant increase the DNSfixup size on a PIX to 1028 from 512, I heard that there is some security issues with spoofing. Is this really that much of a security consideration?
Thanks people
I agree with Tim...
The only reason to change your dns fixup is if you are running the new EDNS...
But, you can do it if you would like.....
The only reason to change your dns fixup is if you are running the new EDNS...
But, you can do it if you would like.....
ASKER
Thanks people, sorry for the delay in replying, had a week off,
Yes we are running windows 2003 DNS server, which apparently uses EDNS, havent read up on EDNS, whats the score with that and why does it use (sometimes) need over 512?
Yes we are running windows 2003 DNS server, which apparently uses EDNS, havent read up on EDNS, whats the score with that and why does it use (sometimes) need over 512?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Thanks for your help Tim, increased fixup to 1028 and no longer have syslog telling me that it cant process dns queries over 512
However, I wouldn't imagine that making much of a difference. The limit is really designed so that people can't send you DNS packets with the max size of 65535 bytes, a lot of which would quickly swamp your systems (bit like a ping o' death with DNS).
There's more about DNS fixup here:
http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a008017278b.html#wp1063720
As long as your DNS packet size doesn't go over your MTU size, things should work out fine.