Solved

DNS Fixup on a PIX

Posted on 2004-04-29
5
789 Views
Last Modified: 2008-01-09
All,

Is there any reason why I can't increase the DNS fixup size on a PIX to 1028 from 512? I heard that there are some security issues with spoofing. Is this really that much of a security consideration?

Thanks people
Question by:credmood
5 Comments
 
LVL 23

Expert Comment

by:Tim Holman
ID: 10948360
This is something I've NEVER had to change. Why would you want to allow a bigger DNS packet? Problems with long DNS names? This doubles the impact of any DNS related DDoS attack... ;)
However, I wouldn't imagine that making much of a difference.  The limit is really designed so that people can't send you DNS packets with the max size of 65535 bytes, a lot of which would quickly swamp your systems (bit like a ping o' death with DNS).

There's more about DNS fixup here:

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a008017278b.html#wp1063720

As long as your DNS packet size doesn't go over your MTU size, things should work out fine.

0
 
LVL 4

Expert Comment

by:hawgpig
ID: 10955246
I agree with Tim...
The only reason to change your dns fixup is if you are running the new EDNS...
But, you can do it if you would like.....
0
 

Author Comment

by:credmood
ID: 11028675
Thanks people, sorry for the delay in replying, had a week off,

Yes, we are running a Windows 2003 DNS server, which apparently uses EDNS. I haven't read up on EDNS; what's the score with that, and why does it (sometimes) need over 512?
0
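The two questions above (why the fixup's default is 512, and why an EDNS-capable server like Windows 2003 DNS sometimes needs more) come down to message sizes. Classic DNS over UDP (RFC 1035) caps a message at 512 bytes, which is the limit the PIX DNS fixup enforces by default; EDNS0 (RFC 2671, later RFC 6891) lets a client advertise a larger UDP payload size in an OPT pseudo-record, so a server may legitimately return a UDP message longer than 512 bytes. The following Python script is an added example, not code from this thread or from Cisco: it builds constructed DNS messages with and without an OPT record, extracts the advertised EDNS0 payload size, and applies a simplified version of the fixup's length check (the real fixup also inspects and NAT-rewrites the payload; only the size rule is modelled here). The function names and the sample names and addresses are assumptions.

```python
import struct

OPT_TYPE = 41  # EDNS0 OPT pseudo-record type (RFC 6891)

def encode_name(name):
    """Wire-encode a domain name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.strip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_query(name, qtype=1, txn_id=0x1234, edns_udp_size=None):
    """Constructed DNS query; if edns_udp_size is given, append an EDNS0 OPT record."""
    arcount = 1 if edns_udp_size is not None else 0
    header = struct.pack("!HHHHHH", txn_id, 0x0100, 1, 0, 0, arcount)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    msg = header + question
    if edns_udp_size is not None:
        # OPT RR: root name, TYPE=41, CLASS carries the UDP payload size,
        # TTL carries extended RCODE/version/flags (all zero here), RDLEN=0
        msg += b"\x00" + struct.pack("!HHIH", OPT_TYPE, edns_udp_size, 0, 0)
    return msg

def build_response(name, addrs, txn_id=0x1234):
    """Constructed DNS response with one A record per address (compression pointer to the question name)."""
    header = struct.pack("!HHHHHH", txn_id, 0x8180, 1, len(addrs), 0, 0)
    msg = header + encode_name(name) + struct.pack("!HH", 1, 1)
    for a in addrs:
        rdata = bytes(int(x) for x in a.split("."))
        msg += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + rdata
    return msg

def skip_name(msg, off):
    """Return the offset just past a wire-format name (handles compression pointers)."""
    while True:
        ln = msg[off]
        if ln == 0:
            return off + 1
        if ln & 0xC0 == 0xC0:
            return off + 2
        off += 1 + ln

def edns_udp_size(msg):
    """Return the EDNS0 advertised UDP payload size, or None when the message has no OPT record."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == OPT_TYPE:
            return rclass
        off += 10 + rdlen
    return None

def fixup_verdict(msg, max_length=512):
    """Simplified model of the fixup's size rule: messages longer than max_length are dropped.
    (Assumption: the real PIX fixup does more than this, e.g. payload inspection and NAT rewriting.)"""
    return {
        "length": len(msg),
        "edns_udp_size": edns_udp_size(msg),
        "action": "drop" if len(msg) > max_length else "pass",
    }

if __name__ == "__main__":
    plain = build_query("example.com")
    edns = build_query("example.com", edns_udp_size=1280)
    big = build_response("example.com", ["10.0.0.%d" % i for i in range(1, 41)])
    for label, m in (("plain query", plain), ("EDNS0 query", edns), ("40-record response", big)):
        print(label, "at 512:", fixup_verdict(m), "at 1028:", fixup_verdict(m, 1028))
```

Running it shows the situation from the thread: the EDNS0 query advertises 1280 bytes, and a 40-record answer (669 bytes) is dropped under the 512-byte default but passes at 1028, which is why the syslog complaints stop after the limit is raised. The trade-off Tim describes is visible in the same numbers: the cap bounds how large a DNS message the firewall will accept, and raising it raises that bound.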
 
LVL 23

Accepted Solution

by:
Tim Holman earned 500 total points
ID: 11030850
0
 

Author Comment

by:credmood
ID: 11039106
Thanks for your help Tim, increased fixup to 1028 and no longer have syslog telling me that it can't process DNS queries over 512
0
