In PIX versions 6.3.2 and below you had to do:
fixup protocol dns maximum-length 4096

In later versions you need:

policy-map type inspect dns preset_dns_map
parameters
message-length maximum 4096

or to increase the response size length:

policy-map global_policy
class inspection_default
inspect dns maximum-length 4096


This is rumor and innuendo, I personally believe that:
a: firewalls with ALGs are the devil
b: this goes double for PIX / ASA and
c: doubled again for putting them in front of servers, especially DNS servers....

W

On Feb 23, 2011, at 1:13 PM, Ryan Novosielski wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

A couple more gems:
https://www.dnssec-deployment.org/wp-content/uploads/2010/03/DNSSEC-CPE-Report.pdf

(really anything at dnssec-deployment.org)

There was another table that I found someplace and cannot find now that
listed Cisco PIX and mentioned with a * the subtle difference between
versions of that firewall firmware. I can't find that table anywhere --
was HTML, not in a PDF.

On 02/23/2011 11:39 AM, Ryan Novosielski wrote:
Take a look at this. It is somewhat confusing, but it is helpful and
should tell you right away if you definitely have a firewall issue (and
frankly there's little else it could be).

https://www.dns-oarc.net/oarc/services/replysizetest

On 02/23/2011 11:15 AM, Shaoquan Lin wrote:
Thanks, Mark,

Last June I asked our firewall person to make sure our firewall not
blocking DNS packets over 512 bytes. He told me our firewall was not blocking. I guess that might be some default setting of the firewall and he does not really know. I did two digs here one with +dnssec and
one without.  I got the the following:

1) with +dnssec :
; <<>> DiG 9.6.1-P3 <<>> +norec vwall4a.nyc.gov @b.gov-servers.net +dnssec
;; global options: +cmd
;; connection timed out; no servers could be reached

2) without +dnssec :
; <<>> DiG 9.6.1-P3 <<>> +norec vwall4a.nyc.gov @b.gov-servers.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2024
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 4

;; QUESTION SECTION:
;vwall4a.nyc.gov.               IN      A

;; AUTHORITY SECTION:
nyc.gov.                86400   IN      NS      vwall1a.nyc.gov.
nyc.gov.                86400   IN      NS      vwall2a.nyc.gov.
nyc.gov.                86400   IN      NS      vwall3a.nyc.gov.
nyc.gov.                86400   IN      NS      vwall4a.nyc.gov.

;; ADDITIONAL SECTION:
vwall1a.nyc.gov.        86400   IN      A       161.185.1.3
vwall2a.nyc.gov.        86400   IN      A       161.185.1.12
vwall3a.nyc.gov.        86400   IN      A       167.153.130.12
vwall4a.nyc.gov.        86400   IN      A       167.153.130.13

;; Query time: 31 msec
;; SERVER: 209.112.123.30#53(209.112.123.30)
;; WHEN: Wed Feb 23 11:12:48 2011
;; MSG SIZE  rcvd: 192

Does this show we do have a firewall problem here?

Shaoquan Lin

Mark Andrews wrote:
In message <0539E64AD2B54AD2804C2394F923800B@se179>, "Shaoquan Lin"
writes:

Mark,

Are these bugs (2784 and 1804) fixed by BIND 9.6.1-P3? My problem is
that I
can not get A records of NSs (like vwall4a.nyc.gov) of nyc.gov from
b.gov-servers.net by BIND 9.6.1-P3 but with no problem with older
BINDs like
9.3.  I don't know if the problem is with the authoritative
nameservers for gov or the nameservers for nyc.gov or with the BIND I
am using.  I noticed the following:


Just fix your firewalls to allow EDNS responses through.  While
this is a bug in the authoritative servers / interpretation of
RFC 1034, its only a issue because your firewall configuration
is a decade out of date that it is a problem.


1). a.gov-servers.net or b.gov-servers.net does provide A records
in the additional records of their responses for other subdomain
under gov like treas.gov, just not nyc.gov.  So the problem seems
with nameservers for nyc.gov.  The problem is relatively new and
there might be some recent changes on nyc.gov.


The gov servers will return glue if you let bigger answers than 512 bytes
through your firewall.

; <<>> DiG 9.6.0-APPLE-P2 <<>> +norec vwall4a.nyc.gov
@b.gov-servers.net +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50028
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 5

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1472
;; QUESTION SECTION:
;vwall4a.nyc.gov.        IN    A

;; AUTHORITY SECTION:
nyc.gov.        86400    IN    NS    vwall1a.nyc.gov.
nyc.gov.        86400    IN    NS    vwall2a.nyc.gov.
nyc.gov.        86400    IN    NS    vwall3a.nyc.gov.
nyc.gov.        86400    IN    NS    vwall4a.nyc.gov.
rq2651faaj4nen6tfis8ju5005qccn8j.gov. 86400 IN NSEC3 1 0 8
4C44934802D3 RQDJO8PKJ2LEUMC30SGU45DDI643G497 NS
rq2651faaj4nen6tfis8ju5005qccn8j.gov. 86400 IN RRSIG NSEC3 7 2 86400
20110227210022 20110222210022 47602 gov.
ENl60LTdlJfmyDp9wrwh6bQao8TvqTk8hX4qD6x4bHGBixjsGhOy/si8
JVUl1MbeJ1PaJ3p59/ABFUv7ApOh5v6eflzhsBa6EalBrYCC5HpOabJn
Q2r0RFqDvUb1Qo921cnbC+3Bh37i3DVTbK+poYpIkbpJAxOE+/zp/PrA
1L0v2kuS9t6gHLk+ZzfsQI6Gi9Ezg2VZIhVXGz06a7EzyGy2BZ/Plz4u
In2Dj5ncwAlAi9dC6xiQTW2yRmVSQoXzNZKUcZO+E0mPKPR9DcNVotX9
CzTbrOyKNtYrrV6GNslN5qicuHIehriQIMPdXs3/e2ZhB3h944kpymqL ag3tCg==

;; ADDITIONAL SECTION:
vwall1a.nyc.gov.    86400    IN    A    161.185.1.3
vwall2a.nyc.gov.    86400    IN    A    161.185.1.12
vwall3a.nyc.gov.    86400    IN    A    167.153.130.12
vwall4a.nyc.gov.    86400    IN    A    167.153.130.13

;; Query time: 187 msec
;; SERVER: 209.112.123.30#53(209.112.123.30)
;; WHEN: Wed Feb 23 11:54:06 2011
;; MSG SIZE  rcvd: 574


2) Older version of Binds (like 9.3) seems able to resolve
vwall4a.nyc.gov as shown the packets I captured in my previous e- mail.

What options in named.conf I can use to set "tc"?

Thank you.

Shaoquan Lin





_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


- --
- ---- _  _ _  _ ___  _  _  _
|Y#| |  | |\/| |  \ |\ |  | |Ryan Novosielski - Sr. Systems Programmer
|$&| |__| | | |__/ | \| _| |novos...@umdnj.edu - 973/972.0922 (2-0922)
\__/ Univ. of Med. and Dent.|IST/CST-Academic Svcs. - ADMC 450, Newark
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk1lTjMACgkQmb+gadEcsb5KSwCeJKU5Z7SXoRMJH53u1dGt8jj1
AF4AoKWOkg6gcc9Ng4kAmebcIHv+XAIF
=deXw
-----END PGP SIGNATURE-----
<novosirj.vcf>_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Reply via email to