In PIX versions 6.3.2 and below you had to do:
    fixup protocol dns maximum-length 4096
In later versions you need:
    policy-map type inspect dns preset_dns_map
      parameters
        message-length maximum 4096
or to increase the response size length:
    policy-map global_policy
      class inspection_default
        inspect dns maximum-length 4096
This is rumor and innuendo; I personally believe that:
a: firewalls with ALGs are the devil
b: this goes double for PIX / ASA and
c: doubled again for putting them in front of servers, especially DNS servers....
W
On Feb 23, 2011, at 1:13 PM, Ryan Novosielski wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
A couple more gems:
https://www.dnssec-deployment.org/wp-content/uploads/2010/03/DNSSEC-CPE-Report.pdf
(really anything at dnssec-deployment.org)
There was another table that I found someplace and cannot find now that
listed Cisco PIX and mentioned with a * the subtle difference between
versions of that firewall firmware. I can't find that table anywhere --
was HTML, not in a PDF.
On 02/23/2011 11:39 AM, Ryan Novosielski wrote:
Take a look at this. It is somewhat confusing, but it is helpful and
should tell you right away if you definitely have a firewall issue (and
frankly there's little else it could be).
https://www.dns-oarc.net/oarc/services/replysizetest
On 02/23/2011 11:15 AM, Shaoquan Lin wrote:
Thanks, Mark,
Last June I asked our firewall person to make sure our firewall was not
blocking DNS packets over 512 bytes. He told me our firewall was not
blocking. I guess that might be some default setting of the firewall
and he does not really know. I did two digs here, one with +dnssec and
one without. I got the following:
1) with +dnssec :
; <<>> DiG 9.6.1-P3 <<>> +norec vwall4a.nyc.gov @b.gov-servers.net +dnssec
;; global options: +cmd
;; connection timed out; no servers could be reached
2) without +dnssec :
; <<>> DiG 9.6.1-P3 <<>> +norec vwall4a.nyc.gov @b.gov-servers.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2024
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 4
;; QUESTION SECTION:
;vwall4a.nyc.gov. IN A
;; AUTHORITY SECTION:
nyc.gov. 86400 IN NS vwall1a.nyc.gov.
nyc.gov. 86400 IN NS vwall2a.nyc.gov.
nyc.gov. 86400 IN NS vwall3a.nyc.gov.
nyc.gov. 86400 IN NS vwall4a.nyc.gov.
;; ADDITIONAL SECTION:
vwall1a.nyc.gov. 86400 IN A 161.185.1.3
vwall2a.nyc.gov. 86400 IN A 161.185.1.12
vwall3a.nyc.gov. 86400 IN A 167.153.130.12
vwall4a.nyc.gov. 86400 IN A 167.153.130.13
;; Query time: 31 msec
;; SERVER: 209.112.123.30#53(209.112.123.30)
;; WHEN: Wed Feb 23 11:12:48 2011
;; MSG SIZE rcvd: 192
Does this show we do have a firewall problem here?
Shaoquan Lin
Mark Andrews wrote:
In message <0539E64AD2B54AD2804C2394F923800B@se179>, "Shaoquan Lin"
writes:
Mark,
Are these bugs (2784 and 1804) fixed by BIND 9.6.1-P3? My problem is
that I cannot get A records of NSs (like vwall4a.nyc.gov) of nyc.gov from
b.gov-servers.net by BIND 9.6.1-P3, but with no problem with older BINDs
like 9.3. I don't know if the problem is with the authoritative
nameservers for gov or the nameservers for nyc.gov or with the BIND I
am using. I noticed the following:
Just fix your firewalls to allow EDNS responses through. While
this is a bug in the authoritative servers / interpretation of
RFC 1034, it's only an issue because your firewall configuration
is a decade out of date.
1). a.gov-servers.net or b.gov-servers.net does provide A records
in the additional records of their responses for other subdomains
under gov like treas.gov, just not nyc.gov. So the problem seems to be
with the nameservers for nyc.gov. The problem is relatively new and
there might be some recent changes on nyc.gov.
The gov servers will return glue if you let answers bigger than 512 bytes
through your firewall.
; <<>> DiG 9.6.0-APPLE-P2 <<>> +norec vwall4a.nyc.gov @b.gov-servers.net +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50028
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 5
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1472
;; QUESTION SECTION:
;vwall4a.nyc.gov. IN A
;; AUTHORITY SECTION:
nyc.gov. 86400 IN NS vwall1a.nyc.gov.
nyc.gov. 86400 IN NS vwall2a.nyc.gov.
nyc.gov. 86400 IN NS vwall3a.nyc.gov.
nyc.gov. 86400 IN NS vwall4a.nyc.gov.
rq2651faaj4nen6tfis8ju5005qccn8j.gov. 86400 IN NSEC3 1 0 8 4C44934802D3 RQDJO8PKJ2LEUMC30SGU45DDI643G497 NS
rq2651faaj4nen6tfis8ju5005qccn8j.gov. 86400 IN RRSIG NSEC3 7 2 86400 20110227210022 20110222210022 47602 gov.
ENl60LTdlJfmyDp9wrwh6bQao8TvqTk8hX4qD6x4bHGBixjsGhOy/si8
JVUl1MbeJ1PaJ3p59/ABFUv7ApOh5v6eflzhsBa6EalBrYCC5HpOabJn
Q2r0RFqDvUb1Qo921cnbC+3Bh37i3DVTbK+poYpIkbpJAxOE+/zp/PrA
1L0v2kuS9t6gHLk+ZzfsQI6Gi9Ezg2VZIhVXGz06a7EzyGy2BZ/Plz4u
In2Dj5ncwAlAi9dC6xiQTW2yRmVSQoXzNZKUcZO+E0mPKPR9DcNVotX9
CzTbrOyKNtYrrV6GNslN5qicuHIehriQIMPdXs3/e2ZhB3h944kpymqL ag3tCg==
;; ADDITIONAL SECTION:
vwall1a.nyc.gov. 86400 IN A 161.185.1.3
vwall2a.nyc.gov. 86400 IN A 161.185.1.12
vwall3a.nyc.gov. 86400 IN A 167.153.130.12
vwall4a.nyc.gov. 86400 IN A 167.153.130.13
;; Query time: 187 msec
;; SERVER: 209.112.123.30#53(209.112.123.30)
;; WHEN: Wed Feb 23 11:54:06 2011
;; MSG SIZE rcvd: 574
2) Older versions of BIND (like 9.3) seem able to resolve
vwall4a.nyc.gov, as shown in the packets I captured in my previous e-mail.
What options in named.conf can I use to set "tc"?
Thank you.
Shaoquan Lin
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
- --
- ---- _ _ _ _ ___ _ _ _
|Y#| | | |\/| | \ |\ | | |Ryan Novosielski - Sr. Systems Programmer
|$&| |__| | | |__/ | \| _| |novos...@umdnj.edu - 973/972.0922
(2-0922)
\__/ Univ. of Med. and Dent.|IST/CST-Academic Svcs. - ADMC 450, Newark
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iEYEARECAAYFAk1lTjMACgkQmb+gadEcsb5KSwCeJKU5Z7SXoRMJH53u1dGt8jj1
AF4AoKWOkg6gcc9Ng4kAmebcIHv+XAIF
=deXw
-----END PGP SIGNATURE-----
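The two dig runs quoted above (a plain query that answers, an EDNS/+dnssec query that times out) are the classic symptom of a DNS ALG or firewall still clamping UDP answers to 512 bytes, which the PIX/ASA `message-length maximum` setting at the top of the thread exists to raise. The following is an added example, not code from any message in this thread or from ISC/OARC: it builds the same kind of EDNS0 query dig sends, inspects a response for the TC bit and the OPT payload size, and applies the thread's reasoning to the pair of results. The response bytes are constructed inline (zero-filled RRSIG-shaped data, names from the thread) so the script runs offline; the function and field names are this example's own.

```python
"""EDNS0 query construction and response inspection (added example, not from the thread)."""
import struct

OPT_TYPE = 41          # EDNS0 OPT pseudo-RR
DO_BIT = 0x8000        # DNSSEC OK flag in the OPT "TTL" field
TC_FLAG = 0x0200       # Truncation bit in the DNS header flags


def encode_name(name):
    """Wire-encode a dotted name as length-prefixed labels plus the root label."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_edns_query(name, udp_size=4096, dnssec_ok=True, txid=0x1234):
    """A-record query with RD clear (like dig +norec) and an OPT RR advertising udp_size."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 1)   # qd=1, ar=1 (the OPT)
    question = encode_name(name) + struct.pack("!HH", 1, 1)      # QTYPE A, QCLASS IN
    opt_ttl = DO_BIT if dnssec_ok else 0
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_size, opt_ttl, 0)  # root name, rdlen 0
    return header + question + opt


def skip_name(data, off):
    """Return the offset just past a wire-format name, handling compression pointers."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # two-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def parse_response(data):
    """Extract the header facts a firewall diagnosis needs: TC bit, rcode, counts, OPT size."""
    txid, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", data, 0)
    off = 12
    for _ in range(qd):
        off = skip_name(data, off) + 4
    info = {"id": txid, "tc": bool(flags & TC_FLAG), "rcode": flags & 0x000F,
            "answer": an, "authority": ns, "additional": ar,
            "edns_udp_size": None, "do": False, "size": len(data)}
    for _ in range(an + ns + ar):
        off = skip_name(data, off)
        rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", data, off)
        off += 10
        if rtype == OPT_TYPE:          # for OPT, CLASS carries the sender's UDP payload size
            info["edns_udp_size"] = rclass
            info["do"] = bool(ttl & DO_BIT)
        off += rdlen
    return info


def classify(plain, dnssec):
    """Apply the thread's reasoning to a plain query result and a +dnssec query result.

    Each argument is a parse_response() dict, or None when the query timed out."""
    if plain is None:
        return "no DNS reachability at all (not a size problem)"
    if dnssec is None:
        return "large-response filtering suspected: plain query answered, EDNS/DNSSEC query timed out"
    if dnssec["tc"]:
        return "server truncated; resolver should retry over TCP (check TCP/53 is allowed)"
    if dnssec["size"] > 512:
        return "EDNS responses over 512 bytes arrive; no size filtering"
    return "inconclusive: responses stayed under 512 bytes"


def build_sample_response(query, rrsig_len=489, udp_size=4096, truncated=False):
    """Constructed (not captured) reply: echoes the question, adds an NS record, one
    zero-filled RRSIG-shaped record and an OPT RR. Defaults give 574 bytes, the size
    Mark's dig reported, so the >512-byte case can be exercised offline."""
    txid = struct.unpack_from("!H", query, 0)[0]
    question = query[12:skip_name(query, 12) + 4]
    ns_rdata = encode_name("vwall1a.nyc.gov")
    # owner 0xC014 points at "nyc.gov" inside the question name (offset 12 + 8)
    ns_rr = b"\xC0\x14" + struct.pack("!HHIH", 2, 1, 86400, len(ns_rdata)) + ns_rdata
    sig_rr = b"\xC0\x14" + struct.pack("!HHIH", 46, 1, 86400, rrsig_len) + bytes(rrsig_len)
    opt_rr = b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_size, DO_BIT, 0)
    flags = 0x8000 | (TC_FLAG if truncated else 0)            # QR set, NOERROR
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 2, 1)
    return header + question + ns_rr + sig_rr + opt_rr


if __name__ == "__main__":
    q = build_edns_query("vwall4a.nyc.gov")
    full = parse_response(build_sample_response(q))
    print("query bytes:", len(q), "response:", full)
    print(classify(full, None))    # the situation in the thread: +dnssec query times out
    print(classify(full, full))    # what a fixed firewall looks like
```

Sending `build_edns_query(...)` over UDP to an authoritative server and feeding the reply to `parse_response` is the same test dig +dnssec and the OARC reply-size page perform; `classify` then says whether the 512-byte clamp, a missing TCP/53 rule, or neither is in play.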