Re: [fw-wiz] Help

To: <dave@corecom.com>, "Firewall Wizards Security Mailing List" <firewall-wizards@listserv.icsalabs.com>
Subject: Re: [fw-wiz] Help
From: "Utz, Ralph" <rutz@realtime-it.com>
Date: Wed, 15 Nov 2006 08:26:30 -0600
In-reply-to: <455B0741.6010205@corecom.com>
I haven't run your test, but I have dealt with this problem on a
consulting basis in the past.  Here's some info: PIX 6.3.5 and below
block any DNS packet larger than 512 by default.  When EDNS forces a
packet larger than 512 the firewall will drop the packet.  In Windows
installations I've seen this cause the DNS service to hang and stop
responding to requests.  The PIX can be configured to allow larger DNS
packets.

-----Original Message-----
From: firewall-wizards-bounces@listserv.icsalabs.com
[mailto:firewall-wizards-bounces@listserv.icsalabs.com] On Behalf Of
Dave Piscitello
Sent: Wednesday, November 15, 2006 6:26 AM
To: Firewall Wizards Security Mailing List
Subject: [fw-wiz] Help

Can I ask some of you who live behind commercial firewalls to do the 
following DNS dig for a small study I would like to conduct?

dig hk ns +bufsize=4096 @203.119.2.18 > <file>

If you could tell me the OS you used to dig, the firewall between your 
resolver and the name server and if you know, the firewall SW version, 
you'd really make my day. BTW, if you don't get an answer, that is a 
very useful data point.

I am trying to gather some anecdotal evidence regarding how firewalls 
deal with EDNS0 responses (esp. DNS messages > 512) and AAAA records.

I have results for
Netscreen (ScreenOS V5.30r3, 4.0.3r4.0)
Sonicwall (SonicOS Standard 3.1.0.7-77s)
Cisco PIX version 7.2.1
Cisco C2600 IOS 12.2(37)
Watchguard FBX1000 (Fireware v8.2)

I could really use some data from current and previous versions of 
Checkpoint, Symantec, Sidewinder, Fortinet to help fill out the "market 
share tested" pie chart.
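As an added example (not from either post), the following Python builds the same `hk NS` query that the dig above sends, once with an EDNS0 OPT record advertising a 4096-byte buffer and once without, and summarises a raw reply by size, TC bit and advertised EDNS buffer; that lets the "answer only without EDNS0" symptom Ralph describes be told apart from ordinary truncation. The function names, the 5-second timeout and the use of 203.119.2.18 from the post as the default probe target are my assumptions; `probe()` needs network access, while `build_query()` and `parse_reply()` run offline.

```python
import socket
import struct
def build_query(name, bufsize=4096, qtype=2, txid=0x1234):
    """Wire-format query like `dig <name> ns +bufsize=<bufsize>`; bufsize=0 omits EDNS0."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if bufsize else 0)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(lab)]) + lab.encode() for lab in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)   # qtype 2 = NS, class IN
    # OPT pseudo-RR (RFC 2671): root name, type 41, CLASS field carries the UDP payload size
    opt = b"\x00" + struct.pack("!HHIH", 41, bufsize, 0, 0) if bufsize else b""
    return header + question + opt

def _skip_name(data, off):
    """Advance past a (possibly compressed) domain name starting at offset `off`."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # compression pointer: two bytes, ends the name
            return off + 2
        off += length + 1

def parse_reply(data):
    """Summarise a raw reply: size, TC bit, advertised EDNS buffer (None if no OPT)."""
    _txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(data, off) + 4          # skip QTYPE + QCLASS
    edns_bufsize = None
    for _ in range(an + ns + ar):
        off = _skip_name(data, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10 + rdlen
        if rtype == 41:
            edns_bufsize = rclass
    return {"size": len(data), "truncated": bool(flags & 0x0200), "edns_bufsize": edns_bufsize}

def probe(server, name="hk", bufsize=4096, timeout=5.0):
    """Send one UDP query; return parse_reply(...) or None if nothing comes back."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, bufsize), (server, 53))
        try:
            return parse_reply(s.recvfrom(4096)[0])
        except socket.timeout:
            return None

if __name__ == "__main__":
    # A reply only to the plain (bufsize=0) query is the "drops DNS > 512" symptom.
    for bufsize in (4096, 0):
        print(f"bufsize={bufsize}: {probe('203.119.2.18', 'hk', bufsize)}")
```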
