Folks,
Thanks to those of you who already sent me results from the DNS query,
which tests whether your firewall (and config) allow UDP-encapsulated
DNS response messages greater than 512 bytes (and also tests whether
your firewall/application proxy blocks AAAA records):
dig hk ns +bufsize=4096 @203.119.2.18
I'm gathering test results to help determine a "least impact" path to
introduce AAAA records of root name servers in the root hints and
initial (priming) response.
The first set of results are included below. There were many duplicates
for the popular firewalls and versions.
I am still looking to expand this table with firewall products from
Symantec, Cyberguard, Lucent, Barricade, TopLayer, SteelGate, HotBrick,
InGate, et al.
If you run a firewall that is not yet on this list and would be willing to
try the dig and send me the result/output as well as the firewall,
version, and any unique policy you configured to allow the response to
pass, I would be extremely grateful. I will not be associating or
publishing any company or personal information with the results (what
you see in the table below is essentially what will be published).
-------------------------------------------------------------------------------------
Product                      Version              Action when AAAA   Action when DNS
                                                  RR encountered     response > 512
-------------------------------------------------------------------------------------
Juniper/Netscreen            5.4r2, 5.30r3,       Allow              Allow
                             4.0.3r4.0
Sonicwall                    3.1.0.7-77s          Allow              Allow
Cisco PIX                    7.2.1                Allow              Allow
Cisco PIX                    6.2.5                Allow              Deny
Cisco PIX                    6.3.5                Allow              Allow**1
Cisco C2600                  IOS 12.2(37)         Allow              Allow
Watchguard Firebox X 1000    Fireware v8.2        Allow              Allow
Secure Computing Sidewinder  5.2.1, 6.1.2.00      Allow              Allow
Fortinet Fortigate 60        3.0.x                Allow              Allow
Checkpoint Firewall-1        NG, R55              Allow              Allow
-------------------------------------------------------------------------------------
**1 Firewall configuration includes "fixup protocol dns maximum-length 1500".
_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards