DNS problems to RoadRunner - tcp vs udp

Justin Shore justin at justinshore.com
Fri Jun 13 20:08:35 UTC 2008


Justin Shore wrote:
> Jon Kibler wrote:
>> Various hardening documents for Cisco routers specify the best practices
>> are to only allow 53/tcp connections to/from secondary name servers.
>> Plus, from all I can tell, Cisco's 'ip inspect dns' CBAC appears to only
>> handle UDP data connections and anything TCP would be denied. From what
>> you are saying, the hardening recommendations are wrong and that CBAC
>> may break some DNS responses. Is this correct?
> 
> A number of Cisco defaults from years gone by would break DNS, today, in 
> its current form.  Such as how PIXs and ASAs with fixup/DPI would block 
> udp/53 packets larger than 512 bytes, not permitting EDNS packets through.

Thunderbird apparently thought that I was ready to send my message 
before I did.  I was going to add some ASA config as an example.

policy-map type inspect dns migrated_dns_map_1
  parameters
   message-length maximum 2048

I don't have an IOS CBAC example but there's surely something similar.


Justin
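The following is an added illustration, not part of Justin's message and not Cisco code: a small Python model of why the two old defaults discussed in the thread (dropping udp/53 datagrams over 512 bytes, and dropping tcp/53 entirely) break modern DNS. It builds a query carrying an EDNS0 OPT record (RFC 6891) that advertises a 4096-byte UDP payload, builds a constructed 680-byte response with 40 A records, and shows that a legacy filter drops it while the 2048-byte limit from the ASA snippet passes it. It also shows the TC=1 truncation path, where a resolver must retry over TCP (RFC 1035, RFC 7766), which a tcp/53 block defeats. The filter functions are a toy model of middlebox behaviour, an assumption for illustration only; the packet layout is standard DNS wire format.

```python
import struct

A_RECORD = 1
OPT_RECORD = 41
TC_FLAG = 0x0200


def _encode_name(name):
    """Encode a dotted name as DNS labels terminated by the root label."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def _opt_rr(udp_payload):
    """EDNS0 OPT pseudo-RR: root name, type 41, CLASS carries the UDP payload size."""
    return b"\x00" + struct.pack("!HHIH", OPT_RECORD, udp_payload, 0, 0)


def build_query(name, qtype=A_RECORD, udp_payload=4096):
    """Constructed query (ID 0x1234, RD=1) with one question and an EDNS0 OPT record."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 1)
    question = _encode_name(name) + struct.pack("!HH", qtype, 1)
    return header + question + _opt_rr(udp_payload)


def build_response(name, addrs, tc=False, udp_payload=4096):
    """Constructed response: one A record per address, optional TC bit, EDNS0 OPT record."""
    flags = 0x8180 | (TC_FLAG if tc else 0)  # QR, RD, RA (+TC)
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, len(addrs), 0, 1)
    body = _encode_name(name) + struct.pack("!HH", A_RECORD, 1)
    for a in addrs:
        # Owner name is a compression pointer (0xC00C) back to the question name.
        rdata = bytes(int(x) for x in a.split("."))
        body += b"\xc0\x0c" + struct.pack("!HHIH", A_RECORD, 1, 300, len(rdata)) + rdata
    return header + body + _opt_rr(udp_payload)


def _skip_name(msg, off):
    """Advance past a wire-format name, handling compression pointers."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def parse(msg):
    """Return header facts a resolver cares about: TC bit, answer count, EDNS UDP size."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # QTYPE + QCLASS
    edns_size = None
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT_RECORD:
            edns_size = rclass  # CLASS field of OPT = sender's max UDP payload
    return {"id": txid, "tc": bool(flags & TC_FLAG), "answers": an, "edns_udp_size": edns_size}


def passes_legacy_filter(msg, transport, max_udp=512):
    """Toy model (assumption) of the old default: udp/53 capped at 512 bytes, tcp/53 denied."""
    if transport == "tcp":
        return False
    return len(msg) <= max_udp


def passes_fixed_filter(msg, transport, max_udp=2048):
    """Toy model (assumption) matching the ASA snippet: 2048-byte cap, tcp/53 permitted."""
    if transport == "tcp":
        return True
    return len(msg) <= max_udp


def next_step(response):
    """Resolver rule: a TC=1 response means the query must be retried over TCP."""
    return "retry over tcp" if response["tc"] else "use answer"


if __name__ == "__main__":
    big = build_response("example.com", ["192.0.2.%d" % i for i in range(1, 41)])
    truncated = build_response("example.com", [], tc=True, udp_payload=512)
    print("large reply bytes:", len(big))
    print("legacy udp:", passes_legacy_filter(big, "udp"), "fixed udp:", passes_fixed_filter(big, "udp"))
    print("truncated ->", next_step(parse(truncated)), "| legacy tcp:", passes_legacy_filter(big, "tcp"))
```

Run as-is and it prints the 680-byte reply being dropped by the legacy model and accepted by the 2048-byte one, then the TC=1 retry that the tcp/53 block would swallow; the same parse() can be pointed at a real captured DNS payload to check what UDP size a peer is advertising.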
More information about the NANOG mailing list