Re: [fw-wiz] How does your firewall handle DNS messages >
We use a PIX, but rather than change its config we chose this:
C:\> dnscmd DNSSERVER /Config /EnableEDnsProbes 0
Much easier and DNS still "just works."
On Tue, 2006-08-29 at 15:13 -0400, Dave Piscitello wrote:
> Hi all,
> I am trying to understand how different firewalls behave when they
> receive a UDP datagram containing a DNS message that uses EDNS0 (RFC
> 2671) to support message sizes greater than the 512 maximum specified in
> RFC 1035 (original DNS).
> - does your firewall block/silently discard such messages by default?
> - do you know the command to allow the message if blocked by default?
> I've found dozens of claims that firewalls don't handle EDNS0 correctly,
> but after a long search, I've only found URLs indicating that Firewall-1
> and Pix block by default and have workarounds.
> I'm curious whether SonicWall, Netscreen, Symantec, etc. behave
> similarly. I'd also be curious to learn the behavior of IPS devices and
> DNS proxies (Watchguard, WinProxy, etc).
> You can send replies directly to me and I'll compile responses and post
> to the list to save electrons.
> Thanks in advance,
> firewall-wizards mailing list
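The question above is really about whether a path passes a DNS query carrying the EDNS0 OPT pseudo-RR (RFC 2671) and the larger reply it invites. The following script is an added example, not code from the thread or from any vendor: it builds a plain query and an EDNS0 query advertising a 4096-byte UDP payload, parses whatever comes back, and classifies the outcome (silent drop, OPT stripped, truncated, or passing). The server name, the probe name and the sample reply bytes are constructed for illustration.

```python
"""Probe whether EDNS0 (RFC 2671) DNS messages survive a firewall path.
Added example for the firewall-wizards thread; not from any vendor.
Builds queries with and without an OPT pseudo-RR, parses the reply and
reports whether the OPT record and the TC (truncation) bit came back."""
import socket
import struct

DNS_TYPE_A = 1
DNS_TYPE_OPT = 41          # RFC 2671 OPT pseudo-RR
CLASSIC_MAX_UDP = 512      # RFC 1035 UDP limit the question refers to


def build_query(name, qid=0x1234, qtype=DNS_TYPE_A, edns_payload=None):
    """Return a DNS query for `name`. If edns_payload is set, append an OPT
    RR in the additional section advertising that UDP payload size."""
    arcount = 1 if edns_payload else 0
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, arcount)  # RD=1
    qname = b"".join(struct.pack("B", len(label)) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)  # QCLASS IN
    msg = header + question
    if edns_payload:
        # OPT: root name, TYPE 41, CLASS = UDP payload size,
        # TTL = extended RCODE/version/flags (0), RDLENGTH = 0
        msg += b"\x00" + struct.pack("!HHIH", DNS_TYPE_OPT, edns_payload, 0, 0)
    return msg


def _skip_name(data, off):
    """Advance past a (possibly compressed) domain name; return new offset."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer, 2 bytes total
            return off + 2
        off += 1 + length


def parse_message(data):
    """Parse the header and walk every section; report TC bit, RCODE,
    answer count, message size and the payload size of any OPT RR."""
    if len(data) < 12:
        raise ValueError("short DNS message")
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    info = {"id": qid, "qr": bool(flags & 0x8000), "tc": bool(flags & 0x0200),
            "rcode": flags & 0x000F, "answers": an, "size": len(data),
            "opt_payload": None}
    off = 12
    for _ in range(qd):
        off = _skip_name(data, off) + 4          # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(data, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        if rtype == DNS_TYPE_OPT:
            info["opt_payload"] = rclass         # CLASS field carries the size
        off += 10 + rdlen
    return info


def classify(plain, edns):
    """Interpret a probe. `plain`/`edns` are parsed replies, or None when the
    query timed out (the silent-discard case the thread asks about)."""
    if plain is None and edns is None:
        return "no DNS reply at all: resolver unreachable, not an EDNS0 issue"
    if edns is None:
        return "EDNS0 query dropped while plain query answered: EDNS0 blocked on path"
    if edns["opt_payload"] is None:
        return "reply carried no OPT RR: EDNS0 stripped or server lacks EDNS0"
    if edns["tc"]:
        return "EDNS0 reply truncated: client will retry over TCP"
    return "EDNS0 passes (advertised %d bytes)" % edns["opt_payload"]


def probe(server, name, timeout=3.0):
    """Send a plain and an EDNS0 query over UDP/53; return (plain, edns)
    parsed replies, with None in place of a timed-out query."""
    results = []
    for payload in (None, 4096):
        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        sock.settimeout(timeout)
        try:
            sock.sendto(build_query(name, edns_payload=payload), (server, 53))
            data, _ = sock.recvfrom(65535)
            results.append(parse_message(data))
        except socket.timeout:
            results.append(None)
        finally:
            sock.close()
    return tuple(results)


def sample_reply(tc=False):
    """Constructed reply for offline use: one A answer plus an OPT RR."""
    flags = 0x8180 | (0x0200 if tc else 0)          # QR=1, RD=1, RA=1 (+TC)
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, 1, 0, 1)
    question = b"\x07example\x03com\x00" + struct.pack("!HH", DNS_TYPE_A, 1)
    answer = (b"\xc0\x0c" + struct.pack("!HHIH", DNS_TYPE_A, 1, 300, 4)
              + bytes([192, 0, 2, 1]))             # 192.0.2.1 is documentation space
    opt = b"\x00" + struct.pack("!HHIH", DNS_TYPE_OPT, 4096, 0, 0)
    return header + question + answer + opt


if __name__ == "__main__":
    # Offline demonstration on the constructed reply; for a live check call
    # probe("<resolver-ip>", "<name>") from inside the firewall.
    print(classify(parse_message(build_query("example.com")),
                   parse_message(sample_reply())))
```

Run `probe()` from a host behind the firewall against a resolver on the far side: a plain reply with no reply to the EDNS0 query is the "silently discarded" behaviour the question describes, while a reply whose OPT RR is missing points at a device that rewrites the message rather than dropping it. The dnscmd workaround above avoids the issue by never sending the OPT RR at all, so after applying it the probe will still report "no OPT RR" even though nothing on the path blocks EDNS0.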