We use a PIX, but rather than change its config we chose this:
C:\> dnscmd DNSSERVER /Config /EnableEDnsProbes 0

Much easier and DNS still "just works."

Ron Smith

On Tue, 2006-08-29 at 15:13 -0400, Dave Piscitello wrote:
> Hi all,
>
> I am trying to understand how different firewalls behave when they
> receive a UDP datagram containing a DNS message that uses EDNS0 (RFC
> 2671) to support message sizes greater than the 512 maximum specified in
> RFC 1035 (original DNS).
>
> Specifically,
>
> - does your firewall block/silently discard such messages by default?
> - do you know the command to allow the message if blocked by default?
>
> I've found dozens of claims that firewalls don't handle EDNS0 correctly,
> but after a long search, I've only found URLs indicating that Firewall-1
> and Pix block by default and have workarounds.
>
> I'm curious whether SonicWall, Netscreen, Symantec, etc. behave
> similarly. I'd also be curious to learn the behavior of IPS devices and
> DNS proxies (Watchguard, WinProxy, etc).
>
> You can send replies directly to me and I'll compile responses and post
> to the list to save electrons.
>
> Thanks in advance,
>
> Dave
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@listserv.icsalabs.com
> https://listserv.icsalabs.com/mailma...rewall-wizards

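Dave's question above is about UDP datagrams that carry an EDNS0 OPT pseudo-RR (RFC 2671). The Python below is added here as an illustration and is not part of either message: it parses a wire-format DNS message, finds the OPT record in the additional section, and reports the advertised UDP payload size, so a defender can tell which queries ask for more than the 512-byte limit of RFC 1035. The build_query helper and the example.com query are constructed sample input.

```python
import struct

def _skip_name(msg, off):
    """Advance past a (possibly compressed) domain name; return the new offset."""
    while True:
        length = msg[off]
        if length == 0:                   # root label terminates the name
            return off + 1
        if length & 0xC0 == 0xC0:         # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length

def _skip_rr(msg, off):
    """Skip one ordinary resource record (name, 10 fixed bytes, RDATA)."""
    off = _skip_name(msg, off)
    rdlength = struct.unpack_from("!H", msg, off + 8)[0]
    return off + 10 + rdlength

def edns_info(msg):
    """Return EDNS0 details of a DNS message, or None if it has no OPT RR."""
    qd, an, ns, ar = struct.unpack_from("!HHHH", msg, 4)
    off = 12                              # fixed-size header
    for _ in range(qd):
        off = _skip_name(msg, off) + 4    # QTYPE + QCLASS
    for _ in range(an + ns):
        off = _skip_rr(msg, off)
    for _ in range(ar):
        start = _skip_name(msg, off)
        rrtype, udp_size, ttl, rdlength = struct.unpack_from("!HHIH", msg, start)
        if rrtype == 41:                  # OPT: CLASS field carries the UDP payload size
            return {"udp_payload_size": udp_size,
                    "version": (ttl >> 16) & 0xFF,
                    "exceeds_512": udp_size > 512}
        off = start + 10 + rdlength
    return None

def build_query(name, payload_size=4096, edns=True):
    """Constructed sample: an A query for name, optionally with an OPT RR."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 1 if edns else 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    question = qname + struct.pack("!HH", 1, 1)          # QTYPE=A, QCLASS=IN
    opt = b"\x00" + struct.pack("!HHIH", 41, payload_size, 0, 0) if edns else b""
    return header + question + opt

if __name__ == "__main__":
    print(edns_info(build_query("example.com")))        # constructed query
```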