topic Re: ios firewall DNSSEC in Network Security

ios firewall DNSSEC

ROBERTO TACCON — Mon, 11 Mar 2019 17:33:29 GMT

Hi,

as recent increases in DNSSEC deployment are exposing problems with DNS resolvers that cannot receive large responses:

WHICH ARE THE CONFIGURATION OPTION AVAILABLE FOR DNS ON CISCO IOS FIREWALL and IOS ZONE BASED FIREWALL ?

The maximim reply size between a DNS server and resolver may be limited by a number of factors:

- If a resolver does not support the Extension Mechanisms for DNS (EDNS), replies are limited to 512 bytes.

- The resolver may be behind a firewall that blocks IP fragments.

- Some DNS-aware firewalls block responses larger than 512 bytes.

DNSSEC responses may not fit into one 512-byte UDP packet. When UDP queries fail, clients may revert automatically to TCP. Where both TCP and EDNS0 are not supported, DNS queries on signed domains may fail.

* SOLUTIONS

** JUNIPER

SCREENOS

This setting is enforced by Deep Inspection and can be changed with the following command:

set di service dns udp_message_limit 512 - 4096

The default size is 512

* CISCO

PIX / ASA / FWSM

http://www.cisco.com/web/about/security/intelligence/dns-bcp.html#5

DNS message size limitations:
DNS amplification and reflection attacks are more effective when leveraging large DNS messages than small DNS message sizes. The message-length parameters submode command for policy-map type inspect dns can be used to ensure that message sizes to not exceed a specified size thus reducing the efficiency of these attacks.

This feature is available beginning with software release 7.2(1) for Cisco ASA and Cisco PIX Firewalls. This feature is available beginning with software release 3.1 for FWSM Firewalls. This function is enabled by default with a limit of 512 bytes.

For example, in earlier versions of PIX (6.3.2 and below), you had to manually configure the DNS fixup to permit DNS packets with the longer length :

fixup protocol dns maximum-length 4096

in more recent versions, it would be covered by :

policy-map type inspect dns preset_dns_map
parameters
message-length maximum 4096

or to increase the response size length:

policy-map global_policy
class inspection_default
inspect dns maximum-length 4096

Regards

Roberto Taccon

Re: ios firewall DNSSEC

Panos Kampanakis — Fri, 16 Apr 2010 22:27:07 GMT

IOS (CBAC or ZBF) dns inspection will not drop DNSSec packets.

So, it will not break DNSSec.

Re: ios firewall DNSSEC

ROBERTO TACCON — Sun, 18 Apr 2010 12:25:57 GMT

Hi,

as it's not supported can you confirm if with IOS firewall and IOS ZBF the DNS packets are limit by "message-length maximum 512" bytes ?

Thanks

Roberto Taccon

Re: ios firewall DNSSEC

andyirving — Wed, 21 Apr 2010 13:48:11 GMT

I have the following default config on my ASA version 8.2(2).

policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map netflow-policy
class netflow-export-class
flow-export event-type all destination ITL01-FMSDEMO
policy-map global_policy
description Netflow
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp

As can be seen the maximum length is 512 bytes, however if I dig an EDNS server I confirm I get much more than 512 bytes!

From my PC running dig

c:\dig> dig @158.43.128.1 +short rs.dns-oarc.net txt

rst.x3827.rs.dns-oarc.net.

rst.x3837.x3827.rs.dns-oarc.net.

rst.x3843.x3837.x3827.rs.dns-oarc.net.

"62.189.58.236 DNS reply size limit is at least 3843"

"62.189.58.236 sent EDNS buffer size 4096"

"Tested at 2010-04-21 13:44:22 UTC"

So current ASAs you do not need to change the configuration at all, the policy-map is just for DNS not EDNS that DNSSEC uses.

Re: ios firewall DNSSEC

ROBERTO TACCON — Wed, 21 Apr 2010 14:07:00 GMT

Hi,

can you paste the output of "show service-policy inspect dns" ?

http://www.cisco.com/web/about/security/intelligence/dns-bcp.html#5

- Are there someone @Cisco that can tell us if the ASA is aware about the EDNS (from which version) ?

- Are there someone @Cisco that can tell us if the IOS FIREWALL and IOS ZONE BASED FIREWALL is aware about the EDNS (from which version) ?

Thanks to all.

Roberto Taccon

Re: ios firewall DNSSEC

andyirving — Wed, 21 Apr 2010 14:34:19 GMT

show service-policy inspect dns

Global policy:
Service-policy: global_policy
    Class-map: inspection_default
      Inspect: dns preset_dns_map, packet 1706599, drop 3746, reset-drop 0
        message-length maximum 512, drop 0
        dns-guard, count 560373
        protocol-enforcement, drop 0
        nat-rewrite, count 0

Re: ios firewall DNSSEC

ROBERTO TACCON — Wed, 21 Apr 2010 14:56:39 GMT

Hi to All,

- Are there someone @Cisco that can tell us if the ASA is aware about the EDNS (from which version) ?

- Are there someone @Cisco that can tell us if the IOS FIREWALL and IOS ZONE BASED FIREWALL is aware about the EDNS (from which version) ?

- or open a TAC case and ask ...

Regards

Roberto Taccon