PIX 515 won't pass large DNS replies

tmadden
Level 1

I've discovered that I can't surf most of Yahoo.com because my PIX is blocking the DNS replies from Yahoo's DNS servers to my private DNS servers. Using packet monitoring software on both the public and private sides of the PIX, I can see the requests go out and the replies come back in, but most of those replies are bigger than 512 bytes and aren't passed through the PIX.

Cisco bug CSCds58726 says this:

Headline DOC: PIX drops DNS packets of sizes greater than 512 bytes

-- moderator edit --

-- moderator note: Cisco product bugs are viewable to Customers with a valid support contract using Bug Toolkit http://www.cisco.com/cgi-bin/Support/Bugtool/launch_bugtool.pl

Does anyone else have this problem and does anyone know of a way around this? My company needs access to Yahoo financials and we can't get to most of them. I don't think I can use an external DNS server because I have a split DNS configuration.

I don't have a "Cisco Account Team", but I guess I can call my sales rep, whoever that is.

TIA

Tim

5 Replies

smahbub
Level 6

I had a look at the bug too. or till support for RFC 2671 is incorporated in one of the later releases. In the meantime, what you could try is to explicitly permit all traffic from the Yahoo DNS server. I guess that should give you a stopgap solution, though you need to be wary of the security implications of doing this.

I already tried that, to no avail. Even allowing all IP from Yahoo's DNS wouldn't do it. I also looked at some way of manipulating a "fixup DNS" command, but nothing hit me like it might work.

BTW, it looks like a portion of your second sentence got chopped. Did we miss anything important?

j.kougoulos
Level 4

What is your internal DNS server? (BIND, MS, versions?)

I believe that if you are using BIND 9 you can specify "edns no" in the configuration file, which will make it use the old way of getting long answers (reverting to TCP).

Regards,

John
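
As an added illustration (not code from this thread or from Cisco/ISC), the Python below builds a resolver query with and without the EDNS0 OPT record that John's "edns no" setting suppresses, and parses a captured DNS message to report the UDP buffer size it advertises, which is what invites replies larger than the 512 bytes the PIX fixup passes. The query name, the 4096-byte buffer size and the reply lengths are constructed values.

```python
import struct

# Classic DNS/UDP limit that the PIX fixup enforced; EDNS0 lets a resolver
# advertise a larger buffer (4096 bytes is typical) and invite bigger replies.
CLASSIC_UDP_LIMIT = 512
OPT_TYPE = 41  # EDNS0 OPT pseudo-RR type (RFC 2671)

def encode_name(name):
    """Dotted hostname -> uncompressed DNS wire-format name."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def build_query(name, edns_size=None):
    """A-record query; if edns_size is set, add an EDNS0 OPT RR to the additional section."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 1 if edns_size else 0)
    msg = header + encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
    if edns_size:
        # OPT RR: root name, TYPE 41, CLASS field = UDP payload size, TTL = flags, empty RDATA
        msg += b"\x00" + struct.pack("!HHIH", OPT_TYPE, edns_size, 0, 0)
    return msg

def skip_name(msg, off):
    """Offset just past a (possibly compressed) name starting at off."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length
        if length == 0:
            return off

def edns_udp_size(msg):
    """UDP payload size advertised in the OPT RR, or None if the message carries no EDNS0."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == OPT_TYPE:
            return rclass
        off += 10 + rdlen
    return None

def dropped_by_512_firewall(msg, reply_len):
    """True when the query invited a UDP reply over 512 bytes that a 512-byte-only
    firewall discards; with EDNS off the server truncates and the client retries over TCP."""
    size = edns_udp_size(msg)
    return size is not None and CLASSIC_UDP_LIMIT < reply_len <= size
```

Run edns_udp_size over a query captured on the outside interface of the PIX: a non-None result means the resolver is still advertising EDNS0 and the setting has not taken effect.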

Ahh...that's one of the things I was hoping to hear, though I would have preferred the info related to BIND 8.x. Since you didn't mention it, I guess there's no equivalent for BIND 8.x? I looked for something along these lines in the documentation and O'Reilly's "DNS and BIND" but came up short.

I've downloaded BIND 9.2.2, but have yet to install/configure it.

You didn't mention your exact BIND version though...
