
PIX blocks Windows Server 2003 EDNS0 (DNS) replies.

swbruce21
Level 1

PIX Firewalls earlier than version 6.3(2) block DNS query responses if the query comes from Server 2003 and the external DNS server supports EDNS0. Microsoft's workaround of disabling DNS probes did not solve the problem. Short of updating the IOS, is there a way to change the DNS UDP packet size limit that is currently set on the PIX, or some other solution?

4 Replies

mhussein
Level 4

In PIX OS 6.3, it is possible to change the maximum DNS packet length using the "fixup protocol" command:

fixup protocol dns maximum-length

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_command_reference_chapter09186a00801727a8.html#wp1067379

Or disable DNS fixup altogether (no fixup protocol dns).

I don't think there is any workaround with OS 6.2 and earlier, since the "DNS Guard" feature is hard-coded with no knobs for tweaking.

These threads are related to the same issue:

http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Security&topic=Firewalling&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.1dd75208

http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Security&topic=Firewalling&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.1dd7c059

HTH,

Mustafa

Thanks, I mentioned in my question that I had disabled DNS probes. I found some newsgroups that indicated that in some cases the problem would persist, as it had in mine. I am glad it solved your problem.

Thank You - very helpful

sweaver
Level 1

I had the same problem and resolved it back in November using this procedure. Make sure you do it on the BDC also. Stop/restart the DNS service or reboot the domain controllers.

For those customers using the Microsoft Windows 2003 Server's DNS application, you must first install the dnscmd.exe command-line tool from the Microsoft Windows 2003 Server CD-ROM's Support Tools. Once this is installed, open a DOS command prompt window and type:

dnscmd /config /enableednsprobes 0

This will turn off EDNS.

If at a future time the customer upgrades their firewall application to support EDNS, running "dnscmd /config /enableednsprobes 1" will turn EDNS back on.
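The mechanism behind both fixes in this thread (Mustafa's "fixup protocol dns maximum-length" knob and the "dnscmd /config /enableednsprobes 0" workaround above) is the same: with EDNS0 probes on, the Windows 2003 resolver sends an OPT record advertising a large UDP payload size, the remote server answers with a reply longer than 512 bytes, and a PIX before 6.3(2) drops anything over the classic 512-byte DNS/UDP limit. With probes off, the query carries no OPT record, so a standards-conforming server truncates at 512 bytes, sets TC, and the resolver retries over TCP, which DNS Guard leaves alone. The following is an added example, not code from this thread, from Cisco or from Microsoft: it builds both kinds of query, models the authoritative server's reply, and applies a 512-byte drop rule as a stand-in for the PIX behaviour the original poster describes. All messages and addresses are constructed inline; the 512-byte rule and the record layout are assumptions made for illustration, and raising max_len in dns_guard() stands in for the 6.3 maximum-length setting.

```python
"""
Why an EDNS0-capable resolver's replies die at a 512-byte DNS Guard, and why
turning EDNS0 probes off makes them fit.  Every message here is constructed in
this file (not captured from a real server); the 512-byte drop rule is a model
of the pre-6.3(2) PIX behaviour described in the thread, not Cisco's code.
"""
import struct

CLASSIC_LIMIT = 512   # RFC 1035 UDP maximum, and the assumed PIX DNS Guard limit
OPT_TYPE = 41         # EDNS0 OPT pseudo-RR type


def encode_name(name):
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def read_name(msg, off):
    """Decode a name at off, following a compression pointer if present.
    Returns (name, offset just past the name's wire form)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length == 0:
            off += 1
            break
        if length & 0xC0 == 0xC0:                  # pointer: rest of name lives elsewhere
            end = end or off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length
    return ".".join(labels), (end or off)


def build_query(name, txid=0x1234, edns_udp_size=4096):
    """A-record query.  With edns_udp_size set, an OPT RR in the additional
    section advertises that UDP payload size: this is what an EDNS0 probe is."""
    msg = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if edns_udp_size else 0)
    msg += encode_name(name) + struct.pack("!HH", 1, 1)           # QTYPE A, QCLASS IN
    if edns_udp_size:
        # OPT RR: root name, TYPE 41, CLASS = requestor's UDP payload size, TTL 0, RDLEN 0
        msg += b"\x00" + struct.pack("!HHIH", OPT_TYPE, edns_udp_size, 0, 0)
    return msg


def build_reply(name, txid, addrs, edns_udp_size=None, truncated=False):
    flags = 0x8180 | (0x0200 if truncated else 0)                 # QR RD RA [TC]
    msg = struct.pack("!HHHHHH", txid, flags, 1, len(addrs), 0, 1 if edns_udp_size else 0)
    msg += encode_name(name) + struct.pack("!HH", 1, 1)
    for a in addrs:                                               # 16 bytes per A record
        # owner name is a compression pointer (0xC00C) back to the question name at offset 12
        msg += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes(int(x) for x in a.split("."))
    if edns_udp_size:                                             # server echoes its own OPT RR
        msg += b"\x00" + struct.pack("!HHIH", OPT_TYPE, edns_udp_size, 0, 0)
    return msg


def parse(msg):
    """Header fields, question name, and the EDNS0 UDP size if an OPT RR is present."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, qname = 12, None
    for _ in range(qd):
        qname, off = read_name(msg, off)
        off += 4                                                  # QTYPE + QCLASS
    edns = None
    for _ in range(an + ns + ar):
        _, off = read_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT_TYPE:
            edns = rclass                                         # CLASS field carries the size
    return {"txid": txid, "qname": qname, "tc": bool(flags & 0x0200),
            "answers": an, "edns_udp_size": edns, "length": len(msg)}


def answer_query(query, addrs):
    """A well-behaved authoritative server: send the whole reply if the query
    advertised room for it, otherwise at most 512 bytes with TC set so the
    resolver retries over TCP (plain RFC 1035 behaviour)."""
    q = parse(query)
    limit = q["edns_udp_size"] or CLASSIC_LIMIT
    full = build_reply(q["qname"], q["txid"], addrs, q["edns_udp_size"])
    if len(full) <= limit:
        return full
    fixed = 12 + len(encode_name(q["qname"])) + 4 + (11 if q["edns_udp_size"] else 0)
    n_fit = (limit - fixed) // 16                                 # whole A records that fit
    return build_reply(q["qname"], q["txid"], addrs[:n_fit], q["edns_udp_size"], truncated=True)


def dns_guard(reply, max_len=CLASSIC_LIMIT):
    """Model of the pre-6.3(2) PIX: any DNS/UDP reply longer than max_len is
    dropped, whatever the OPT RR negotiated.  A larger max_len stands in for
    6.3's 'fixup protocol dns maximum-length'."""
    return "pass" if len(reply) <= max_len else "drop"


ADDRS = [f"10.0.{i // 256}.{i % 256}" for i in range(40)]        # constructed: 40 A records


if __name__ == "__main__":
    for probes_on in (True, False):
        q = build_query("dc1.example.com", edns_udp_size=4096 if probes_on else None)
        r = answer_query(q, ADDRS)
        p = parse(r)
        print(f"EDNS probes {'on ' if probes_on else 'off'}: reply {p['length']} bytes, "
              f"answers={p['answers']}, TC={p['tc']}, DNS Guard -> {dns_guard(r)}")
```

Run as a script, the EDNS0 case produces a 684-byte reply that the 512-byte rule drops, while the probes-off case yields a 497-byte truncated reply that passes (the resolver then retries over TCP, which the fixup does not length-check). The same check can be pointed at a real capture: feed the UDP payload of a reply to parse() and dns_guard() to see whether a length limit, rather than the DNS server, is what is eating the answers.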
