05-01-2005 04:07 AM - edited 02-21-2020 12:07 AM
PIX Firewall versions earlier than 6.3(2) block DNS query responses if the query comes from Server 2003 and the external DNS server supports EDNS0. Microsoft's workaround of disabling DNS probes did not solve the problem. Short of updating the IOS, is there a way to change the DNS UDP packet size limit that is currently set on the PIX? Or some other solution?
05-01-2005 10:34 AM
In PIX OS 6.3, it is possible to change the maximum DNS packet length using the "fixup protocol" command:
fixup protocol dns maximum-length <length>
Or disable the DNS fixup altogether (no fixup protocol dns).
I don't think there is any workaround with OS 6.2 and earlier, since the "DNS Guard" feature is hard-coded with no knobs for tweaking.
These threads are related to the same issue:
HTH,
Mustafa
05-02-2005 11:00 AM
Thanks, I mentioned in my question that I had disabled DNS probes. I found some newsgroups that indicated that in some cases the problem would persist, as it had in mine. I am glad it solved your problem.
05-02-2005 11:17 AM
Thank you - very helpful.
05-02-2005 06:34 AM
I had the same problem and resolved it back in November using this procedure. Make sure you do it on the BDC also. Stop/restart the DNS service or reboot the domain controllers.
For those customers using the Microsoft Windows 2003 Server's DNS
application, you must first install the dnscmd.exe command-line tool
from the Microsoft Windows 2003 Server CD-ROM's Support Tools. Once
this is installed, open a DOS command prompt window and type:
dnscmd /config /enableednsprobes 0
This will turn off EDNS.
If at a future time the customer upgrades their firewall application
to support EDNS, running "dnscmd /config /enableednsprobes 1" will
turn EDNS back on.