503 Views, 0 Helpful, 1 Reply

udp associated with DNS queries

hyperknowledge
Level 1

I am trying to transfer the IP table rules to PIX501 firewall access list.

In our IP table rules, we set up UDP rules to protect DNS:

$IPTABLES -A udp_chains -p udp -d 158.152.1.13 --dport 53 -m state --state NEW -j ACCEPT

$IPTABLES -A udp_chains -p udp -s 158.152.1.13 --sport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT

But when I try to set up the same rule in the PIX firewall, I can't find any syntax I can use to specify the state. Is it possible to do so in PIX?

Also, I noticed the PIX firewall acts like a Domain Name System (DNS) Guard. It seems the firewall will automatically handle UDP associated with DNS queries. Does it mean I don't need to set up those rules I mentioned above at all?

1 Accepted Solution

Accepted Solutions

jmia
Level 7

Hi,

The Cisco PIX has a built-in DNS guard, so no, you will not need to configure your IP chains.

DNS Guard:

DNS Guard identifies an outbound DNS query request and allows only a single DNS response back to the sender. A host may query several servers for a response in case the first server is slow in responding; however, only the first answer to the specific question will be allowed back in. All the additional answers from other servers are dropped. After the client issues a DNS request, a dynamic translation allows UDP packets to return from the DNS server. The default UDP timer expires in two minutes. Because DNS is frequently attacked, leaving the translation open for two minutes creates an unnecessary risk. DNS Guard is enabled by default and cannot be configured or disabled. DNS Guard performs the following actions:

Automatically tears down the UDP translation on the PIX Firewall as soon as the DNS response is received. It doesn't wait for the default UDP timer to close the session.

Protects against UDP session hijacking and denial of service (DoS) attacks.

The PIX does not handle IP chain rules; you'll need to configure ACLs.

Hope this helps and if it does please rate post.
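As an added illustration (not part of this thread and not Cisco's code), the following Python model contrasts the two behaviours jmia describes: a plain UDP pinhole that stays open for the default two-minute idle timer, and DNS Guard, which accepts exactly one answer to a question and tears the pinhole down immediately. The packets and addresses are constructed, and the choice to match a response to its question by client address, client port and DNS transaction ID is an assumption of this model, not something the thread specifies.

```python
"""Toy model of the DNS Guard behaviour described in the thread above.

Added example, not Cisco's code. Each packet is a constructed tuple; the
"pinhole" table stands in for the dynamic UDP translation the PIX opens
when a client sends a DNS query. Two policies are compared:

  - UDP timer only: the pinhole stays open until UDP_TIMEOUT seconds of
    idle time have passed, so every response in that window gets in.
  - DNS Guard: the first matching response is accepted and the pinhole
    is torn down at once; later answers to the same question are dropped.
"""
from dataclasses import dataclass

UDP_TIMEOUT = 120.0  # default UDP idle timer the answer mentions (two minutes)


@dataclass(frozen=True)
class Packet:
    t: float        # arrival time in seconds (packets are fed in order)
    src: str
    sport: int
    dst: str
    dport: int
    txid: int       # DNS transaction ID carried in the UDP payload
    response: bool  # True for an answer coming back from a server


def _key(pkt: Packet) -> tuple:
    """Pinhole key: client address, client port and transaction ID.

    Assumption of this model: a response 'matches the specific question'
    when it is addressed back to the querying socket with the same txid,
    regardless of which server sent it.
    """
    if pkt.response:
        return (pkt.dst, pkt.dport, pkt.txid)
    return (pkt.src, pkt.sport, pkt.txid)


class Firewall:
    def __init__(self, dns_guard: bool) -> None:
        self.dns_guard = dns_guard
        self.pinholes: dict = {}  # key -> time the pinhole was last used

    def _expire(self, now: float) -> None:
        stale = [k for k, t0 in self.pinholes.items() if now - t0 > UDP_TIMEOUT]
        for k in stale:
            del self.pinholes[k]

    def process(self, pkt: Packet) -> str:
        self._expire(pkt.t)
        key = _key(pkt)
        if not pkt.response:
            if pkt.dport != 53:
                return "DROP"            # only outbound DNS queries open a pinhole
            self.pinholes[key] = pkt.t
            return "ACCEPT"
        if key not in self.pinholes:
            return "DROP"                # unsolicited answer, nothing was asked
        if self.dns_guard:
            del self.pinholes[key]       # first answer closes the translation
        else:
            self.pinholes[key] = pkt.t   # plain UDP: idle timer is refreshed
        return "ACCEPT"


def run(dns_guard: bool, packets: list) -> list:
    """Return the verdict for each packet under the chosen policy."""
    fw = Firewall(dns_guard)
    return [fw.process(p) for p in packets]


# Constructed traffic: one query, then a series of answers.
CLIENT = "192.0.2.10"
PACKETS = [
    Packet(0.0, CLIENT, 40000, "198.51.100.53", 53, 0x1A2B, False),   # the query
    Packet(0.2, "198.51.100.53", 53, CLIENT, 40000, 0x1A2B, True),    # genuine answer
    Packet(0.5, "198.51.100.53", 53, CLIENT, 40000, 0x9999, True),    # answer to a question never asked
    Packet(1.0, "203.0.113.7", 53, CLIENT, 40000, 0x1A2B, True),      # second answer from another server
    Packet(30.0, "198.51.100.53", 53, CLIENT, 40000, 0x1A2B, True),   # late duplicate inside the 2-minute window
    Packet(200.0, "198.51.100.53", 53, CLIENT, 40000, 0x1A2B, True),  # after the idle timer would have expired
]

if __name__ == "__main__":
    for guard in (False, True):
        label = "DNS Guard" if guard else "UDP timer only"
        print(f"{label:15s}", run(guard, PACKETS))
```

Under the timer-only policy the second server's answer and the late duplicate are both let through because the translation is still open; under DNS Guard only the first answer is accepted and everything after it is dropped, which is the smaller exposure window the answer refers to. In either policy the answer with an unknown transaction ID never matches an open pinhole.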

