Justin Shore wrote:
Jon Kibler wrote:
Various hardening documents for Cisco routers specify the best practices are to only allow 53/tcp connections to/from secondary name servers. Plus, from all I can tell, Cisco's 'ip inspect dns' CBAC appears to only handle UDP data connections and anything TCP would be denied. From what you are saying, the hardening recommendations are wrong and that CBAC may break some DNS responses. Is this correct?
A number of Cisco default from years gone by would break DSN, today, in it's current form. Such as how PIXs and ASAs with fixup/DPI would block udp/53 packets larger than 512 bytes, not permitting EDNS packets through.
Thunderbird apparently thought that I was ready to send my message before I did. I was going to add some ASA config as an example. policy-map type inspect dns migrated_dns_map_1 parameters message-length maximum 2048 I don't have an IOS CBAC example but there's surely something similar. Justin