lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <9B66BBD37D5DD411B8CE00508B69700F033F29B8@pborolocal.rnib.org.uk>
From: John.Airey at rnib.org.uk (John.Airey@...b.org.uk)
Subject: Fw: [NTBUGTRAQ] Win 2003 DNS requests makes
	 replies over 512 byte PIX limit

> -----Original Message-----
> From: hggdh [mailto:hggdh@...bi.com]
> Sent: 08 May 2003 18:09
> To: full-disclosure@...ts.netsys.com
> Subject: [Full-Disclosure] Fw: [NTBUGTRAQ] Win 2003 DNS requests makes
> replies over 512 byte PIX limit
> 
> 
> FYI. Any ideas?
> ----- Original Message ----- 
> From: "DeAvillez, Carlos" <Carlos_DeAvillez@...rcomm.com>
> To: <hggdh@...bi.com>
> Sent: Thursday, May 08, 2003 12:08
> Subject: FW: [NTBUGTRAQ] Win 2003 DNS requests makes replies 
> over 512 byte
> PIX limit
> 
> 
> >
> >
> > -----Original Message-----
> > From: DeAvillez, Carlos
> > Sent: Thursday, May 08, 2003 12:02
> > To: 'hddgh@...bi.com'
> > Subject: FW: [NTBUGTRAQ] Win 2003 DNS requests makes 
> replies over 512
> > byte PIX limit
> >
> >
> >
> >
> > -----Original Message-----
> > From: Loucks, Jason [mailto:loucks@...MPROD.COM]
> > Sent: Thursday, May 08, 2003 08:59
> > To: NTBUGTRAQ@...TSERV.NTBUGTRAQ.COM
> > Subject: [NTBUGTRAQ] Win 2003 DNS requests makes replies 
> over 512 byte
> > PIX limit
> >
> >
> > We recently upgraded our DNS servers to Win 2003.  After 
> this time, it
> > became apparent that we are unable to send email to some 
> domains which
> > had been working fine before.
> >
> >
> >
> > After much investigation as to why it "suddenly" stopped working, we
> > determined that Win 2003 requests everything but the 
> kitchen cupboard in
> > its DNS requests,  apparently using RFC 2671 to specify the 
> ability to
> > accept >512 byte UDP replies.
> >
> >
> >
> > We are running the latest version (6.3.1) on our Cisco PIX and it
> > appears that there is hard limit of 512 bytes on ANY UDP packets
> > arriving on port 53.  Everything exceeding that is dropped.
> >
> >
> >
> > Has anyone else seen this problem?


I was under the impression that the latest Pix version is 6.2.1, so I hope
that the above is a typo. 

Assuming that your DNS server is an internal resolver (rather than a primary
or secondary for your domain) there is no reason for it ever to receive
external requests on port 53. The newer Pix versions are very picky about
what they allow through on UDP, so I'm surprised you've ever got anything
through on port 53. 

I've mentioned this issue before on this list (see the thread "SQL Slammer -
lessons learned"), but I'll repeat it again. Your internal resolver only
needs to connect to port 53 of external machines to send email to them. The
connection back to your machine will be on a higher port. The Pix will use
stateful filtering to allow the connection to the higher port (ie it detects
that the connection was originated from the inside).

Try "show conn prot udp" (or "show conn") on the firewall to see where the
connections are really going. Even "netstat -a" on the server should give
you some information about connections.

If however I'm wrong and this DNS server is also your primary or secondary
DNS server, I'd say that it is not a good idea to have this behind your
firewall (and the same goes for web servers). IMNSHO a firewall should
divide your network between publicly accessible parts and private parts,
which if you look at the Cisco site is what they recommend. CERT recommend
that you have a separate network inside your firewall for web servers,
however I think that just over-complicates the matter. 


Let me know if you need any more help.

- 
John Airey, BSc (Jt Hons), CNA, RHCE
Internet systems support officer, ITCSD, Royal National Institute of the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 John.Airey@...b.org.uk 

According to Mein Kampf, the so called "final solution" was merely the
practical application of Natural Selection.

- 

NOTICE: The information contained in this email and any attachments is 
confidential and may be legally privileged. If you are not the 
intended recipient you are hereby notified that you must not use, 
disclose, distribute, copy, print or rely on this email's content. If 
you are not the intended recipient, please notify the sender 
immediately and then delete the email and any attachments from your 
system.

RNIB has made strenuous efforts to ensure that emails and any 
attachments generated by its staff are free from viruses. However, it 
cannot accept any responsibility for any viruses which are 
transmitted. We therefore recommend you scan all attachments.

Please note that the statements and views expressed in this email 
and any attachments are those of the author and do not necessarily 
represent those of RNIB.

RNIB Registered Charity Number: 226227

Website: http://www.rnib.org.uk 

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ