
Netware 6.5 DNS and PIX 500

17 years 10 months ago #11643 by latdyn
Hi All

We are replacing a Caldera box with firewall software with a PIX 500. The current configuration has the primary and secondary DNS for the workstations as the two clustered Netware 6.5 servers inside the network. The servers have an external DNS server configured in their forwarders. In this configuration DNS works and the workstations are able to resolve and browse. If we replace the Linux firewall with the PIX firewall, allowing everything out (initially), the Netware servers can resolve through the firewall but the workstations cannot. Is anybody aware of any special config commands for this setup, or of any PIX/Netware bugs?

17 years 10 months ago #11646 by DaLight
Welcome, latdyn. It seems quite strange that with no egress filtering in place and with your Netware servers able to resolve through the firewall, your workstations are failing to resolve.

Are the workstations definitely still set to obtain their DNS from the Netware servers? You could check the firewall logs to see if any forwarding requests are going to your external DNS from the Netware servers when your workstations make a request.

I just spotted this note on Cisco firewalls which may help:
This issue may occur if a firewall blocks the transfer of UDP packets that are larger than 512 bytes.

With Extension Mechanisms for DNS (EDNS0) as defined in RFC 2671, "Extension Mechanisms for DNS (EDNS0)," DNS requestors can advertise UDP packet size and transfer packets larger than 512 bytes. By default, some firewalls have security features turned on that block UDP packets that are larger than 512 bytes. As a result, DNS queries may fail.

This problem also may occur on some Cisco PIX Firewall models with software that is earlier than PIX Firewall version 6.3(2). The Cisco PIX Firewall drops DNS packets that are sent to User Datagram Protocol (UDP) port 53 that are larger than the configured maximum length. By default, the maximum length for UDP packets is 512 bytes.

If this happens to be your problem, then the resolution depends on the version of your Cisco PIX software:

Cisco PIX, version 6.3(1) and earlier
Early versions of Cisco PIX cannot be configured to pass large DNS packets and must be upgraded to a later version.

Cisco PIX, version 6.3(2) and later
Cisco ASA 5500, version 7.0(1) and later

The default configuration for Cisco PIX does not allow DNS packets larger than 512 bytes to pass. To increase this limit, the following parameter must be changed:

fixup protocol dns maximum-length 4096
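To make the 512-byte point concrete, here is an added example (not from this thread or from Cisco) that builds a DNS query carrying an RFC 2671 EDNS0 OPT record, reads the advertised UDP payload size back out of any DNS message, and checks a constructed 30-answer reply against the PIX fixup maximum-length before and after raising it to 4096. The name www.example.com and the 192.0.2.x addresses are constructed sample data.

```python
import struct

def build_query(name, qtype=1, edns_udp_size=None, txid=0x1234):
    """Minimal DNS query; optionally append an EDNS0 OPT pseudo-RR (RFC 2671)
    whose CLASS field advertises the requestor's UDP payload size."""
    arcount = 1 if edns_udp_size else 0
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, arcount)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lb)]) + lb.encode() for lb in labels) + b"\x00"
    question = qname + struct.pack(">HH", qtype, 1)   # QTYPE, QCLASS IN
    opt = b""
    if edns_udp_size:
        # OPT RR: root name, TYPE 41, CLASS = UDP size, TTL = ext flags, RDLEN 0
        opt = b"\x00" + struct.pack(">HHIH", 41, edns_udp_size, 0, 0)
    return header + question + opt

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        ln = msg[off]
        if ln == 0:
            return off + 1
        if ln & 0xC0 == 0xC0:        # compression pointer, 2 bytes
            return off + 2
        off += 1 + ln

def edns_udp_size(msg):
    """Advertised EDNS0 UDP payload size, or None if the message has no OPT RR."""
    qd, an, ns, ar = struct.unpack(">HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4          # skip QTYPE/QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        if rtype == 41:
            return rclass
        off += 10 + rdlen
    return None

def build_response(name, addrs, txid=0x1234):
    """Constructed reply: the question plus one 16-byte A record per address,
    each using a compression pointer (0xC00C) back to the question name."""
    msg = build_query(name, txid=txid)
    msg = msg[:2] + struct.pack(">HHHHH", 0x8180, 1, len(addrs), 0, 0) + msg[12:]
    for a in addrs:
        rdata = bytes(int(x) for x in a.split("."))
        msg += b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 60, 4) + rdata
    return msg

def pix_drops(msg, maximum_length=512):
    """Would 'fixup protocol dns maximum-length <N>' drop this UDP datagram?"""
    return len(msg) > maximum_length
```

A 30-address reply comes to 513 bytes, one byte over the PIX default, so it is dropped at 512 and passes at 4096.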