[dns-operations] Firewall defaults and EDNS

Mike Hoskins (michoski) michoski at cisco.com
Thu Nov 20 15:12:12 UTC 2014

This is a resource I've used to fix issues for BIND servers behind PIX and


You are right, after much discussion over the years (as an outsider and
insider) newer versions of Cisco defaults have gotten better.  If there
are specific examples of things that are currently broken, I will at least
volunteer to help forward details to the right product teams.  Cisco is a
Big Pond, with my focus far outside the firewall realm, so unfortunately I
can't guarantee more than that.

-----Original Message-----
From: Mark Andrews <marka at isc.org>
Date: Thursday, November 20, 2014 at 3:24 AM
To: Roland Dobbins <rdobbins at arbor.net>
Cc: "dns-operations at dns-oarc.net" <dns-operations at dns-oarc.net>
Subject: Re: [dns-operations] Firewall defaults and EDNS

>In message <2DCA46D6-6073-454A-AF5E-24B9172179F1 at arbor.net>, "Roland
>Dobbins" w
>> On 20 Nov 2014, at 11:16, Mark Andrews wrote:
>> > so I can generate a list of broken by default for EDNS firewalls.
>> While it's a good idea to try and compile a list of firewalls which are
>> broken by default, the far more prevalent issue is the apparently
>> unkillable 'security' myth that one must block TCP/53 as well as DNS
>> responses larger than 512 bytes.
>Well CISCO fixed the later quite a few years ago now.  That doesn't
>mean that their isn't old images still in use.
>If you want to add > 512 being blocked by default to the set of
>broken by default I'll collect that information too.
>Also any know good images and configuration recipes to fix those that
>are broken by default.
>> Irrespective of defaults, folks just unquestioningly slap these rules
>> into place - and then they (or their users) wonder why their DNS is
>> broken.
>> -----------------------------------
>> Roland Dobbins <rdobbins at arbor.net>
>> _______________________________________________
>> dns-operations mailing list
>> dns-operations at lists.dns-oarc.net
>> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
>> dns-jobs mailing list
>> https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
>Mark Andrews, ISC
>1 Seymour St., Dundas Valley, NSW 2117, Australia
>PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
>dns-operations mailing list
>dns-operations at lists.dns-oarc.net
>dns-jobs mailing list

More information about the dns-operations mailing list