[dns-operations] Firewall defaults and EDNS

Mark Andrews marka at isc.org
Thu Nov 20 22:22:47 UTC 2014


In message <D0936937.7A04E%michoski at cisco.com>, "Mike Hoskins (michoski)" writes:
> This is a resource I've used to fix issues for BIND servers behind PIX and
> ASA's:
> 
> http://www.cisco.com/web/about/security/intelligence/dnssec.html
> 
> You are right, after much discussion over the years (as an outsider and
> insider) newer versions of Cisco defaults have gotten better.  If there
> are specific examples of things that are currently broken, I will at least
> volunteer to help forward details to the right product teams.  Cisco is a
> Big Pond, with my focus far outside the firewall realm, so unfortunately I
> can't guarantee more than that.

Thanks Mike.

Please see 

http://users.isc.org/~marka/ts/tld.flagsfail.html
http://users.isc.org/~marka/ts/tld.edns1fail.html
http://users.isc.org/~marka/tld-report.html

Most of the timeouts appear to be due to firewalls dropping EDNS
packets using one of the extension mechanisms (version, flags or
options).  You can see the patterns in the timeouts indicate firewalls
dropping certain types of packets.

EDNS is 15 years old and nameservers handle EDNS requests.  There
is no reason to block them by default in any form at this point in
time.  All that does is make it harder to deploy extensions.  I
don't see that it is protecting anything at this stage.

As far as I can see the servers behind the firewalls handle these
queries though not always correctly. In lots of cases the IPv4
instance is behind a firewall but the IPv6 instance isn't and the
IPv6 instance copes with the extension.

I don't see any evidence that using the extension mechanisms causes
harm to the servers.

http://users.isc.org/~marka/ts.html
http://users.isc.org/~marka/alexa-report.html
http://users.isc.org/~marka/gov-report.html
http://users.isc.org/~marka/au-report.html
http://users.isc.org/~marka/bottom-report.html

Mark
 
> -----Original Message-----
> From: Mark Andrews <marka at isc.org>
> Date: Thursday, November 20, 2014 at 3:24 AM
> To: Roland Dobbins <rdobbins at arbor.net>
> Cc: "dns-operations at dns-oarc.net" <dns-operations at dns-oarc.net>
> Subject: Re: [dns-operations] Firewall defaults and EDNS
> 
> >
> >In message <2DCA46D6-6073-454A-AF5E-24B9172179F1 at arbor.net>, "Roland
> >Dobbins" writes:
> >> On 20 Nov 2014, at 11:16, Mark Andrews wrote:
> >> 
> >> > so I can generate a list of broken by default for EDNS firewalls.
> >> 
> >> While it's a good idea to try and compile a list of firewalls which are
> >> broken by default, the far more prevalent issue is the apparently
> >> unkillable 'security' myth that one must block TCP/53 as well as DNS
> >> responses larger than 512 bytes.
> >
> >Well CISCO fixed the latter quite a few years ago now.  That doesn't
> >mean that there isn't old images still in use.
> >
> >If you want to add > 512 being blocked by default to the set of
> >broken by default I'll collect that information too.
> >
> >Also any known good images and configuration recipes to fix those that
> >are broken by default.
> >
> >> Irrespective of defaults, folks just unquestioningly slap these rules
> >> into place - and then they (or their users) wonder why their DNS is
> >> broken.
> >> 
> >> -----------------------------------
> >> Roland Dobbins <rdobbins at arbor.net>
> >> _______________________________________________
> >> dns-operations mailing list
> >> dns-operations at lists.dns-oarc.net
> >> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
> >> dns-jobs mailing list
> >> https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
> >-- 
> >Mark Andrews, ISC
> >1 Seymour St., Dundas Valley, NSW 2117, Australia
> >PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
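An added example, not part of this thread and not ISC's tooling: a small Python probe for the three extension mechanisms Mark names. It sends a plain SOA query, an EDNS version 1 query, a query with a reserved flag bit set, and one carrying an unknown option, and reports None where no reply arrives within the timeout (a firewall drop, when the plain query is answered). RFC 6891 expects BADVERS (extended rcode 16) for the version probe and the unknown flag and option to be ignored; the server address, zone name and option code 65001 (local/experimental range) are assumed placeholders.

```python
import os, socket, struct

def edns_option(code, data):
    """Encode one EDNS option; codes 65001-65534 are the local/experimental range."""
    return struct.pack(">HH", code, len(data)) + data

def build_query(name, edns_version=0, ext_flags=0, options=b"", udp_size=4096):
    """SOA query for <name> with an OPT RR; OPT TTL = ext-rcode(8) | version(8) | flags(16)."""
    header = os.urandom(2) + struct.pack(">HHHHH", 0x0100, 1, 0, 0, 1)  # RD, 1 question, 1 additional
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"
    ttl = (edns_version << 16) | ext_flags
    opt = b"\x00" + struct.pack(">HHIH", 41, udp_size, ttl, len(options)) + options
    return header + qname + struct.pack(">HH", 6, 1) + opt

def _skip_name(msg, off):
    while msg[off] & 0xC0 != 0xC0 and msg[off] != 0:  # walk labels until root or a pointer
        off += 1 + msg[off]
    return off + (2 if msg[off] & 0xC0 == 0xC0 else 1)

def parse_response(msg):
    """Return the 12-bit extended rcode and EDNS version (version None if no OPT in the reply)."""
    _, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4
    info = {"rcode": flags & 0xF, "opt": False, "version": None}
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == 41:  # OPT: combine the extended rcode with the header rcode
            info.update(opt=True, version=(ttl >> 16) & 0xFF, rcode=((ttl >> 24) << 4) | (flags & 0xF))
    return info

def probe(server, name, timeout=3.0, **edns):
    family = socket.AF_INET6 if ":" in server else socket.AF_INET
    with socket.socket(family, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, **edns), (server, 53))
        try:
            return parse_response(s.recv(4096))
        except socket.timeout:
            return None  # no reply: the drop pattern, when the plain query is answered

if __name__ == "__main__":
    import sys  # usage: probe.py <server-ip> <zone>  (a server you operate and a zone it serves)
    for label, kw in {"plain": {}, "version 1 (expect BADVERS=16)": {"edns_version": 1},
                      "unknown flag (expect ignored)": {"ext_flags": 0x0040},
                      "unknown option (expect ignored)": {"options": edns_option(65001, b"x")}}.items():
        print(f"{label:32s}", probe(sys.argv[1], sys.argv[2], **kw))
```

Compare the IPv4 and IPv6 addresses of the same server: a timeout on one family and a normal answer on the other is the split Mark describes.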