Member
We are using Cisco PIX firewall in our office. We recently noticed that our dns packets were being denied because of the size. I would like to know what is the default dns packet's size that a device sends and what is the problem involved if it is increases the default value and also what is the maximum size of a dns packet that can be sent?
Member
This problem occur on some Cisco PIX Firewall models with software that is earlier than PIX Firewall version 6.3(2). By default, some firewalls have security features turned on that block UDP packets that are larger than 512 bytes. To resolve this issue, configure the firewall to allow larger UDP packets.
Member
According to my research, even Windows could have a default dns packet size limit. So to fix this, you may want to adjust your Windows settings to increase the dns packet size limit and allow the dns request as per your need. You can even try to turn off EDNS0 functionality on the Windows Server 2003 server. To do so, at the command prompt, type: "dnscmd Server Name/Config /EnableEDnsProbes 0"
Member
This is the part of the Cisco security feature which blocks all the packets sent exceeding 512 bytes calling them malformed. Over this size TCP packets are supposed to be used and not the UDP. A flag is passed when a dns server requests a lookup indicating whether it accepts Edns and its maximum packet size. A firewall which filters large UDP DNS packets without clearing this flag in DNS packets that pass through will cause problems to the servers.
Posting Permissions
Reply With Quote
Bookmarks