DNS Recursion & PIX/ASA
Hello John,
Most DNS servers allow one to specify the client subnets that can make recursive requests to the server; unfortunately, AFAIK Microsoft does not offer that… no surprises.. after all, it's Microsoft.. You can use some other DNS server to do this though; BIND, DNS-Plus etc. support this.
You can turn off recursive lookups completely though, but that would not achieve your objective…
AFAIK there is no way to prevent DNS recursion through the PIX/ASA, but you might be able to reduce the impact of DNS amplification by setting the length of DNS messages using the ip inspect dns maximum-length command.
However, I'm not sure about this… you would have to research further on this… keep in mind that if RFC 2671 (EDNS) is in use… playing around with the length might break things, as it can use a length of more than 4 MB for DNS messages.
HTH
On 8/15/06, John Hooper wrote:
>
> Good Afternoon Everyone,
> Just a quick one for all you security gurus out there. Can a PIX/ASA block any DNS recursion requests made to a Windows 2003 server running DNS. I basically want to prevent DNS recursion to the outside and allow it on the inside. Can this be restricted on a PIX/ASA.
> Thanks for any feedback regarding this.
>
> Cheers
> John
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
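To make the two controls discussed in this thread concrete, here is an added example (not part of the original messages, and not Microsoft, Cisco or BIND code) in Python. It builds and parses DNS queries in wire format, then applies the policy a recursion-restricting resolver or an inspecting firewall would: refuse recursion (RD bit set) from sources outside a trusted subnet, drop messages over a maximum length, and flag the EDNS case where a client advertises a UDP payload size larger than that limit, which is exactly the situation where a length cap would break larger responses. The inside subnet 192.168.1.0/24, the 512-byte limit and the query names are constructed values, not taken from the thread.

```python
import ipaddress
import struct

# Constructed policy values (assumptions for this example, not from the thread).
ALLOWED_RECURSION = [ipaddress.ip_network("192.168.1.0/24")]  # "inside" clients
MAX_DNS_LENGTH = 512                                           # classic UDP DNS limit

RD_FLAG = 0x0100   # Recursion Desired bit in the DNS header flags
TYPE_OPT = 41      # EDNS(0) OPT pseudo-RR type (RFC 2671)


def build_query(name, qtype=1, rd=True, edns_payload=None):
    """Construct a DNS query message; optional OPT RR advertises an EDNS UDP payload size."""
    arcount = 1 if edns_payload else 0
    header = struct.pack("!HHHHHH", 0x1234, RD_FLAG if rd else 0, 1, 0, 0, arcount)
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN
    additional = b""
    if edns_payload:
        # OPT RR: root name, TYPE=41, CLASS=advertised UDP payload size, TTL=0, RDLENGTH=0
        additional = b"\x00" + struct.pack("!HHIH", TYPE_OPT, edns_payload, 0, 0)
    return header + question + additional


def _skip_name(msg, off):
    """Advance past a domain name, handling compression pointers (0xC0 prefix)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def parse_query(msg):
    """Extract the RD flag, any EDNS UDP payload size, and the total message length."""
    _txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4          # skip QTYPE and QCLASS
    edns_size = None
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == TYPE_OPT:
            edns_size = rclass                  # CLASS field carries the UDP payload size
    return {"rd": bool(flags & RD_FLAG), "edns_udp_size": edns_size, "length": len(msg)}


def evaluate(msg, src_ip, allowed=ALLOWED_RECURSION, max_len=MAX_DNS_LENGTH):
    """Decide how a recursion-restricted resolver / length-inspecting firewall treats a query."""
    info = parse_query(msg)
    src = ipaddress.ip_address(src_ip)
    inside = any(src in net for net in allowed)
    if info["rd"] and not inside:
        return "refuse-recursion"               # outside client asked for recursion
    if info["length"] > max_len:
        return "drop-oversize"                  # message exceeds the inspection limit
    if info["edns_udp_size"] and info["edns_udp_size"] > max_len:
        return "allow-edns-risk"                # client expects responses the limit would drop
    return "allow"


if __name__ == "__main__":
    q = build_query("example.com")
    print("outside, RD set     :", evaluate(q, "203.0.113.5"))
    print("inside, RD set      :", evaluate(q, "192.168.1.10"))
    print("inside, EDNS 4096   :", evaluate(build_query("example.com", edns_payload=4096), "192.168.1.10"))
```

The "allow-edns-risk" outcome is the practical caveat raised above: a fixed maximum-length check does not understand that an EDNS client has negotiated a larger payload, so replies that exceed the cap are silently discarded and the client falls back or fails.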