Re: DNS Recursion & PIX/ASA

From: Farrukh Haroon (farrukhharoon@gmail.com)
Date: Tue Aug 15 2006 - 04:21:35 ART


Hello John,

Most DNS servers allow one to specify the client subnets that can make
recursive requests to the server; unfortunately, AFAIK Microsoft does not
offer that... no surprises... after all, it's Microsoft. You can use some other
DNS server to do this though; BIND, DNS-Plus etc. support this.

You can turn off recursive lookups completely though, but that would not
achieve your objective...

AFAIK there is no way to prevent DNS recursion through the PIX/ASA, but you
might be able to reduce the impact of DNS amplification by setting the
length of DNS messages using the

ip inspect dns maximum-length command

However, I'm not sure about this... you would have to research further on
this... keep in mind that if RFC 2671 (EDNS) is in use, playing around with
the length might break things, as it can use a length of more than 4 MB for
DNS messages.

HTH
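As an added illustration of the "restrict recursion on the DNS server itself" approach mentioned above (this is not configuration from the original thread), here is a BIND 9 named.conf fragment showing the open-resolver setting beside the restricted one. The inside subnet 192.168.0.0/16 and the zone "example.com" are placeholders.

```conf
// Added example, not from the original thread: BIND 9 named.conf fragment.
// Assumes the inside LAN is 192.168.0.0/16 (placeholder; adjust to your subnets).

// --- Weak: recursion answered for anyone (an open resolver) ---
// options {
//     recursion yes;
//     allow-recursion { any; };
// };

// --- Restricted: recursion only for inside clients ---
acl "inside" {
    127.0.0.0/8;        // the server itself
    192.168.0.0/16;     // inside LAN (placeholder)
};

options {
    directory "/var/named";
    recursion yes;                  // still recursive, but only for "inside"
    allow-recursion { inside; };    // outside clients get REFUSED for recursive lookups
    allow-query-cache { inside; };  // cached answers are not handed out to the outside either
    allow-query { any; };           // authoritative data below stays reachable from outside
};

// Authoritative zone served to everyone, recursion or not (placeholder zone)
zone "example.com" {
    type master;
    file "example.com.zone";
};
```

After reloading, a recursive query from an outside address for a name you are not authoritative for should come back REFUSED, while queries for example.com are still answered; checking that from an outside vantage point is the quickest way to confirm the server is no longer usable as an amplifier.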

On 8/15/06, John Hooper <homith@homith.com> wrote:
>
> Good Afternoon Everyone,
> Just a quick one for all you security gurus out there. Can a PIX/ASA block
> any DNS recursion requests made to a Windows 2003 server running DNS? I
> basically want to prevent DNS recursion to the outside and allow it on the
> inside. Can this be restricted on a PIX/ASA?
> Thanks for any feedback regarding this.
>
> Cheers
> John
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html



This archive was generated by hypermail 2.1.4 : Fri Sep 01 2006 - 15:41:57 ART