Cisco documentation fun

Otanx · February 19, 2016, 02:10:09 PM

Found this while doing some ASA work.

From - http://www.cisco.com/c/en/us/td/docs/security/asa/asa93/configuration/firewall/asa-firewall-cli/inspect-basic.html#pgfId-2486925

Quote
Defaults for DNS Inspection

DNS inspection is enabled by default, using the preset_dns_map inspection class map:

The maximum DNS message length is 512 bytes.

Then from - http://www.cisco.com/c/en/us/about/security-center/dnssec-best-practices.html

Quote
Potential Networking Challenges with DNSSEC Deployment

The networking-specific challenges from DNSSEC are largely the result of the differences mentioned previously: increased packet sizes, EDNS requirements and the more frequent use of TCP. Many firewall devices incorrectly limit DNS responses to 512 and prohibit DNS over TCP.

Gave me a good laugh.

-Otanx

deanwebb · February 19, 2016, 02:15:08 PM

Nerm · February 19, 2016, 08:28:22 PM

that1guy15 · February 20, 2016, 04:05:08 PM

Cisco BUs are pretty much separate companies. Its so aggravating and I could only imagine the hell that SEs have to deal with. FTS

Netwörkheäd · February 20, 2016, 04:14:26 PM

The problem with big companies is that there are both economies of scale and inefficiencies of scale. CEO's can say "everyone use the same policy and talk to each other!" Then everyone nods, pretends to listen, and carries on as before.

Sent from my SM-N900P using Tapatalk

NetworkGroover · February 23, 2016, 04:11:54 PM

Quote from: Netwörkheäd on February 20, 2016, 04:14:26 PM
The problem with big companies is that there are both economies of scale and inefficiencies of scale. CEO's can say "everyone use the same policy and talk to each other!" Then everyone nods, pretends to listen, and carries on as before.

Sent from my SM-N900P using Tapatalk

Truth.

Anyway - Otanx, that's pretty funny.

Also shows you have great attention to detail - my ADD probably would have missed that ;P

Dieselboy · February 28, 2016, 08:06:12 AM

Yes we used to get this all the time for older customers in England. Then we made base configs and had this changed to 4096. The other "fix" was disable dns sec on the windows dns server.
I havent run in to issues on my set up though but this thread has reminded me to check what ive done on ours.

Dieselboy · February 28, 2016, 11:34:09 PM

Is the link in the OP still current? It mentions PIX config. The guide says to set the DNS inspection size to 4096. I checked my ASA here and and it can be increased from 512 to 65535. I've set it just now to 4096.

I'm surprised I've not seen any DNS sec issues, though. We're using Windows 2012 DNS servers.

Otanx · February 29, 2016, 05:15:21 PM

The first link is for ASA 9.3 code. The second link I don't know how old it is, but it is what shows up when you Google for "Cisco ASA DNSSEC". I found these because I was actually looking for ESMTP inpection docs. I found that by default ESMTP inspection disables STARTTLS. So I started wondering about DNSSEC, and ran into this.

-Otanx

Dieselboy · March 01, 2016, 12:53:21 AM

Quote from: Otanx on February 29, 2016, 05:15:21 PM
The first link is for ASA 9.3 code. The second link I don't know how old it is, but it is what shows up when you Google for "Cisco ASA DNSSEC". I found these because I was actually looking for ESMTP inpection docs. I found that by default ESMTP inspection disables STARTTLS. So I started wondering about DNSSEC, and ran into this.

-Otanx

Thanks mate.
FYI, to get inbound SMTP working I've always had to disable ESMTP inspection. Else email just don't work.

dlots · March 01, 2016, 08:41:29 AM

That's quite funny :-)

deanwebb · March 01, 2016, 08:43:00 AM

Funny but true. It's like the first thing you do with an edge firewall.

Otanx · March 01, 2016, 11:58:07 AM

Quote from: Dieselboy on March 01, 2016, 12:53:21 AM
Quote from: Otanx on February 29, 2016, 05:15:21 PM
The first link is for ASA 9.3 code. The second link I don't know how old it is, but it is what shows up when you Google for "Cisco ASA DNSSEC". I found these because I was actually looking for ESMTP inpection docs. I found that by default ESMTP inspection disables STARTTLS. So I started wondering about DNSSEC, and ran into this.

-Otanx

Thanks mate.
FYI, to get inbound SMTP working I've always had to disable ESMTP inspection. Else email just don't work.

Yep, this is what I kept hearing. From what I can tell it is because the ASA does not cache the packets so if the command is split between packets then it does not recognize the command, and breaks it. I was hoping to leave it on, but I don't think I will.

-Otanx

icecream-guy · March 01, 2016, 01:56:16 PM

Quote from: Otanx on March 01, 2016, 11:58:07 AM
Quote from: Dieselboy on March 01, 2016, 12:53:21 AM
Quote from: Otanx on February 29, 2016, 05:15:21 PM
The first link is for ASA 9.3 code. The second link I don't know how old it is, but it is what shows up when you Google for "Cisco ASA DNSSEC". I found these because I was actually looking for ESMTP inpection docs. I found that by default ESMTP inspection disables STARTTLS. So I started wondering about DNSSEC, and ran into this.

-Otanx

Thanks mate.
FYI, to get inbound SMTP working I've always had to disable ESMTP inspection. Else email just don't work.

Yep, this is what I kept hearing. From what I can tell it is because the ASA does not cache the packets so if the command is split between packets then it does not recognize the command, and breaks it. I was hoping to leave it on, but I don't think I will.

-Otanx

let if flow through, there are various ways to limit/control mail commands at the DMZ mail relay server, or internal server if you really needed to

Dieselboy · March 01, 2016, 07:58:41 PM

I didn't know why ESMTP inspection broke SMTP, but if you telnet to the SMTP server receive port through the ASA and issued EHLO then you get something back like:

Code Select


*************************************
220
*************************************

Which isn't normal.