Cisco documentation fun

Started by Otanx, February 19, 2016, 02:10:09 PM


Otanx

Found this while doing some ASA work.

From - http://www.cisco.com/c/en/us/td/docs/security/asa/asa93/configuration/firewall/asa-firewall-cli/inspect-basic.html#pgfId-2486925
Quote
Defaults for DNS Inspection

DNS inspection is enabled by default, using the preset_dns_map inspection class map:

    The maximum DNS message length is 512 bytes.

Then from - http://www.cisco.com/c/en/us/about/security-center/dnssec-best-practices.html

Quote
Potential Networking Challenges with DNSSEC Deployment

The networking-specific challenges from DNSSEC are largely the result of the differences mentioned previously: increased packet sizes, EDNS requirements and the more frequent use of TCP. Many firewall devices incorrectly limit DNS responses to 512 and prohibit DNS over TCP.

Gave me a good laugh.

-Otanx

deanwebb

#1
:haha1:
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Вопросы есть? Вопросов нет! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

Nerm


that1guy15

Cisco BUs are pretty much separate companies. It's so aggravating and I could only imagine the hell that SEs have to deal with. FTS
That1guy15
@that1guy_15
blog.movingonesandzeros.net

Netwörkheäd

The problem with big companies is that there are both economies of scale and inefficiencies of scale. CEOs can say "everyone use the same policy and talk to each other!" Then everyone nods, pretends to listen, and carries on as before.

Sent from my SM-N900P using Tapatalk

Let's not argue. Let's network!

NetworkGroover

Quote from: Netwörkheäd on February 20, 2016, 04:14:26 PM
The problem with big companies is that there are both economies of scale and inefficiencies of scale. CEOs can say "everyone use the same policy and talk to each other!" Then everyone nods, pretends to listen, and carries on as before.

Sent from my SM-N900P using Tapatalk

Truth.

Anyway - Otanx, that's pretty funny. :rofl:

Also shows you have great attention to detail - my ADD probably would have missed that ;P
Engineer by day, DJ by night, family first always

Dieselboy

Yes, we used to get this all the time for older customers in England. Then we made base configs and had this changed to 4096. The other "fix" was to disable DNSSEC on the Windows DNS server.
I haven't run into issues on my setup, though, but this thread has reminded me to check what I've done on ours.

Dieselboy

Is the link in the OP still current? It mentions PIX config. The guide says to set the DNS inspection size to 4096. I checked my ASA here and it can be increased from 512 to 65535. I've set it just now to 4096.

I'm surprised I've not seen any DNSSEC issues, though. We're using Windows 2012 DNS servers.
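As an added illustration (not from the thread, and not text from Cisco's documentation), here is the ASA DNS inspection setting under discussion, with the 512-byte default beside the 4096-byte value Dieselboy describes. The map name preset_dns_map and the 512 default come from the Cisco page quoted in the OP; the parameter syntax is the ASA policy-map form as I know it from releases of that era, so check it against the command reference for your version.

```cisco
! Default DNS inspection map on an ASA (constructed illustration of the
! setting quoted in the OP). 512 bytes is the pre-EDNS0 UDP limit, which
! is exactly what DNSSEC-signed responses routinely exceed.
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512

! The change described in this thread: raise the limit to 4096 bytes so
! EDNS0/DNSSEC responses are not dropped or truncated by the inspection engine.
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 4096

! The map takes effect through the default global policy (shown for context).
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
```

After changing it, `show running-config policy-map` confirms the value and `show service-policy` shows the inspection counters, which is a quick way to see whether DNS packets were being dropped by the old limit. From memory, later ASA releases also accept `message-length maximum client auto`, which sizes the limit from the client's EDNS0 OPT record rather than a fixed number; verify that keyword exists in your release before relying on it.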

Otanx

The first link is for ASA 9.3 code. The second link I don't know how old it is, but it is what shows up when you Google for "Cisco ASA DNSSEC". I found these because I was actually looking for ESMTP inspection docs. I found that by default ESMTP inspection disables STARTTLS. So I started wondering about DNSSEC, and ran into this.

-Otanx

Dieselboy

Quote from: Otanx on February 29, 2016, 05:15:21 PM
The first link is for ASA 9.3 code. The second link I don't know how old it is, but it is what shows up when you Google for "Cisco ASA DNSSEC". I found these because I was actually looking for ESMTP inspection docs. I found that by default ESMTP inspection disables STARTTLS. So I started wondering about DNSSEC, and ran into this.

-Otanx

Thanks mate.
FYI, to get inbound SMTP working I've always had to disable ESMTP inspection. Else email just doesn't work.

dlots


deanwebb

Funny but true. It's like the first thing you do with an edge firewall.
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Вопросы есть? Вопросов нет! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

Otanx

Quote from: Dieselboy on March 01, 2016, 12:53:21 AM
Quote from: Otanx on February 29, 2016, 05:15:21 PM
The first link is for ASA 9.3 code. The second link I don't know how old it is, but it is what shows up when you Google for "Cisco ASA DNSSEC". I found these because I was actually looking for ESMTP inspection docs. I found that by default ESMTP inspection disables STARTTLS. So I started wondering about DNSSEC, and ran into this.

-Otanx

Thanks mate.
FYI, to get inbound SMTP working I've always had to disable ESMTP inspection. Else email just doesn't work.

Yep, this is what I kept hearing. From what I can tell it is because the ASA does not cache the packets so if the command is split between packets then it does not recognize the command, and breaks it. I was hoping to leave it on, but I don't think I will.

-Otanx

icecream-guy

Quote from: Otanx on March 01, 2016, 11:58:07 AM
Quote from: Dieselboy on March 01, 2016, 12:53:21 AM
Quote from: Otanx on February 29, 2016, 05:15:21 PM
The first link is for ASA 9.3 code. The second link I don't know how old it is, but it is what shows up when you Google for "Cisco ASA DNSSEC". I found these because I was actually looking for ESMTP inspection docs. I found that by default ESMTP inspection disables STARTTLS. So I started wondering about DNSSEC, and ran into this.

-Otanx

Thanks mate.
FYI, to get inbound SMTP working I've always had to disable ESMTP inspection. Else email just doesn't work.

Yep, this is what I kept hearing. From what I can tell it is because the ASA does not cache the packets so if the command is split between packets then it does not recognize the command, and breaks it. I was hoping to leave it on, but I don't think I will.

-Otanx

Let it flow through; there are various ways to limit/control mail commands at the DMZ mail relay server, or the internal server if you really needed to.
:professorcat:

My Moral Fibers have been cut.

Dieselboy

I didn't know why ESMTP inspection broke SMTP, but if you telnet to the SMTP server's receive port through the ASA and issue EHLO, you get something back like:

*************************************
220
*************************************


Which isn't normal.
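Two symptoms in this thread come from the same ESMTP inspection engine: Otanx's observation that STARTTLS is disabled by default, and Dieselboy's 220 banner coming back as a row of asterisks (the engine rewrites the server banner). The posts' fix is to turn ESMTP inspection off entirely; as an added example (my own, not from the thread or from Cisco's documentation) here is the middle option of keeping inspection but relaxing the two behaviours. The map name esmtp_allow_tls is invented for the example; `allow-tls` and `mask-banner` are ESMTP inspection parameters as I know them from ASA releases of that era, so confirm them in the command reference for your version.

```cisco
! Plain ESMTP inspection, as shipped in the ASA default global policy
! (constructed illustration). This is the state the thread reports as
! stripping STARTTLS from the EHLO reply and masking the 220 banner.
policy-map global_policy
 class inspection_default
  inspect esmtp

! Custom ESMTP inspection map: keep the inspection engine, but let the
! STARTTLS capability pass through and leave the server banner untouched.
policy-map type inspect esmtp esmtp_allow_tls
 parameters
  allow-tls
  no mask-banner

! Swap the default inspection for the custom map in the global policy.
policy-map global_policy
 class inspection_default
  no inspect esmtp
  inspect esmtp esmtp_allow_tls
```

To check the result, repeat Dieselboy's test: telnet through the ASA to port 25 and send EHLO; the 220 banner should come back readable and the 250 capability list should include STARTTLS. The trade-off to keep in mind is that once the client issues STARTTLS the session is encrypted and the ASA can no longer see SMTP commands, so with `allow-tls` the inspection only covers the pre-TLS exchange; the command filtering icecream-guy mentions then belongs on the DMZ relay, which does terminate TLS.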