An important step in configuring your firewalls for DNSSEC operations
is to increase the DNS message length permitted by the firewall. The
default message-length for all DNS messages in routers shipped by
Cisco Systems is 512 bytes. The average DNSKEY query response for
signed domains is approximately 2,900 bytes. This creates a symptom
that is difficult to isolate: first a UDP query is sent, and then a
second query over TCP is sent if the UDP response is truncated. Both
fail during validation, but because .com and .net queries are
succeeding, you may think there is nothing wrong with your
configuration and call the TLD operator with the following symptom.

Symptom: DNS queries time out or fail for all queries to TLDs that
are signed (e.g. .gov, .org) when using a recursive validating caching
name server. All other queries succeed, so it may take a while for
the problem to be reported.

Solution: Change the message-length to 4096 for all DNS queries.

The validating name server queries the TLD and its children for all
of their DNSKEYs and places them in the cache. This query produces one
of the larger DNS responses, and if the firewall does not allow the
large answer through, the name server will attempt to fall back to
non-validating DNS service. This may or may not succeed, however, and
often the validating name server will determine that the zone is not
authoritative enough to be queried.

Examples:
Cisco product examples. Products from all manufacturers are affected,
however, so consult the manual on how to increase this size at the
time of DNSSEC deployment.

pix501 config

interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxxxx encrypted
passwd xxxxxxxxxx encrypted
hostname PIX
domain-name PIX
fixup protocol dns maximum-length 4096

!-- Output for service-policy applied globally
!
firewall# show service-policy inspect dns
Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: dns preset_dns_map, packet 37841, drop 0, reset-drop 0
        message-length maximum 4096, drop 0
        dns-guard, count 21691
        protocol-enforcement, drop 0
        nat-rewrite, count 0
        id-randomization, count 21856
        id-mismatch count 10 duration 2, log 2
firewall#

!-- Output for service-policy applied per interface
!
firewall# show service-policy inspect dns
Interface outside:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: dns preset_dns_map, packet 4923, drop 1544, reset-drop 0
        message-length maximum 4096, drop 39
        dns-guard, count 2147
        protocol-enforcement, drop 542
        nat-rewrite, count 0
        id-randomization, count 2220
        id-mismatch count 10 duration 2, log 1
Interface inside:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: dns preset_dns_map, packet 240, drop 0, reset-drop 0
        message-length maximum 4096, drop 0
        dns-guard, count 88
        protocol-enforcement, drop 0
        nat-rewrite, count 0
        id-randomization, count 116
        id-mismatch count 10 duration 2, log 0
firewall#