Dear All,

I just received the below mail from my ISP:

-----------------
On May 5th 2010 domain name system (DNS) will switch over to a new, more secure protocol “DNSSEC”. DNSSEC adds digital signatures to normal DNS queries, substantially reducing the risk of attacks such as the Kaminsky exploit, which caused widespread panic in July 2008.

Here at FASTtelco we have taken all the necessary precautions on our DNS and security equipment. Therefore if you own any security equipment such as a PIX or an ASA please do the following changes at your end. Below is the configuration that needs to be changed on a Cisco PIX and a Cisco ASA series firewall:

ASA:
  policy-map type inspect dns preset_dns_map
   parameters
    message-length maximum 4096
  policy-map global_policy
   class inspection_default
    inspect dns preset_dns_map

PIX:
  fixup protocol dns maximum-length 4096
------------------

On further query with the ISP I was told that if the firewall does not have the necessary changes we will not be able to browse.

Now I have our own primary & secondary DNS servers running and I use shorewall-4.0.14-1 as our firewall, and it has been working fine for the past 3 years or so. The name servers are:
1) ns1.kmun.gov.kw
2) ns2.kmun.gov.kw

Now I would really appreciate if someone could advise me and help me on the above issue. Do I need to do any change in our firewall or not?

We do host our company websites, mail servers, etc., and the DNS servers are authoritative for these zones.

Waiting for your kind help. If any more information is required please do let me know.

regards
simon
--
Network ADMIN
-------------
KUWAIT MUNICIPALITY

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
Benedict simon wrote:
> Now I would really appreciate if someone could advise me and help me on the
> above issue. Do I need to do any change in our firewall or not?

DNSSEC changes the DNS payload contents and length but not the header contents; the latter is all that a packet filter like Netfilter looks at.

-Tom
--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
> Benedict simon wrote:
>
>> Now I would really appreciate if someone could advise me and help me on the
>> above issue. Do I need to do any change in our firewall or not?
>
> DNSSEC changes the DNS payload contents and length but not the header
> contents; the latter is all that a packet filter like Netfilter looks at.

Dear Tom,

I really appreciate your quick and immediate reply. But I do appreciate and would be really grateful if you could let me know more about it. Actually I was informed by the ISP guys that if no change is made as stated in the mail they sent, we would not be able to browse, and my knowledge on DNSSEC is limited.

1) As I understand from your above reply, no need to do any change on my Shorewall firewall.

2) I ran the below command from my DNS server which is behind my Shorewall firewall. The IP of my DNS server is 91.198.x.x.

$ dig +short rs.dns-oarc.net txt
rst.x2027.rs.dns-oarc.net.
rst.x3837.x2027.rs.dns-oarc.net.
rst.x3843.x3837.x2027.rs.dns-oarc.net.
"Tested at 2010-05-02 17:45:08 UTC"
"62.215.6.4 sent EDNS buffer size 4096"
"62.215.6.4 DNS reply size limit is at least 3843"

Actually 62.215.6.4 is my ISP's DNS server.

3) As mentioned to me in the mail from my ISP, are the root servers gonna switch over to DNSSEC on 5th May? So before that I just wanted to be sure. Is there any other test I could run from my DNS server so that I know my DNS and the Shorewall firewall are fine and do not need any change?

really appreciate your help
sorry for my immature questions

regards
simon

> -Tom
> --
> Tom Eastep
> http://shorewall.net
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
On 05/02/2010 12:00 PM, Benedict simon wrote:
> really appreciate your help
> sorry for my immature questions

I've told you everything I know about DNSSEC. You can read the RFCs and web sites about the subject as well as I can. I can assure you that DNSSEC has not been mentioned on either of the Netfilter lists since I started archiving them several years ago.

Again -- Shorewall-generated rulesets do not look at anything but the protocol headers, which are not affected by DNSSEC. PIX and ASA firewalls are different; they DO look at the payload of packets (as evidenced by the many problems PIX have caused with email delivery).

-Tom
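The two points made in this thread, Simon's dig test showing an EDNS buffer size of 4096, and Tom's distinction between a header-only packet filter and a payload-inspecting PIX/ASA, can be made concrete with a small script. The following is an added example, not code from the thread, from Shorewall, or from Cisco. It builds a DNS query for rs.dns-oarc.net TXT with the same EDNS0 OPT pseudo-RR that dig sends (RFC 6891), parses the advertised buffer size back out of any DNS message, and then applies two constructed decision functions to a padded 600-byte stand-in for a signed reply: one that, like Netfilter, looks only at the UDP destination port, and one that, like the ASA "message-length maximum" inspection, rejects DNS payloads longer than a limit. The 512-byte default is the pre-EDNS UDP limit from RFC 1035, the figure the ISP's configuration raises to 4096. All messages are constructed in memory, so nothing is sent on the network.

```python
import struct

# Added example (not from the Shorewall thread or project). Constructs DNS/EDNS0
# messages in memory and contrasts a header-only check with a payload-length check.

DNS_PORT = 53
CLASSIC_UDP_LIMIT = 512    # RFC 1035 UDP maximum without EDNS0
TYPE_TXT = 16
TYPE_OPT = 41              # EDNS0 OPT pseudo-RR (RFC 6891)


def encode_name(name):
    """Encode a dotted name as DNS wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_edns_query(name, qtype=TYPE_TXT, udp_size=4096, txid=0x1234):
    """Build a recursive query; udp_size=None omits EDNS0 (a classic 512-byte query)."""
    has_opt = udp_size is not None
    # id, flags (RD), QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT (1 if the OPT RR is present)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if has_opt else 0)
    msg = header + encode_name(name) + struct.pack("!HH", qtype, 1)
    if has_opt:
        # OPT RR: root name, TYPE=41, CLASS = requestor's UDP payload size,
        # TTL = extended RCODE/version/flags (all zero), RDLENGTH=0
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, 0, 0)
    return msg


def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) wire-format name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def advertised_edns_size(msg):
    """Return the UDP payload size carried in the OPT RR, or None if there is no EDNS0."""
    _txid, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4        # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == TYPE_OPT:
            return rclass                    # the CLASS field holds the buffer size
        off += 10 + rdlen
    return None


def packet_filter_accepts(dst_port, payload):
    """Netfilter/Shorewall-style decision: only the UDP header is consulted."""
    return dst_port == DNS_PORT


def dns_inspection_accepts(payload, max_len=CLASSIC_UDP_LIMIT):
    """ASA 'inspect dns'-style decision: the DNS payload must fit within max_len bytes."""
    return len(payload) <= max_len


def fake_signed_reply(total_size, udp_size=4096):
    """Constructed reply padded to total_size bytes, standing in for a large signed answer."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 1)
    question = encode_name("rs.dns-oarc.net") + struct.pack("!HH", TYPE_TXT, 1)
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, 0, 0)
    rdlen = total_size - len(header) - len(question) - len(opt) - 12
    rdata = b""
    while len(rdata) < rdlen:                # TXT rdata is a run of <=255-byte strings
        n = min(255, rdlen - len(rdata) - 1)
        rdata += bytes([n]) + b"A" * n
    # answer name is a compression pointer to the question name at offset 12
    answer = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_TXT, 1, 300, len(rdata)) + rdata
    return header + question + answer + opt


if __name__ == "__main__":
    query = build_edns_query("rs.dns-oarc.net")
    reply = fake_signed_reply(600)
    print("query advertises EDNS buffer:", advertised_edns_size(query))
    print("reply length:", len(reply), "bytes")
    print("packet filter (port only):", packet_filter_accepts(DNS_PORT, reply))
    print("inspection at 512:", dns_inspection_accepts(reply))
    print("inspection at 4096:", dns_inspection_accepts(reply, max_len=4096))
```

The reply exceeds 512 bytes only because its payload grew, so the port-only check passes it unchanged while the payload-length check drops it until its limit is raised to 4096, which is exactly the difference between the ISP's PIX/ASA instruction and a Shorewall ruleset.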
Dear Tom,

A million thanks for the wise reply; I really do appreciate it, and I am really sorry for the bother. Actually I was just a bit tense and confused; moreover there is gonna be a review of our websites these days. But I do feel a bit relaxed.

By the way, I have been using Shorewall for the last 2 years or so and it's just a marvelous piece of software. May God always bless you for your good work.

regards
simon