Configuring DNS Support
It is not necessary to configure DNS support on the Cisco Security Appliance. By default, the
Security Appliance identifies each outbound DNS request and allows only a single response
to that request. The internal host can query several DNS servers for a response, and the
Security Appliance allows the outbound queries. However, the Security Appliance allows
only the first response to pass through the firewall. All subsequent responses to the original
query are dropped.
PIX Version 6.3(2) includes a DNS fixup protocol that enables you to configure a maximum
packet length for connections to UDP port 53. The default value is 512 bytes. If you
configure the DNS fixup protocol, the Security Appliance drops all connections to UDP port
53 that exceed the configured maximum length. The command for this configuration is
fixup protocol dns [maximum-length <512-65535>]
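To make the two behaviours described above concrete, the following is an added Python model of the inspection logic (it is not Cisco code and not part of the original text): outbound queries open a pending entry, only the first matching response is passed, later responses to the same query are dropped, and datagrams to UDP/53 above the configured maximum length are dropped. The class name DnsGuard, the sample addresses and the DNS messages are all constructed for this illustration.

```python
import struct

DEFAULT_MAX_LEN = 512  # default maximum DNS packet length for UDP/53 on PIX 6.3


def dns_message(txid, response=False, padding=0):
    """Build a minimal constructed DNS header (12 bytes) plus optional padding."""
    flags = 0x8180 if response else 0x0100  # QR bit (0x8000) marks a response
    header = struct.pack("!HHHHHH", txid, flags, 1, 1 if response else 0, 0, 0)
    return header + b"\x00" * padding


class DnsGuard:
    """Hypothetical model of the PIX DNS fixup: one query, one response."""

    def __init__(self, max_len=DEFAULT_MAX_LEN):
        self.max_len = max_len
        self.pending = set()  # (inside_ip, inside_port, txid) awaiting a reply

    def inspect(self, src, sport, dst, dport, payload):
        """Return 'PASS' or 'DROP' for one UDP datagram."""
        if dport == 53 and len(payload) > self.max_len:
            return "DROP"  # exceeds the configured maximum length
        if len(payload) < 12:
            return "DROP"  # shorter than a DNS header, not a valid query/response
        txid, flags = struct.unpack("!HH", payload[:4])
        if not (flags & 0x8000) and dport == 53:
            self.pending.add((src, sport, txid))  # outbound query: remember it
            return "PASS"
        key = (dst, dport, txid)
        if key in self.pending:
            self.pending.discard(key)  # first response closes the entry
            return "PASS"
        return "DROP"  # duplicate or unsolicited response


def simulate():
    """Replay a constructed exchange: one host asks two servers, both answer."""
    guard = DnsGuard()
    inside, srv1, srv2 = "10.1.1.5", "198.51.100.53", "203.0.113.53"
    events = [
        (inside, 40000, srv1, 53, dns_message(0x1234)),             # query to server 1
        (inside, 40000, srv2, 53, dns_message(0x1234)),             # same query to server 2
        (srv1, 53, inside, 40000, dns_message(0x1234, True)),       # first response
        (srv2, 53, inside, 40000, dns_message(0x1234, True)),       # second response, dropped
        (inside, 40001, srv1, 53, dns_message(0x5678, padding=600)),  # 612 bytes > 512
    ]
    return [guard.inspect(*event) for event in events]


if __name__ == "__main__":
    print(simulate())  # ['PASS', 'PASS', 'PASS', 'DROP', 'DROP']
```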