Godswill, I believe he is asking about the alias command since that is specifically used for DNS doctoring. But, if his clients are on the same network as the DNS server it won't work. But, as you said, I'm not quite sure what he is asking.

http://www.cisco.com/warp/public/110/alias.html

You are also sort of incorrect if you are saying that you can't adjust the DNS timers. You can't adjust the specific DNS timers themselves, but you can adjust the UDP timer. I'm not sure if that's what you meant. You are very correct that 2 minutes is an eternity and I think that is way too long to have a UDP connection open. Just change the UDP timeout conn as shown below. The example is changed to one minute.

timeout conn 1:00:00 half-closed 0:10:00 udp 0:01:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00

John Kaberna
CCIE #7146
www.netcginc.com
(415) 750-3800
Instructor for 5-day CCIE class for ccbootcamp.com
__________________
CCIE Security Training
www.netcginc.com/training.htm

"Godswill HO" wrote in message news:[EMAIL PROTECTED]...
> Hi,
>
> It really depends on what you want to do or implement for the DNS. The DNS
> guard on PIX is enabled by default and it cannot be disabled nor configured.
> It helps to prevent against DoS attacks by tearing down the UDP conduit on
> the PIX firewall as soon as the DNS response is received, not waiting until
> the default UDP timer has expired, which is 2 minutes (almost an eternity
> in the computer world).
>
> The other doctoring you can do on DNS is on CBAC (Context Based Access
> Control). Here you can alter the default DNS timeout, which is 5 seconds, by
> using:
>
> #ip inspect dns-timeout
>
> It simply specifies the length of time a DNS name lookup session will
> still be managed after no activity.
>
> In case you need further help, feel free to ask specific questions.
>
> Regards.
> Oletu
>
> ----- Original Message -----
> From: Dante Martins
> To:
> Sent: Saturday, January 26, 2002 4:58 PM
> Subject: PIX % DNS Doctoring [7:33331]
>
>
> > Somebody knows how to do DNS doctoring on PIX?
> > I have the DNS on DMZ with static and the client workstations are on
> > inside interface.
> > Dante

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=33346&t=33331
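As an added example (not part of the thread and not Cisco code), here is a small Python audit check that parses a PIX `timeout` line like the one quoted above into per-timer seconds and flags a UDP idle timer that is unset, disabled (0:00:00, which on PIX means the connection never times out), or longer than a policy maximum. The two sample lines are constructed: the PIX default `udp 0:02:00` and the one-minute version from the post; the 60-second policy value is an assumption.

```python
import re

# Constructed sample config lines: the PIX default UDP idle timer (2 minutes)
# and the shortened one-minute version suggested in the post above.
DEFAULT_TIMEOUT_LINE = ("timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 "
                        "rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00")
TUNED_TIMEOUT_LINE = ("timeout conn 1:00:00 half-closed 0:10:00 udp 0:01:00 "
                      "rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00")

# PIX timer values are written h:mm:ss (hours may exceed one digit).
_HMS = re.compile(r"^(\d+):([0-5]\d):([0-5]\d)$")


def hms_to_seconds(value: str) -> int:
    """Convert a PIX h:mm:ss timer value to whole seconds."""
    m = _HMS.match(value)
    if not m:
        raise ValueError(f"bad timer value: {value!r}")
    hours, minutes, seconds = (int(x) for x in m.groups())
    return hours * 3600 + minutes * 60 + seconds


def parse_timeout_line(line: str) -> dict:
    """Parse 'timeout <name> <h:mm:ss> ...' into {name: seconds}."""
    tokens = line.split()
    # Expect the keyword followed by name/value pairs, so an odd token count.
    if not tokens or tokens[0] != "timeout" or len(tokens) % 2 != 1:
        raise ValueError("not a well-formed PIX timeout line")
    return {tokens[i]: hms_to_seconds(tokens[i + 1])
            for i in range(1, len(tokens), 2)}


def udp_timeout_findings(line: str, max_udp_seconds: int = 60) -> list:
    """Return audit findings for the udp idle timer (empty list = OK).

    max_udp_seconds is an assumed policy value; a long idle timer keeps
    state for every DNS/UDP exchange open on the firewall far longer than
    the exchange itself lasts.
    """
    timers = parse_timeout_line(line)
    udp = timers.get("udp")
    if udp is None:
        return ["udp timer not set on this line"]
    if udp == 0:
        return ["udp idle timer is 0:00:00 (connections never time out)"]
    if udp > max_udp_seconds:
        return [f"udp idle timer {udp}s exceeds policy of {max_udp_seconds}s"]
    return []
```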