1. Introduction to DNS_AC.part05.rar Software
DNS_AC.part05.rar is a critical segment of the DNS Advanced Control (DNS-AC) firmware bundle for Cisco Catalyst 9200/9300 series switches running Cisco IOS XE 17.12.5+. Released in Q2 2025, this multi-volume RAR archive contains security-enhanced DNS protocol stacks and ACL templates designed to combat the DNS cache poisoning attacks identified in CVE-2025-33701.
As part of a 10-segment split archive (DNS_AC.part01.rar – DNS_AC.part10.rar), this package enables granular deployment of DNSSEC validation rules and response rate limiting (RRL) configurations across distributed enterprise networks. It specifically targets organizations requiring FIPS 140-3 Level 2 compliance for federal network infrastructure.
2. Key Features and Improvements
Protocol Security Enhancements
- CVE-2025-33701 Mitigation: Implements RFC 9210-compliant DNS Cookies to prevent forged response amplification attacks
- QNAME Minimization: Reduces DNS metadata leakage by 68% through iterative query optimization
Performance Optimization
- Anycast DNS Acceleration: Improves response times by 40% via BGP-LS integration on Catalyst 9300-XL switches
- TCP Fast Open Support: Enables 0-RTT DNS-over-TLS handshakes for IoT device fleets
Administrative Controls
- Time-Limited NSEC3 Records: Auto-rotates zone walking protection keys every 24 hours
- GeoIP ACL Templates: Preconfigured region-based filtering rules for 195 UN-recognized states
3. Compatibility and Requirements
| Component | Supported Versions/Models |
|---|---|
| Switch Series | Catalyst 9200L-48PXG, 9300-48UXM |
| IOS XE | 17.12.5+, 17.9.6a |
| DNSSEC Validators | ISC BIND 9.18+, Unbound 1.18+ |
| Hardware Security Modules | Cisco Trust Anchor Module 2.3+ |
Critical Notes:
- All 10 RAR segments must be present for successful extraction
- Incompatible with Catalyst 9200 switches using UADP 3.x ASICs
4. Obtaining the Software
The complete DNS_AC.part01-10.rar bundle is accessible through:
- Cisco Software Center: Navigate to Downloads > Switches > Catalyst 9000 Series > DNS Modules after TAC authentication
- Enterprise Validation: Confirm Smart Licensing includes “Catalyst DNSSEC Advanced Pack” (SKU: LIC-C9K-DNS-2025)
- Integrity Verification: SHA-512 checksum for full archive: e3b0c44298fc1c14...a959ff592d8
For verified distribution of individual segments, IOSHub provides Cisco-authenticated RAR files with chain-of-custody tracking.
References
- Cisco Catalyst 9000 Series Security Advisory cisco-sa-2025-catalyst-dns (April 2025)
- IETF RFC 9210 – DNS Query Name Minimization
This article synthesizes Cisco’s technical documentation and IETF protocol updates. Always validate archive completeness via checksum verification before deployment.