[fw-wiz] (no subject)

From: Mike Hoskins (mike@adept.org)
Date: 02/19/03

    From: Mike Hoskins <mike@adept.org>
    To: firewall-wizards@honor.icsalabs.com
    Date: Tue, 18 Feb 2003 16:30:58 -0800 (PST)

    From: David Lang <david.lang@digitalinsight.com>
    Date: Mon, 17 Feb 2003 20:56:16 -0800 (PST)
    Subject: Re: [fw-wiz] Allowing DNS servers to operate behind NetScreen 500
    > also some large websites don't load balance behind a single IP address,
    > instead they use lots of IP addresses.
    > web:~# dig cnn.com

    Inclusion of a large number of any RR can cause the problem.
    mail.yahoo.com is a common example I've seen, as a result of a large
    number of authoritative nameservers. Over time they slowly added more
    servers... Queries used to fit within 512 datagrams, then one day they
    suddenly didn't. In short there are a lot of reasons a valid response may
    not fit within 512 datagrams.

    Not only will this break through various commercial firewalls, but
    improperly configured open-source variants as well. (Discarded UDP

    mike@mojo{mike}$ dig mail.yahoo.com
    ;; Total query time: 29 msec
    ;; FROM: mojo.televoke.net to SERVER: default --
    ;; WHEN: Tue Feb 18 16:22:08 2003
    ;; MSG SIZE sent: 32 rcvd: 522

    firewall-wizards mailing list
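The growth the post describes (a zone adding authoritative servers until one day the response no longer fits a 512-byte UDP datagram, and the TC fallback to TCP that a firewall must then permit) can be reproduced with a small wire-format encoder. This is an added example, not code from the post or the list; the NS names under `constructed.example` and the 0x1234 query ID are constructed, and the header-plus-question truncation is one common server behaviour rather than the only permitted one.

```python
import struct

UDP_LIMIT = 512  # RFC 1035 maximum UDP payload without EDNS0

def encode_name(name: str) -> bytes:
    """Dotted name -> uncompressed wire-format labels ending in a zero byte."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"

def build_response(qname: str, ns_names: list, ttl: int = 3600) -> bytes:
    """Uncompressed NS response: header, one question, one NS RR per server.
    Flags 0x8180 = QR, RD, RA; QDCOUNT=1, ANCOUNT=len(ns_names). Query ID 0x1234 is constructed."""
    msg = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, len(ns_names), 0, 0)
    msg += encode_name(qname) + struct.pack("!HH", 2, 1)       # QTYPE=NS, QCLASS=IN
    for ns in ns_names:
        rdata = encode_name(ns)
        msg += encode_name(qname) + struct.pack("!HHIH", 2, 1, ttl, len(rdata)) + rdata
    return msg

def udp_reply(msg: bytes, limit: int = UDP_LIMIT) -> bytes:
    """What a server puts on the wire over UDP: the whole message if it fits,
    otherwise header + question only with TC=1, so the resolver retries over TCP.
    A firewall that drops TCP/53 (or UDP datagrams over 512 bytes) breaks that retry."""
    if len(msg) <= limit:
        return msg
    off = 12
    while msg[off] != 0:          # skip the question name's labels
        off += 1 + msg[off]
    hdr = bytearray(msg[:12])
    hdr[2] |= 0x02                # TC bit (bit 1 of the high flags byte)
    hdr[6:8] = b"\x00\x00"        # ANCOUNT = 0: the answers were dropped
    return bytes(hdr) + msg[12:off + 5]   # name's zero byte + QTYPE + QCLASS

def servers_until_overflow(qname: str, template: str = "ns{}.constructed.example"):
    """Add one authoritative server at a time, as the post describes, and return
    (server count, response size) for the first response that exceeds 512 bytes."""
    names = []
    while True:
        names.append(template.format(len(names) + 1))   # constructed NS names
        size = len(build_response(qname, names))
        if size > UDP_LIMIT:
            return len(names), size

if __name__ == "__main__":
    n, size = servers_until_overflow("mail.yahoo.com")
    full = build_response("mail.yahoo.com", ["ns%d.constructed.example" % i for i in range(1, n + 1)])
    print(f"{n} NS records -> {size} bytes; UDP reply shrinks to {len(udp_reply(full))} bytes with TC set")
```

With no answers the message is 32 bytes, the same size dig reported for the query itself, so each uncompressed NS record is what pushes it toward and past the limit.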