[fw-wiz] (no subject)
From: Mike Hoskins (mike@adept.org)
Date: 02/19/03
From: Mike Hoskins <mike@adept.org>
To: firewall-wizards@honor.icsalabs.com
Date: Tue, 18 Feb 2003 16:30:58 -0800 (PST)
From: David Lang <david.lang@digitalinsight.com>
Date: Mon, 17 Feb 2003 20:56:16 -0800 (PST)
Subject: Re: [fw-wiz] Allowing DNS servers to operate behind NetScreen 500
> also some large websites don't load balance behind a single IP address,
> instead they use lots of IP addresses.
<snip>
> web:~# dig cnn.com
<snip>
Inclusion of a large number of any RR can cause the problem.
mail.yahoo.com is a common example I've seen, as a result of a large
number of authoritative nameservers. Over time they slowly added more
servers... Queries used to fit within 512 datagrams, then one day they
suddenly didn't. In short there are a lot of reasons a valid response may
not fit with 512 datagrams.
Not only will this break through various commercial firewalls, but
improperly configured opensource variants as well. (Discarded UDP
fragments.)
mike@mojo{mike}$ dig mail.yahoo.com
<snip>
;; Total query time: 29 msec
;; FROM: mojo.televoke.net to SERVER: default -- 10.0.100.90
;; WHEN: Tue Feb 18 16:22:08 2003
;; MSG SIZE sent: 32 rcvd: 522
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
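
An added example, not part of the original post: it builds wire-format DNS messages to show how a response grows as nameservers are added until it passes the 512-byte limit for plain UDP, where a firewall that caps DNS datagrams or discards UDP fragments would drop it. The name mail.example.com, the nsN host names, the addresses and the record counts are constructed for illustration.

```python
import struct

LEGACY_UDP_LIMIT = 512  # RFC 1035 size limit for DNS over UDP without EDNS0

def encode_name(name):
    """Encode a domain name as length-prefixed labels, uncompressed."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def pointer(offset):
    """DNS compression pointer to an earlier offset in the message."""
    return struct.pack("!H", 0xC000 | offset)

def rr(owner, rtype, rdata, ttl=300):
    """One resource record, class IN."""
    return owner + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata

def build_query(qname):
    """Plain A query: 12-byte header plus one question."""
    header = struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", 1, 1)

def build_response(qname, n_answers, n_nameservers):
    """Response with A answers plus one NS record and one glue A per nameserver."""
    msg = struct.pack("!6H", 0x1234, 0x8180, 1, n_answers, n_nameservers, n_nameservers)
    msg += encode_name(qname) + struct.pack("!HH", 1, 1)
    # Parent zone = question name minus its first label (constructed layout).
    zone = pointer(12 + 1 + len(qname.split(".")[0]))
    for i in range(n_answers):
        msg += rr(pointer(12), 1, bytes([192, 0, 2, i + 1]))       # A, owner = qname
    ns_offsets = []
    for i in range(n_nameservers):
        host = ("ns%d" % (i + 1)).encode("ascii")
        ns_offsets.append(len(msg) + 12)  # rdata follows 2-byte owner + 10 fixed bytes
        msg += rr(zone, 2, bytes([len(host)]) + host + zone)       # NS in authority
    for i, off in enumerate(ns_offsets):
        msg += rr(pointer(off), 1, bytes([198, 51, 100, i + 1]))   # glue in additional
    return msg

def first_overflow(qname, n_answers):
    """Smallest nameserver count whose response no longer fits in 512 bytes."""
    n = 0
    while len(build_response(qname, n_answers, n)) <= LEGACY_UDP_LIMIT:
        n += 1
    return n

if __name__ == "__main__":
    for n in (4, 8, 13, 14):
        size = len(build_response("mail.example.com", 2, n))
        print(n, "nameservers:", size, "bytes",
              "fits" if size <= LEGACY_UDP_LIMIT else "exceeds 512")
```

The query builder reproduces the 32-byte "MSG SIZE sent" shown in the dig output for mail.yahoo.com; the response sizes come from the constructed records, not from the real zone.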