RE: [fw-wiz] (no subject)

From: Reckhard, Tobias (tobias.reckhard@secunet.com)
Date: 02/19/03

    From: "Reckhard, Tobias" <tobias.reckhard@secunet.com>
    To: firewall-wizards@honor.icsalabs.com
    Date: Wed, 19 Feb 2003 06:50:26 +0100
    

    On Wednesday, February 19, 2003 1:31 AM, Mike Hoskins wrote:
    > Inclusion of a large number of any RR can cause the problem.

    Yes.

    [snip]
    > suddenly didn't. In short there are a lot of reasons a valid response may
    > not fit with 512 datagrams.

    No dispute here and I am the last to want to forbid large DNS responses. I
    think they should be avoided where possible. I am also of the opinion that
    quite often there are better solutions to the problems leading to them, load
    balancing probably being the most prominent.

    > Not only will this break through various commercial firewalls, but
    > improperly configured opensource variants as well. (Discarded UDP
    > fragments.)

    Well, fragments are a problem of their own, aren't they? I haven't seen a
    consensus on how they should best be treated yet. I wouldn't want to add
    them to this thread.

    I don't have much faith in how today's firewalls handle DNS, so I always use
    proxies and servers that I believe to be secure. However, the DNS standards
    say that DNS UDP responses must not be larger than 512 bytes, so a firewall
    is perfectly compliant if it drops those packets.

    Extending the standards to allow for larger packets or multiple UDP
    datagrams per response could be useful, no disagreement from me there.
    However, it is not necessary for large responses to work, there's a
    mechanism for that there already. So the question is whether the additional
    complexity introduced by the extension of the standards and the expense
    caused to large amounts of deployed software is outweighed by the savings
    they incur.

    Tobias
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
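The two behaviours the message turns on, a UDP/53 filter that drops anything over 512 bytes and the existing mechanism for large answers (RFC 1035 truncation: set the TC bit, client retries over TCP), can be seen side by side in the following script. This is an added example for this archive page, not code posted by anyone in the thread or taken from any firewall or DNS product. It assumes a hypothetical name `www.example.com` with 20 constructed A records, builds the answer without name compression (a real server compresses and so fits more RRs), and does not use EDNS0, which is the extension the message discusses.

```python
import struct

# RFC 1035 section 4.2.1: UDP messages are limited to 512 bytes.  No EDNS0 here.
DNS_UDP_MAX = 512
FLAG_QR = 0x8000   # response
FLAG_TC = 0x0200   # truncated: the client is expected to retry over TCP

# Constructed sample data, not real hosts: 20 A records for one name.
QNAME = "www.example.com"
ADDRESSES = ["10.0.0.%d" % i for i in range(1, 21)]


def encode_name(name):
    """Wire-format a domain name as length-prefixed labels (no compression)."""
    labels = name.rstrip(".").split(".")
    wire = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels)
    return wire + b"\x00"


def build_response(qname, addresses, txid=0x1234, flags=FLAG_QR):
    """Build an uncompressed DNS response with one A RR (TTL 300) per address."""
    header = struct.pack("!HHHHHH", txid, flags, 1, len(addresses), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    answers = b""
    for ip in addresses:
        rdata = bytes(int(octet) for octet in ip.split("."))
        answers += encode_name(qname) + struct.pack("!HHIH", 1, 1, 300, 4) + rdata
    return header + question + answers


def truncate_for_udp(qname, addresses, txid=0x1234):
    """Return (datagram, truncated).  Drop whole trailing RRs until the message
    fits in 512 bytes; if anything was dropped, set TC so the client retries over TCP."""
    kept = list(addresses)
    while kept and len(build_response(qname, kept, txid)) > DNS_UDP_MAX:
        kept.pop()
    truncated = len(kept) < len(addresses)
    flags = FLAG_QR | (FLAG_TC if truncated else 0)
    return build_response(qname, kept, txid, flags), truncated


def strict_udp_filter_drops(datagram):
    """A 'standards-compliant' UDP/53 filter of the kind the message describes:
    any datagram over 512 bytes is dropped."""
    return len(datagram) > DNS_UDP_MAX


def client_should_retry_tcp(datagram):
    """Resolver side: a set TC bit means the answer is incomplete; retry over TCP."""
    flags = struct.unpack("!H", datagram[2:4])[0]
    return bool(flags & FLAG_TC)


def tcp_frame(message):
    """DNS over TCP prefixes each message with its 16-bit length (RFC 1035 4.2.2)."""
    return struct.pack("!H", len(message)) + message


if __name__ == "__main__":
    full = build_response(QNAME, ADDRESSES)
    print("full response: %d bytes, dropped by strict filter: %s"
          % (len(full), strict_udp_filter_drops(full)))
    dgram, truncated = truncate_for_udp(QNAME, ADDRESSES)
    print("udp datagram: %d bytes, TC=%s, dropped: %s"
          % (len(dgram), truncated, strict_udp_filter_drops(dgram)))
    if client_should_retry_tcp(dgram):
        print("client retries over TCP and receives %d framed bytes" % len(tcp_frame(full)))
```

With 20 uncompressed A records the full answer is 653 bytes and a strict 512-byte filter drops it; the truncated datagram keeps 15 records (498 bytes), carries TC, passes the filter, and the resolver fetches the complete answer over TCP, which is the path the firewall must also allow for the mechanism to work.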
