[fw-wiz] DNS UDP packets > 512 bytes (was: (no subject))

From: Loomis, Rip (GILBERT.R.LOOMIS@saic.com)
Date: 02/19/03

    From: "Loomis, Rip" <GILBERT.R.LOOMIS@saic.com>
    To: firewall-wizards@honor.icsalabs.com
    Date: Wed, 19 Feb 2003 14:16:38 -0500
    

    > I don't have much faith in how today's firewalls handle DNS, so I
    > always use proxies and servers that I believe to be secure. However,
    > the DNS standards say that DNS UDP responses must not be larger than
    > 512 bytes, so a firewall is perfectly compliant if it drops those
    > packets.

    Not true, although it's a common misconception. There is a
    DNS enhancement (EDNS0) that (if implemented on both an authoritative
    server and a resolver or recursive server) allows UDP responses
    larger than 512 bytes. If the two ends of a DNS transaction
    think that EDNS0 is in use but an intervening network device
    drops the large packets, then DNS resolution will break.

    This means that a firewall that drops UDP packets > 512 bytes
    is *not* "perfectly compliant". Hopefully the firewall implementors
    are starting to be aware of this...

    --
    Rip Loomis
    Senior Systems Security Engineer, SAIC Enterprise Security Solutions
    Brainbench MVP for Internet Security  |  http://www.brainbench.com  
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
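
The exchange Rip describes, worked through as an added example (this is not code from the original message or from the firewall-wizards list, and nothing here touches the wire). It builds a query carrying an EDNS0 OPT pseudo-record (RFC 2671 at the time of the thread, now RFC 6891), has a constructed authoritative server honour the advertised UDP payload size, and then passes the reply through a middlebox that drops UDP DNS packets over 512 bytes. The name `example.com`, the 4096-byte advertised size, the 40 A records and the `firewall()`/`resolve()` helpers are all assumptions made for the illustration.

```python
"""EDNS0 query/response construction and a 512-byte-dropping middlebox.
All packets are built in memory; nothing is sent on the network."""
import struct

OPT = 41        # RR type of the EDNS0 OPT pseudo-record (RFC 6891)
TYPE_A = 1
CLASS_IN = 1


def encode_name(name):
    """Encode a dotted name as uncompressed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=TYPE_A, txid=0x1234, edns_payload=4096):
    """Recursive query; edns_payload=None yields a classic pre-EDNS0 query."""
    arcount = 0 if edns_payload is None else 1
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # RD set
    pkt = header + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)
    if edns_payload is not None:
        # OPT RR: root name, TYPE=41, CLASS=UDP payload size,
        # TTL=extended rcode/version/flags (all zero), RDLEN=0.
        pkt += b"\x00" + struct.pack("!HHIH", OPT, edns_payload, 0, 0)
    return pkt


def skip_name(pkt, off):
    """Return the offset just past a (possibly compressed) name."""
    while True:
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:       # two-byte compression pointer
            return off + 2
        off += 1 + length


def parse(pkt):
    """Header fields, answer count, TC bit and advertised EDNS0 size."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(pkt, off) + 4
    edns_size = None
    for _ in range(an + ns + ar):
        off = skip_name(pkt, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT:
            edns_size = rclass          # CLASS carries the UDP payload size
    return {"id": txid, "tc": bool(flags & 0x0200), "answers": an,
            "edns_size": edns_size, "size": len(pkt)}


def answer(query, n_records, server_payload=4096):
    """Constructed authoritative server: n_records A records (10.0.x.y).
    Fits the reply into the client's EDNS0 size, or into 512 bytes with
    TC set when the client sent no OPT record (RFC 1035 behaviour)."""
    q = parse(query)
    limit = min(q["edns_size"], server_payload) if q["edns_size"] else 512
    question = query[12:skip_name(query, 12) + 4]
    opt = b"\x00" + struct.pack("!HHIH", OPT, server_payload, 0, 0) if q["edns_size"] else b""
    rrs, an = b"", 0
    for i in range(n_records):
        rr = (b"\xc0\x0c"               # pointer to the qname at offset 12
              + struct.pack("!HHIH", TYPE_A, CLASS_IN, 300, 4)
              + bytes([10, 0, i >> 8, i & 0xFF]))
        if 12 + len(question) + len(rrs) + len(rr) + len(opt) > limit:
            break
        rrs += rr
        an += 1
    tc = 0x0200 if an < n_records else 0
    header = struct.pack("!HHHHHH", q["id"], 0x8180 | tc, 1, an, 0, 1 if opt else 0)
    return header + question + rrs + opt


def firewall(pkt, max_udp=512):
    """Middlebox that silently drops UDP DNS packets larger than max_udp."""
    return pkt if len(pkt) <= max_udp else None


def resolve(name, n_records, strict_firewall, edns_payload=4096):
    """One UDP round trip. Returns ('answered', n), ('truncated', n) meaning
    retry over TCP, or ('timeout', 0) when the middlebox ate the reply."""
    reply = answer(build_query(name, edns_payload=edns_payload), n_records)
    if strict_firewall:
        reply = firewall(reply)
    if reply is None:
        return ("timeout", 0)
    r = parse(reply)
    return ("truncated" if r["tc"] else "answered", r["answers"])


if __name__ == "__main__":
    for fw in (False, True):
        print("EDNS0, 512-byte firewall=%s:" % fw, resolve("example.com", 40, fw))
    print("classic query:", resolve("example.com", 40, True, edns_payload=None))
```

With the firewall out of the path the 680-byte EDNS0 reply is delivered whole; with it in the path the same transaction simply times out, because both endpoints agreed on 4096 bytes and neither can see the drop. The classic query gets a 509-byte reply with TC set, which passes the firewall and tells the resolver to retry over TCP. Recursive servers of that era did retry without EDNS0 after repeated timeouts, but only after burning the timeout on every affected query, which is the breakage Rip is pointing at.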