Re: [fw-wiz] (no subject)
From: Barney Wolff (barney@pit.databus.com)
Date: 02/19/03
- Previous message: Loomis, Rip: "[fw-wiz] DNS UDP packets > 512 bytes (was: (no subject))"
- In reply to: Reckhard, Tobias: "RE: [fw-wiz] (no subject)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: Barney Wolff <barney@pit.databus.com> Date: Wed, 19 Feb 2003 15:38:02 -0500
On Wed, Feb 19, 2003 at 06:50:26AM +0100, Reckhard, Tobias wrote:
>
> I don't have much faith in how today's firewalls handle DNS, so I always use
> proxies and servers that I believe to be secure. However, the DNS standards
> say that DNS UDP responses must not be larger than 512 bytes, so a firewall
> is perfectly compliant if it drops those packets.
This is no longer true; see RFCs 2671 & 3226. A firewall that drops
UDP over 512 is impeding functionality with no offsetting gain in
security. Handling fragments is a more interesting case, but certainly
an unfragmented UDP DNS response should not be dropped simply because
of its size.
DNS should be handled by an ALG (e.g. a caching server) at the firewall,
to protect vulnerable implementations inside. That precaution is quite
independent of response size.
--
Barney Wolff http://www.databus.com/bwresume.pdf
I'm available by contract or FT, in the NYC metro area or via the 'Net.
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
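The size bound Barney refers to comes from EDNS0 (RFC 2671): a requester advertises the largest UDP payload it can accept in the CLASS field of an OPT pseudo-RR. The following is an added example, not code from the thread: it parses a DNS query, extracts that advertised size, and derives the response length a standards-aware firewall or ALG should expect instead of a flat 512 bytes. The packet builder, the query name and the function names are assumptions of this example.

```python
import struct

def build_query(name: str, udp_size=None) -> bytes:
    """Constructed sample query (not captured traffic): type A for `name`,
    optionally carrying an EDNS0 OPT pseudo-RR advertising `udp_size`."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 1 if udp_size else 0)
    qname = b"".join(struct.pack("B", len(l)) + l.encode() for l in name.split(".")) + b"\x00"
    question = qname + struct.pack("!HH", 1, 1)            # QTYPE=A, QCLASS=IN
    if udp_size is None:
        return header + question
    # OPT RR (RFC 2671 s.4): root name, TYPE 41, CLASS = UDP payload size,
    # TTL = extended RCODE/version/flags (all zero here), RDLEN 0.
    opt = b"\x00" + struct.pack("!HHIH", 41, udp_size, 0, 0)
    return header + question + opt

def skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past the domain name at `off` (handles compression pointers)."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:       # two-byte compression pointer ends the name
            return off + 2
        off += 1 + length
        if length == 0:
            return off

def edns_udp_size(msg: bytes):
    """Advertised UDP payload size from the OPT pseudo-RR, or None when the
    message has no EDNS0 and the plain RFC 1035 limit of 512 applies."""
    if len(msg) < 12:
        return None
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4    # skip QTYPE and QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        if off + 10 > len(msg):          # truncated RR: treat as no usable OPT
            return None
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == 41:
            return rclass                # CLASS field carries the payload size
        off += 10 + rdlen
    return None

def allowed_response_len(query: bytes) -> int:
    """Largest UDP response a filter should expect for this query; EDNS0 values
    below 512 are treated as 512 (RFC 2671 s.4.5)."""
    size = edns_udp_size(query)
    return max(size or 512, 512)
```

A filter that tracks the query can therefore judge a 1500-byte response against the requester's own 4096-byte advertisement rather than against 512.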