RE: [fw-wiz] DNS UDP packets > 512 bytes (was: (no subject))

From: Reckhard, Tobias (tobias.reckhard@secunet.com)
Date: 02/20/03

  • Next message: Carson Gaspar: "Re: [fw-wiz] Query on OS hardening" 
    From: "Reckhard, Tobias" <tobias.reckhard@secunet.com>
To: firewall-wizards@honor.icsalabs.com
Date: Thu, 20 Feb 2003 06:49:19 +0100

    > Not true, although it's a common misconception. There is a
    > DNS enhancement (EDNS0) that (if implemented on both an authoritative
    > server and a resolver or recursive server) allows UDP responses
    > larger than 512 bytes. If the two ends of a DNS transaction
    > think that EDNS0 is in use but an intervening network device
    > drops the large packets, then DNS resolution will break.
    >
    > This means that a firewall that drops UDP packets > 512 bytes
    > is *not* "perfectly compliant". Hopefully the firewall implementors
    > are starting to be aware of this...

    Yes, EDNS0 exists, but AFAIK it's not an Internet Standard (feel free to
    prove me wrong, I'll happily accept being corrected). It's in the standards
    track, but it's not to be found at http://www.rfc-editor.org/rfcxx00.html
    with data as of Feb 19, 2003. Therefore, firewalls that don't support can
    indeed claim to be "perfectly compliant with the Official Internet Protocol
    Standards", at least as far as this issue goes.

    However, since there appears to be an installed base of software that
    supports it, perhaps firewall developers should indeed extend their
    DNS-handling code appropriately.

    Cheers,
    Tobias
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

    Relevant Pages

    • Re: For Microsoft Partners and Customers Who Cant Download or Access
      ... to reconfigure the firewall, but to use a static IP on your client ... and to make sure that the DNS server entries on the client are ... Microsoft for msdn2.microsoft.com. ... use a static IP and set the DNS server addresses to the DNS ...
      (microsoft.public.dotnet.general)
    • Re: loss of SOME connectivity
      ... I "think" it is DNS. ... Yes, I can ping the router, AND the ISP DNS. ... I cannot connect the inet cable directly to the server because the inet is ... MS firewall not started. ...
      (microsoft.public.windows.server.sbs)
    • Re: E-Mail Address Cant Receive E-Mail from *Some* External Organizations
      ... The fact that _some_ messages are delivered is because they are sent from different IPs, so double-check your firewall settings. ... So, that looks right to me, anyway; both resolve to the proper IP address of the external interface for our firewall, and the only difference is that for "company.org" our ISP's mail server acts as a backup server in case our internal mail server is down. ... However, if I send a message to "me@xxxxxxxxxxxxxxxx" from my Yahoo e-mail account, I get an NDR returned to my Yahoo account. ... I have checked with our ISP who handles our DNS settings, and they indicate that all appears to be in order with our DNS and MX records. ...
      (microsoft.public.exchange.admin)
    • RE: Firewall Rule Set not allowing access to DNS servers?
      ... I changed the DNS rules as you suggested, and the firewall works perfectly - ... > # Allow out access to my ISP's Domain name server. ... > so your udp packets never match this rule and default to ...
      (freebsd-questions)
    • Re: What can make DNS lookups slow? [semi-solved]
      ... >DLM> You have a ADSL connection to the Internet. ... >DLM> your firewall as eth0. ... >DLM> server machine. ... >DLM> want an authoritative DNS server for this subnet. ...
      (Debian-User)