RE: [fw-wiz] DNS UDP packets > 512 bytes (was: (no subject))

From: Reckhard, Tobias (
Date: 02/20/03

  • Next message: Carson Gaspar: "Re: [fw-wiz] Query on OS hardening"
    From: "Reckhard, Tobias" <>
    Date: Thu, 20 Feb 2003 06:49:19 +0100

    > Not true, although it's a common misconception. There is a
    > DNS enhancement (EDNS0) that (if implemented on both an authoritative
    > server and a resolver or recursive server) allows UDP responses
    > larger than 512 bytes. If the two ends of a DNS transaction
    > think that EDNS0 is in use but an intervening network device
    > drops the large packets, then DNS resolution will break.
    > This means that a firewall that drops UDP packets > 512 bytes
    > is *not* "perfectly compliant". Hopefully the firewall implementors
    > are starting to be aware of this...

    Yes, EDNS0 exists, but AFAIK it's not an Internet Standard (feel free to
    prove me wrong, I'll happily accept being corrected). It's in the standards
    track, but it's not to be found at
    with data as of Feb 19, 2003. Therefore, firewalls that don't support can
    indeed claim to be "perfectly compliant with the Official Internet Protocol
    Standards", at least as far as this issue goes.

    However, since there appears to be an installed base of software that
    supports it, perhaps firewall developers should indeed extend their
    DNS-handling code appropriately.

    firewall-wizards mailing list