Re: [fw-wiz] How does your firewall handle DNS messages > 512 octets?

From: Dave Piscitello <dave@xxxxxxxxxxx>
Date: Wed, 30 Aug 2006 15:01:00 -0400

Is this a commercial firewall or roll your own? If commercial which one?

Does your proxy do protocol anomaly detection? If yes, does it recognize AAAA resource records or does it treat them as "out of compliance"?

ArkanoiD wrote:

nuqneH,

Well, mine does cache/proxy so there is no packet size restriction per se..

On Tue, Aug 29, 2006 at 03:13:34PM -0400, Dave Piscitello wrote:
Hi all,

I am trying to understand how different firewalls behave when they receive a UDP datagram containing a DNS message that uses EDNS0 (RFC 2671) to support message sizes greater than the 512 maximum specified in RFC 1035 (original DNS).

Specifically,

- does your firewall block/silently discard such messages by default?
- do you know the command to allow the message if blocked by default?

I've found dozens of claims that firewalls don't handle EDNS0 correctly, but after a long search, I've only found URLs indicating that Firewall-1 and Pix block by default and have workarounds.

I'm curious whether SonicWall, Netscreen, Symantec, etc. behave similarly. I'd also be curious to learn the behavior of IPS devices and DNS proxies (Watchguard, WinProxy, etc).

begin:vcard
fn:David Piscitello
n:Piscitello;David
adr;dom:;;3 Myrtle Bank Lane;Hilton Head;SC;29926
email;internet:dave@xxxxxxxxxxx
x-mozilla-html:FALSE
url:http://hhi.corecom.com/weblogindex.htm
version:2.1
end:vcard

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards

Follow-Ups:
- Re: [fw-wiz] How does your firewall handle DNS messages > 512 octets?
  - From: ArkanoiD
- Re: [fw-wiz] How does your firewall handle DNS messages > 512 octets?
  - From: Patrick M. Hausen

References:
- Re: [fw-wiz] How does your firewall handle DNS messages > 512 octets?
  - From: ArkanoiD

Prev by Date: Re: [fw-wiz] How does your firewall handle DNS messages > 512 octets?
Next by Date: Re: [fw-wiz] Possible to do torrents through firewalls and via a proxy?
Previous by thread: Re: [fw-wiz] How does your firewall handle DNS messages > 512 octets?
Next by thread: Re: [fw-wiz] How does your firewall handle DNS messages > 512 octets?
Index(es):
- Date
- Thread

Relevant Pages

Re: Windows Firewall
... > Using XP Home with Microsoft firewall installed and turned on. ... > another commercial firewall? ... else using your computer) might download and install inadvertently. ... questionable out-going signals. ...
(microsoft.public.windowsxp.help_and_support)
Re: ZoneAlarm shuts down my DSL connection
... "It should be noted that Windows Firewall is not as secure as MS would ... want you to believe since it does half the job a commercial firewall ... Firewall only blocks or patrols incoming traffic and it can be easily ...
(comp.security.firewalls)
Re: Win XP SP2
... CMAR typed: ... > commercial firewall on one's system? ... You achieve no extra protection, ... third-party firewall will also monitor outbound traffic, ...
(microsoft.public.windowsxp.configuration_manage)
Re: Win XP SP2
... CMAR typed: ... > commercial firewall on one's system? ... You achieve no extra protection, ... third-party firewall will also monitor outbound traffic, ...
(microsoft.public.windowsxp.general)
Website setup questions.
... Create firewall rule to direct HTTP port 80 to the SBS External NIC ... Create firewall rule to point DNS port 53 to the SBS External NIC ... NICS to get this request to not timeout or be refused. ...
(microsoft.public.windows.server.sbs)