Re: [fw-wiz] How does your firewall handle DNS messages > 512 octets?
- From: Aaron Smith <smitha@xxxxxxxx>
- Date: Wed, 30 Aug 2006 10:47:22 -0600
We use a PIX, but rather than change its config we chose this:
C:\dnscmd DNSSERVER/Config /EnableEDnsProbes 0
Much easier and DNS still "just works."
@@ron Smith
On Tue, 2006-08-29 at 15:13 -0400, Dave Piscitello wrote:
Hi all,_______________________________________________
I am trying to understand how different firewalls behave when they
receive a UDP datagram containing a DNS message that uses EDNS0 (RFC
2671) to support message sizes greater than the 512 maximum specified in
RFC 1035 (original DNS).
Specifically,
- does your firewall block/silently discard such messages by default?
- do you know the command to allow the message if blocked by default?
I've found dozens of claims that firewalls don't handle EDNS0 correctly,
but after a long search, I've only found URLs indicating that Firewall-1
and Pix block by default and have workarounds.
I'm curious whether SonicWall, Netscreen, Symantec, etc. behave
similarly. I'd also be curious to learn the behavior of IPS devices and
DNS proxies (Watchguard, WinProxy, etc).
You can send replies directly to me and I'll compile responses and post
to the list to save electrons.
Thanks in advance,
Dave
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
- Next by Date: Re: [fw-wiz] How does your firewall handle DNS messages > 512 octets?
- Next by thread: Re: [fw-wiz] How does your firewall handle DNS messages > 512 octets?
- Index(es):
Relevant Pages
|
|
