Educause Security Discussion mailing list archives

Re: Windows 2008 Server R2 SECDNS Blocked


From: Valdis Kletnieks <Valdis.Kletnieks () VT EDU>
Date: Fri, 25 Sep 2009 10:41:52 -0400

On Thu, 24 Sep 2009 11:14:12 EDT, Daniel Bennett said:
> Has anyone run into their DNS traffic being blocked by their firewall because
> the reply packet from the Root Hints is greater than 512 Bytes?

This usually means the firewall is old and doesn't know about EDNS0,
which is a way for DNS clients to indicate in the query that they
support (among other things) UDP packets bigger than 512.  A properly
configured DNS server will do one of two things if the reply is over 512:

1) If EDNS0 was requested, it will reply with the larger packet (it does
so *only* if it knows the destination supports it because it was requested).

2) If not, it sends the short packet and the too-long bit set in the
answer, and the client is supposed to retry via TCP.

This is another "It's been in the pipe for a decade" problem:

2671 Extension Mechanisms for DNS (EDNS0). P. Vixie. August 1999.
     (Format: TXT=15257 bytes) (Status: PROPOSED STANDARD)
http://www.faqs.org/rfcs/rfc2671.html

Complain to your vendor. ;)

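The two behaviours described in the reply (an EDNS0-aware client advertising a larger UDP size in its query, and a server that otherwise sends a short reply with the truncation bit set so the client retries over TCP), worked through in Python. This is an added example, not code from the mail or from the list; all packet bytes are constructed inline, the server names and 192.0.2.x glue addresses are made up, and nothing touches the network. It also shows why a middlebox that only knows the RFC 1035 512-byte limit drops the larger reply even though both ends negotiated it.

```python
"""EDNS0 query construction, TC-bit handling and the legacy 512-byte UDP limit.

Added example (not from the original mail). Names, addresses and sizes are
constructed for illustration; no packets are sent.
"""
import struct

TYPE_A = 1
TYPE_NS = 2
TYPE_OPT = 41            # EDNS0 OPT pseudo-RR (RFC 2671)
CLASS_IN = 1
CLASSIC_UDP_LIMIT = 512  # RFC 1035 ceiling that pre-EDNS0 middleboxes enforce
FLAG_QR = 0x8000
FLAG_TC = 0x0200         # truncated: reply did not fit, client should retry over TCP
FLAG_RD = 0x0100
FLAG_RA = 0x0080


def encode_name(name):
    """Wire-format domain name (no compression); '.' encodes as a single zero byte."""
    labels = [l for l in name.strip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, qtype, txid, udp_payload=None):
    """DNS query with RD set; with udp_payload, append an OPT RR advertising that UDP size."""
    arcount = 0 if udp_payload is None else 1
    msg = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, arcount)
    msg += encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)
    if udp_payload is not None:
        # OPT RR: root owner name, TYPE 41, CLASS field carries the UDP payload size,
        # TTL field carries extended RCODE/version/flags (all zero), RDLENGTH 0.
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_payload, 0, 0)
    return msg


def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def parse_message(msg):
    """Header fields plus the OPT payload size found in the additional section (None if absent)."""
    txid, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4          # QTYPE + QCLASS
    advertised = None
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        if rtype == TYPE_OPT:
            advertised = rclass               # CLASS of OPT = sender's UDP payload size
        off += 10 + rdlen
    return {"id": txid, "truncated": bool(flags & FLAG_TC), "rcode": flags & 0xF,
            "answers": an, "edns_payload": advertised, "size": len(msg)}


def build_response(query, truncated=False, udp_payload=None, ns_names=(), glue=()):
    """Priming-style response: NS records for the question name plus A glue (constructed)."""
    txid = struct.unpack_from("!H", query, 0)[0]
    question = query[12:skip_name(query, 12) + 4]
    flags = FLAG_QR | FLAG_RD | FLAG_RA | (FLAG_TC if truncated else 0)
    answers = b"".join(
        b"\x00" + struct.pack("!HHIH", TYPE_NS, CLASS_IN, 3600000, len(encode_name(n))) + encode_name(n)
        for n in ns_names)
    additional = b"".join(
        encode_name(n) + struct.pack("!HHIH", TYPE_A, CLASS_IN, 3600000, 4) + bytes(ip)
        for n, ip in glue)
    if udp_payload is not None:
        additional += b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_payload, 0, 0)
    arcount = len(glue) + (0 if udp_payload is None else 1)
    return struct.pack("!HHHHHH", txid, flags, 1, len(ns_names), 0, arcount) + question + answers + additional


def next_step(reply):
    """What a conforming client does with a UDP reply: accept it, or retry the query over TCP."""
    return "retry over TCP" if parse_message(reply)["truncated"] else "accept"


def blocked_by_legacy_firewall(reply, limit=CLASSIC_UDP_LIMIT):
    """A middlebox unaware of EDNS0 drops any UDP DNS reply over 512 bytes, whatever OPT negotiated."""
    return len(reply) > limit


def demo():
    # Constructed root-like server set: 13 names, TEST-NET-1 glue addresses.
    ns_names = [f"{chr(ord('a') + i)}.root-servers.example" for i in range(13)]
    glue = [(n, (192, 0, 2, i + 1)) for i, n in enumerate(ns_names)]
    q_plain = build_query(".", TYPE_NS, 0x1234)
    q_edns = build_query(".", TYPE_NS, 0x1235, udp_payload=4096)
    # Case 1: query carried OPT, so the server may send the whole reply in one UDP packet.
    full = build_response(q_edns, udp_payload=4096, ns_names=ns_names, glue=glue)
    # Case 2: no OPT, so the server stays under 512 bytes, sets TC and sends a short reply.
    short = build_response(q_plain, truncated=True)
    return {
        "query_advertises": parse_message(q_edns)["edns_payload"],
        "full_size": len(full),
        "full_truncated": parse_message(full)["truncated"],
        "full_blocked_by_legacy": blocked_by_legacy_firewall(full),
        "short_size": len(short),
        "short_truncated": parse_message(short)["truncated"],
        "short_action": next_step(short),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The full reply here is 977 bytes: legitimate because the client advertised 4096 in its OPT record, yet exactly the packet a 512-byte-only firewall discards, which is the symptom in the original question. The short reply is 17 bytes with TC set, and `next_step` returns the TCP fallback the reply describes.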