Firewall Wizards mailing list archives

(no subject)


From: Mike Hoskins <mike () adept org>
Date: Tue, 18 Feb 2003 16:30:58 -0800 (PST)

From: David Lang <david.lang () digitalinsight com>
Date: Mon, 17 Feb 2003 20:56:16 -0800 (PST)
Subject: Re: [fw-wiz] Allowing DNS servers to operate behind NetScreen 500
also some large websites don't load balance behind a single IP address,
instead they use lots of IP addresses.
<snip>
web:~# dig cnn.com
<snip>

Inclusion of a large number of any RR can cause the problem.
mail.yahoo.com is a common example I've seen, as a result of a large
number of authoritative nameservers.  Over time they slowly added more
servers...  Queries used to fit within 512 datagrams, then one day they
suddenly didn't.  In short, there are a lot of reasons a valid response may
not fit within 512 datagrams.

Not only will this break through various commercial firewalls, but
improperly configured open-source variants as well.  (Discarded UDP
fragments.)

mike@mojo{mike}$ dig mail.yahoo.com
<snip>
;; Total query time: 29 msec
;; FROM: mojo.televoke.net to SERVER: default -- 10.0.100.90
;; WHEN: Tue Feb 18 16:22:08 2003
;; MSG SIZE  sent: 32  rcvd: 522

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
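To illustrate the growth-past-512-bytes point above, here is an added example (not code from the thread or its posters): it builds uncompressed DNS NS responses in wire format for a growing, constructed list of nameservers, finds the server count at which the reply no longer fits a classic 512-byte UDP datagram, and reads the TC bit a resolver checks before retrying over TCP. The names used are placeholders, not real records.

```python
import struct

DNS_UDP_MAX = 512  # RFC 1035 UDP payload limit when EDNS0 is not negotiated

def encode_name(name):
    """Encode a dotted name in DNS wire format (labels, no compression pointers)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_ns_response(qname, nameservers, tc=False):
    """Construct an authoritative response carrying one NS RR per nameserver.

    Real servers compress repeated names, so their replies are somewhat smaller;
    real replies also often carry glue A records, which make them larger.
    """
    flags = 0x8400 | (0x0200 if tc else 0)  # QR=1, AA=1, optionally TC=1
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, len(nameservers), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 2, 1)  # QTYPE=NS, QCLASS=IN
    answers = b""
    for ns in nameservers:
        rdata = encode_name(ns)
        # owner name, TYPE=NS, CLASS=IN, TTL, RDLENGTH, then the NSDNAME
        answers += encode_name(qname) + struct.pack("!HHIH", 2, 1, 3600, len(rdata)) + rdata
    return header + question + answers

def is_truncated(msg):
    """Return True if the TC bit is set, i.e. the client should retry over TCP."""
    return bool(struct.unpack("!H", msg[2:4])[0] & 0x0200)

def first_count_exceeding_limit(qname, ns_template, max_servers=64, limit=DNS_UDP_MAX):
    """Smallest number of NS records at which the uncompressed reply exceeds `limit`."""
    for n in range(1, max_servers + 1):
        servers = [ns_template.format(i) for i in range(1, n + 1)]
        if len(build_ns_response(qname, servers)) > limit:
            return n
    return None

if __name__ == "__main__":
    # Constructed example zone: the 11th nameserver pushes the reply past 512 bytes
    n = first_count_exceeding_limit("mail.example.com", "ns{}.example.com")
    print(f"reply exceeds {DNS_UDP_MAX} bytes once {n} NS records are present")
```

A firewall that drops UDP fragments or blocks 53/tcp turns that threshold into a sudden resolution failure, so the size of large replies (as in the `MSG SIZE` line above) is worth monitoring as a zone grows.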