Firewall Wizards mailing list archives
DNS UDP packets > 512 bytes (was: (no subject))
From: "Loomis, Rip" <GILBERT.R.LOOMIS () saic com>
Date: Wed, 19 Feb 2003 14:16:38 -0500
> I don't have much faith in how today's firewalls handle DNS, so I always use proxies and servers that I believe to be secure. However, the DNS standards say that DNS UDP responses must not be larger than 512 bytes, so a firewall is perfectly compliant if it drops those packets.
Not true, although it's a common misconception. There is a DNS enhancement (EDNS0) that (if implemented on both an authoritative server and a resolver or recursive server) allows UDP responses larger than 512 bytes. If the two ends of a DNS transaction think that EDNS0 is in use but an intervening network device drops the large packets, then DNS resolution will break. This means that a firewall that drops UDP packets > 512 bytes is *not* "perfectly compliant". Hopefully the firewall implementors are starting to be aware of this...

--
Rip Loomis
Senior Systems Security Engineer, SAIC Enterprise Security Solutions
Brainbench MVP for Internet Security | http://www.brainbench.com

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
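As an added illustration of the EDNS0 failure mode Rip describes (this is not code from the original post), the following Python builds a query carrying an OPT pseudo-RR that advertises a larger UDP payload size, synthesizes a reply big enough to exceed 512 bytes, and reports whether a firewall that drops UDP datagrams above 512 bytes would silently discard it even though the server never set the TC bit. Function names are my own and the 192.0.2.x addresses are constructed sample data.

```python
import struct

OPT_TYPE = 41  # EDNS0 OPT pseudo-RR (RFC 2671, now RFC 6891)

def _encode_name(name):
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def _skip_name(msg, off):
    while True:  # advance past a wire-format name; a compression pointer (top two bits set) ends it
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length

def build_edns0_query(name, udp_size=4096, txid=0x1234):
    """A-record query carrying an OPT RR that advertises the resolver's UDP payload size."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD set; 1 question, 1 additional
    question = _encode_name(name) + struct.pack("!HH", 1, 1)   # QTYPE A, QCLASS IN
    # OPT RR: root name, TYPE 41, CLASS carries the UDP size, TTL = ext-rcode/version/flags, RDLEN 0
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_size, 0, 0)
    return header + question + opt

def build_edns0_response(query, addresses, udp_size=4096):
    """Constructed reply: one A RR per address (name compressed to offset 12) plus the server's OPT RR."""
    qend = _skip_name(query, 12) + 4
    header = query[:2] + struct.pack("!HHHHH", 0x8180, 1, len(addresses), 0, 1)  # QR, RD, RA set
    answers = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)
                       + bytes(int(o) for o in a.split(".")) for a in addresses)
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_size, 0, 0)
    return header + query[12:qend] + answers + opt

def inspect(msg):
    """Report what a 512-byte-only filter would do with this datagram and whether EDNS0 is in play."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4
    edns_size = None
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == OPT_TYPE:
            edns_size = rclass  # for OPT, the CLASS field is the advertised UDP payload size
        off += 10 + rdlen
    return {"length": len(msg), "answers": an, "truncated": bool(flags & 0x0200),
            "edns_udp_size": edns_size, "dropped_by_512_filter": len(msg) > 512}
```

With forty A records the constructed reply is 680 bytes with TC clear and a 4096-byte EDNS0 size on both sides, so neither end has any reason to retry over TCP; a 512-byte UDP filter in the path simply makes the lookup time out.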
Current thread:
- DNS UDP packets > 512 bytes (was: (no subject)) Loomis, Rip (Feb 19)
- <Possible follow-ups>
- RE: DNS UDP packets > 512 bytes (was: (no subject)) Reckhard, Tobias (Feb 20)