Firewall Wizards mailing list archives

DNS UDP packets > 512 bytes (was: (no subject))


From: "Loomis, Rip" <GILBERT.R.LOOMIS () saic com>
Date: Wed, 19 Feb 2003 14:16:38 -0500


> I don't have much faith in how today's firewalls handle DNS, so I always use
> proxies and servers that I believe to be secure. However, the DNS standards
> say that DNS UDP responses must not be larger than 512 bytes, so a firewall
> is perfectly compliant if it drops those packets.

Not true, although it's a common misconception.  There is a
DNS enhancement (EDNS0) that (if implemented on both an authoritative
server and a resolver or recursive server) allows UDP responses
larger than 512 bytes.  If the two ends of a DNS transaction
think that EDNS0 is in use but an intervening network device
drops the large packets, then DNS resolution will break.

This means that a firewall that drops UDP packets > 512 bytes
is *not* "perfectly compliant".  Hopefully the firewall implementors
are starting to be aware of this...

--
Rip Loomis
Senior Systems Security Engineer, SAIC Enterprise Security Solutions
Brainbench MVP for Internet Security  |  http://www.brainbench.com  
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
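The following is an added example, not part of the original post, showing the mechanism Rip describes: a client advertises the larger UDP payload size it can accept by appending an EDNS0 OPT pseudo-RR (RFC 6891: owner name is the root, TYPE 41, and the CLASS field carries the requestor's UDP payload size) to its query. The `naive_rule_breaks()` helper is a hypothetical check a firewall administrator could use to see when a blanket "drop DNS/UDP > 512 bytes" rule would discard a response the client explicitly asked to receive. The query name and sizes are constructed for the example.

```python
import struct

DNS_CLASSIC_MAX_UDP = 512   # RFC 1035 limit for DNS over UDP without EDNS0
TYPE_OPT = 41               # EDNS0 OPT pseudo-RR type (RFC 6891)


def encode_name(name):
    """Encode a dotted name into DNS wire format (length-prefixed labels)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=1, txn_id=0x1234, edns_udp_size=None):
    """Build a standard DNS query; if edns_udp_size is given, add an OPT RR
    advertising that UDP payload size (this is what enables >512-byte answers)."""
    arcount = 1 if edns_udp_size else 0
    header = struct.pack("!HHHHHH", txn_id, 0x0100, 1, 0, 0, arcount)  # RD set
    question = encode_name(name) + struct.pack("!HH", qtype, 1)         # IN class
    msg = header + question
    if edns_udp_size:
        # OPT RR: root name, TYPE=41, CLASS=UDP payload size,
        # TTL=extended RCODE/version/flags (all zero), RDLENGTH=0
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, edns_udp_size, 0, 0)
    return msg


def parse_name(msg, offset):
    """Read a wire-format name, following compression pointers.
    Returns (name, offset_after_name)."""
    labels = []
    jumped = False
    next_off = offset
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                      # compression pointer
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                next_off = offset + 2
            jumped = True
            offset = pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    if not jumped:
        next_off = offset
    return ".".join(labels) + ".", next_off


def advertised_udp_size(msg):
    """Return the EDNS0 UDP payload size advertised in a DNS message,
    or None if the message carries no OPT RR (plain RFC 1035 DNS)."""
    _txn, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = parse_name(msg, off)
        off += 4                                        # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        _, off = parse_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == TYPE_OPT:
            return rclass                               # CLASS field = UDP size
        off += rdlen
    return None


def naive_rule_breaks(query, response_len):
    """Hypothetical firewall check: True when a rule dropping DNS/UDP
    datagrams over 512 bytes would discard a response that the client's
    query (via EDNS0) said it could accept."""
    accepted = advertised_udp_size(query) or DNS_CLASSIC_MAX_UDP
    return DNS_CLASSIC_MAX_UDP < response_len <= accepted


if __name__ == "__main__":
    q = build_query("example.com.", edns_udp_size=4096)   # constructed query
    print("advertised:", advertised_udp_size(q))
    print("1200-byte reply dropped by 512 rule:", naive_rule_breaks(q, 1200))
```

A plain query without the OPT RR never solicits a >512-byte UDP answer (a compliant server sets TC and the client retries over TCP), so the check only flags breakage when the client actually advertised a larger size.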

