Firewall Wizards mailing list archives
Re: (no subject)
From: Barney Wolff <barney () pit databus com>
Date: Wed, 19 Feb 2003 15:38:02 -0500
On Wed, Feb 19, 2003 at 06:50:26AM +0100, Reckhard, Tobias wrote:
> I don't have much faith in how today's firewalls handle DNS, so I always use proxies and servers that I believe to be secure. However, the DNS standards say that DNS UDP responses must not be larger than 512 bytes, so a firewall is perfectly compliant if it drops those packets.
This is no longer true; see RFCs 2671 & 3226. A firewall that drops UDP over 512 is impeding functionality with no offsetting gain in security. Handling fragments is a more interesting case, but certainly an unfragmented UDP DNS response should not be dropped simply because of its size.

DNS should be handled by an ALG (e.g. a caching server) at the firewall, to protect vulnerable implementations inside. That precaution is quite independent of response size.

-- 
Barney Wolff http://www.databus.com/bwresume.pdf
I'm available by contract or FT, in the NYC metro area or via the 'Net.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
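The point of the exchange above is that RFC 2671 (EDNS0) lets a resolver advertise, in an OPT pseudo-RR carried in the additional section of its query, a UDP payload size larger than the classic 512 bytes, so a filter that drops every DNS/UDP datagram over 512 bytes discards legitimate answers. The following is an added example written for this archive page, not code from either poster or from any firewall product. It builds a query with and without an EDNS0 OPT record, builds a constructed response of 40 A records (680 bytes, using the documentation names example.com and 192.0.2.0/24, which are assumptions), parses the response to read the TC bit and the advertised EDNS0 buffer size, and contrasts the naive "drop over 512" rule with a stateful check that accepts a response up to the size the client itself advertised (the `hard_cap` value is an arbitrary choice for the example).

```python
"""EDNS0 (RFC 2671) OPT record handling versus a flat 512-byte UDP DNS size limit.

Added example for the firewall-wizards thread; all names and addresses are constructed.
"""
import struct

OPT_TYPE = 41            # RFC 2671 OPT pseudo-RR type code
CLASSIC_UDP_LIMIT = 512  # RFC 1035 maximum for DNS over UDP without EDNS0
TC_FLAG = 0x0200         # "truncated" bit in the DNS header flags word


def encode_name(name):
    """Wire-encode a dotted name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def opt_record(udp_size):
    """OPT pseudo-RR: root name, TYPE 41, CLASS = advertised UDP payload size,
    TTL = extended RCODE/version/flags (all zero here), empty RDATA."""
    return b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_size, 0, 0)


def build_query(name, qtype=1, txid=0x1234, edns_udp_size=None):
    """Standard recursive A query; with edns_udp_size set, an OPT RR is added (ARCOUNT=1)."""
    arcount = 1 if edns_udp_size else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)
    msg = header + encode_name(name) + struct.pack("!HH", qtype, 1)
    if edns_udp_size:
        msg += opt_record(edns_udp_size)
    return msg


def skip_name(msg, off):
    """Return the offset just past a wire-format name (handles compression pointers)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2           # 2-byte compression pointer ends the name
        off += 1 + length


def build_response(query, answers, edns_udp_size=None):
    """Constructed answer to `query`: one A record per IPv4 string in `answers`.
    Each answer name is a compression pointer (0xC00C) to the question name at offset 12."""
    txid = struct.unpack_from("!H", query, 0)[0]
    question = query[12:skip_name(query, 12) + 4]
    arcount = 1 if edns_udp_size else 0
    msg = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, arcount) + question
    for ip in answers:
        rdata = bytes(int(octet) for octet in ip.split("."))
        msg += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, len(rdata)) + rdata
    if edns_udp_size:
        msg += opt_record(edns_udp_size)
    return msg


def parse_rrs(msg, off, count):
    rrs = []
    for _ in range(count):
        off = skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        rrs.append({"type": rtype, "class": rclass, "ttl": ttl, "rdata": msg[off:off + rdlen]})
        off += rdlen
    return rrs, off


def inspect_message(msg):
    """Summarise what a size-aware filter needs: length, TC bit, EDNS0 advertised size."""
    _, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4          # QTYPE + QCLASS
    _, off = parse_rrs(msg, off, an)
    _, off = parse_rrs(msg, off, ns)
    additional, _ = parse_rrs(msg, off, ar)
    opt = next((rr for rr in additional if rr["type"] == OPT_TYPE), None)
    return {"length": len(msg),
            "truncated": bool(flags & TC_FLAG),
            "edns_udp_size": opt["class"] if opt else None}


def legacy_rule_drops(response):
    """The rule under discussion: drop any DNS/UDP datagram over 512 bytes."""
    return len(response) > CLASSIC_UDP_LIMIT


def response_allowed(query, response, hard_cap=4096):
    """Stateful, EDNS-aware check: accept a response up to the buffer size the client
    advertised in its own query (512 if it sent no OPT record), bounded by hard_cap."""
    advertised = inspect_message(query)["edns_udp_size"] or CLASSIC_UDP_LIMIT
    return len(response) <= min(advertised, hard_cap)


if __name__ == "__main__":
    q = build_query("example.com", edns_udp_size=4096)
    r = build_response(q, ["192.0.2.%d" % i for i in range(1, 41)], edns_udp_size=4096)
    print(inspect_message(r))
    print("flat 512 rule drops it:", legacy_rule_drops(r))
    print("EDNS-aware check allows it:", response_allowed(q, r))
```

Running the block shows a well-formed, untruncated 680-byte answer that the flat rule discards but the EDNS-aware check passes; the same response to a query that carried no OPT record is rejected by the stateful check, which is the one case where size alone says anything useful. Fragmented datagrams, which Barney flags as the harder problem, are outside what this message-level parser sees.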
Current thread:
- (no subject) Mike Hoskins (Feb 18)
- <Possible follow-ups>
- RE: (no subject) Reckhard, Tobias (Feb 19)
- Re: (no subject) Barney Wolff (Feb 19)