Firewall Wizards mailing list archives
Re: Allowing DNS servers to operate behind NetScreen 500
From: Mike Scher <mscher () neohapsis com>
Date: Mon, 17 Feb 2003 10:11:41 -0600 (CST)
On Mon, 17 Feb 2003, Volker Tanger wrote:
Reckhard, Tobias wrote:No, it is not. The reason for my response was that I don't know of any currently relevant reason for DNS responses to be over 512 bytes in size.Well, I've seen - and that was not even signed DNS. The idi... ahem... programmers of that system (mis)used fake hostnames to hold session-ID and shopping basket content. And that easily went beyond UPD packet size quite often. Cacheing did not work with that system either.
Why didn't it respond to TCP? On what little you describe, that arrangement sounds remarkably like the traffic against which firewalls should protect weaker systems. It almost sounds like what a hostile nameserver trying to clear a cache or run it out of memory would do. Responding generally to the thread from here down (and generally agreeing with Tobias): If I start stuffing more data in a transaction than the widely-adopted RFC says I should have, am I implementing an experimental RFC or trying a buffer-overflowing attack? Firewall L7 awareness can't be predictive; nor should it accomodate all possible new variations until they become reasonably widespread. There's L4 modes that most firewalls have -- they will accomodate such shenanigans (doing little more for UDP than opening a time-based window of opportunity triggered and renewed by traffic from the allowed initiator). The basic operating default of a firewall should be strict; yet a good firewall should let an administrator selectively and intelligently allow protocol variance. If you want to mess around with variant UDP protocols, just dumb down the firewall's L7 handling of the protocol in question -- don't encourage the vendor to weaken the established protocol handling by default. Most accomodate this sort of mode. Opining that a new protocol can't be rolled out because firewalls will block the new version is the very reason to select a new port for the new protocol. Asking not only vendors but end-users to constantly update firewalls with no known holes just to accomodate every experimental protocol variant is exceedingly unreasonable. As is asking end users to use broadly open protocol compliance checking. -M -- Michael Brian Scher | Director, Neohapsis Labs mscher () neohapsis com | General Counsel Fax: 773-394-8314 | Vox: 773-394-8310 _______________________________________________ firewall-wizards mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- Re: Allowing DNS servers to operate behind NetScreen 500, (continued)
- Re: Allowing DNS servers to operate behind NetScreen 500 Rob Payne (Feb 14)
- Re: Allowing DNS servers to operate behind NetScreen 500 tqbf (Feb 15)
- Re: Allowing DNS servers to operate behind NetScreen 500 Paul D. Robertson (Feb 15)
- Re: Allowing DNS servers to operate behind NetScreen 500 Rob Payne (Feb 15)
- Re: DNS vs. Bernstein tqbf (Feb 15)
- Re: DNS and Firewalls Rob Payne (Feb 20)
- Re: DNS Extensions and Firewalls Thomas H. Ptacek (Feb 21)
- Re: DNS Extensions and Firewalls Frank Knobbe (Feb 22)
- Re: Allowing DNS servers to operate behind NetScreen 500 Rob Payne (Feb 14)
- Re: Allowing DNS servers to operate behind NetScreen 500 Volker Tanger (Feb 17)
- Re: Allowing DNS servers to operate behind NetScreen 500 Mike Scher (Feb 17)
- Re: Allowing DNS servers to operate behind NetScreen 500 Chuck Swiger (Feb 17)
- Re: Allowing DNS servers to operate behind NetScreen 500 David Lang (Feb 18)