Full Disclosure mailing list archives

Re: Fw: [NTBUGTRAQ] Win 2003 DNS requests makes replies over 512 byte PIX limit


From: Derek Atkins <derek () ihtfp com>
Date: 08 May 2003 17:39:20 -0400

Mathias Gerber <mathias () intergga ch> writes:

Hello hggdh,
On Thu, 8 May 2003 12:09:22 -0500 you wrote:
FYI. Any ideas?
We are running the latest version (6.3.1) on our Cisco PIX and it
appears that there is hard limit of 512 bytes on ANY UDP packets
arriving on port 53.  Everything exceeding that is dropped.

AFAIK the DNS uses TCP for larger replies.

Yea, but resolvers normally use a response with the TC-bit set in
order to signal the fact that the response was truncated and TCP
should be used!  If the UDP response is dropped, then a resolver will
never see the response and never fall back to TCP.  It will time out
and fail instead.

Also, it's possible to negotiate larger-than-512-byte UDP packets.
For example with EDNS(0) you can use larger UDP packets.  Just
dropping larger packets is a PIX bug and can cause a DNS black-hole.

mathias

-derek

-- 
       Derek Atkins
       Computer and Internet Security Consultant
       derek () ihtfp com             www.ihtfp.com
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
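The failure mode Derek describes (a truncated reply carries the TC bit, so the resolver retries over TCP; a reply silently dropped by a 512-byte filter never triggers that retry) can be modelled without any network access. The following is an added example, not code from the thread or from Cisco: it builds a plain query and an EDNS(0) query advertising a 4096-byte UDP buffer, parses the header flags and the OPT pseudo-RR, and runs constructed replies through a toy model of the filter behaviour the thread reports (any UDP/53 payload over 512 bytes dropped). Names such as `pix_dns_fixup_drops`, `resolver_outcome` and `demo` are hypothetical, and the sample replies are constructed.

```python
import struct

DNS_TC = 0x0200   # TC (truncated) bit in the DNS header flags word (RFC 1035)
OPT_TYPE = 41     # EDNS(0) OPT pseudo-RR type (RFC 2671); CLASS field carries the UDP buffer size


def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def _skip_name(msg, off):
    """Return the offset just past the name at `off` (handles compression pointers)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # 2-byte pointer terminates the name
            return off + 2
        off += 1 + length


def build_query(name, qtype=1, txid=0x1234, edns_udp_size=None):
    """Standard recursive query; optionally append an OPT RR advertising an EDNS(0) UDP size."""
    arcount = 1 if edns_udp_size else 0
    msg = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)
    msg += encode_name(name) + struct.pack("!HH", qtype, 1)
    if edns_udp_size:
        # OPT RR: root name, TYPE=41, CLASS=UDP payload size, TTL=ext-RCODE/version/flags, RDLEN=0
        msg += b"\x00" + struct.pack("!HHIH", OPT_TYPE, edns_udp_size, 0, 0)
    return msg


def parse_header(msg):
    """Decode the 12-byte header; the TC bit is what a resolver keys its TCP fallback on."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "flags": flags, "tc": bool(flags & DNS_TC), "rcode": flags & 0x000F,
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def advertised_udp_size(query):
    """UDP buffer size the client advertised via OPT, or the RFC 1035 default of 512."""
    hdr = parse_header(query)
    off = 12
    for _ in range(hdr["qdcount"]):
        off = _skip_name(query, off) + 4            # QTYPE + QCLASS
    for _ in range(hdr["ancount"] + hdr["nscount"] + hdr["arcount"]):
        off = _skip_name(query, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", query[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT_TYPE:
            return rclass
    return 512


def make_response(query, answers=1, tc=False):
    """Constructed reply: echoes id and question, then `answers` A records (16 bytes each)."""
    hdr = parse_header(query)
    flags = 0x8180 | (DNS_TC if tc else 0)          # QR, RD, RA (+ TC when truncated)
    qend = _skip_name(query, 12) + 4
    msg = struct.pack("!HHHHHH", hdr["id"], flags, 1, answers, 0, 0) + query[12:qend]
    for i in range(answers):
        # name is a compression pointer to the question name at offset 12; 192.0.2.0/24 is documentation space
        msg += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, (i % 250) + 1])
    return msg


def pix_dns_fixup_drops(udp_payload, limit=512):
    """Toy model of the behaviour reported in the thread: UDP/53 payloads above `limit` are dropped."""
    return len(udp_payload) > limit


def resolver_outcome(response, firewall_limit=512):
    """What the stub resolver observes: 'ok', 'retry_tcp' (TC seen) or 'timeout' (reply never arrived)."""
    if pix_dns_fixup_drops(response, firewall_limit):
        return "timeout"                            # no TC bit ever reaches the client
    if parse_header(response)["tc"]:
        return "retry_tcp"                          # normal RFC 1035 fallback
    return "ok"


def demo():
    q_plain = build_query("example.com")
    q_edns = build_query("example.com", edns_udp_size=4096)
    small = make_response(q_plain, answers=3)               # 77 bytes, fits in 512
    truncated = make_response(q_plain, answers=0, tc=True)  # server signals "use TCP"
    large = make_response(q_edns, answers=36)               # 605 bytes, legal under EDNS(0)
    return {
        "plain_advertised": advertised_udp_size(q_plain),
        "edns_advertised": advertised_udp_size(q_edns),
        "large_len": len(large),
        "small": resolver_outcome(small),
        "truncated": resolver_outcome(truncated),
        "large_behind_filter": resolver_outcome(large),
        "large_without_filter": resolver_outcome(large, firewall_limit=65535),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The three outcomes line up with the thread: a reply under 512 bytes is fine, a TC-flagged reply triggers the TCP retry, and a 605-byte EDNS(0) reply behind the 512-byte filter produces a timeout with no retry at all, which is the black hole Derek warns about. The practical check for a defender is therefore to compare the UDP buffer size your resolvers advertise in their OPT RRs against whatever length limit the firewall's DNS inspection enforces, and to raise the inspection limit (or disable the length check) rather than expecting TCP fallback to save you.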