Full Disclosure mailing list archives
Re: Fw: [NTBUGTRAQ] Win 2003 DNS requests makes replies over 512 byte PIX limit
From: Derek Atkins <derek () ihtfp com>
Date: 08 May 2003 17:39:20 -0400
Mathias Gerber <mathias () intergga ch> writes:
> Hello hggdh,
>
> On Thu, 8 May 2003 12:09:22 -0500 you wrote:
>
> > FYI. Any ideas?
>
> We are running the latest version (6.3.1) on our Cisco PIX and it
> appears that there is a hard limit of 512 bytes on ANY UDP packets
> arriving on port 53. Everything exceeding that is dropped.
>
> AFAIK the DNS uses TCP for larger replies.

Yeah, but resolvers normally use a response with the TC bit set in order to
signal the fact that the response was truncated and TCP should be used! If
the UDP response is dropped, then a resolver will never see the response and
never fall back to TCP. It will time out and fail instead. Also, it's
possible to negotiate larger-than-512-byte UDP packets. For example, with
EDNS(0) you can use larger UDP packets. Just dropping larger packets is a
PIX bug and can cause a DNS black hole.

> mathias
-derek

--
Derek Atkins
Computer and Internet Security Consultant
derek () ihtfp com
www.ihtfp.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
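The black-hole mechanism Derek describes, worked through as an added example (this code is not from the thread, Cisco or any DNS implementation): a minimal DNS wire-format builder, a constructed authoritative server that truncates and sets TC when a reply would exceed the client's receivable size (512 bytes, or the EDNS(0) size in its OPT RR), a stub resolver that only falls back to TCP after it sees TC, and a model of a firewall that silently drops UDP/53 datagrams over 512 bytes. The query name, record counts, the 4096-byte EDNS(0) buffer and the firewall limit are assumptions chosen to reproduce the scenario; all packets are constructed in-process and nothing touches the network.

```python
import struct

OPT_RTYPE = 41                                   # EDNS(0) OPT pseudo-RR type (RFC 6891)
FLAG_QR, FLAG_TC, FLAG_RD, FLAG_RA = 0x8000, 0x0200, 0x0100, 0x0080
ANSWER_LEN = 16                                  # compressed name (2) + RR fixed part (10) + A rdata (4)


def _encode_name(name):
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def _skip_name(msg, off):
    """Return the offset just past a wire-format name (handles compression pointers)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:                # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def build_query(qname, qtype=1, txn_id=0x1234, edns_udp_size=None):
    """Standard query; with edns_udp_size, append an OPT RR advertising that UDP payload size."""
    msg = struct.pack("!HHHHHH", txn_id, FLAG_RD, 1, 0, 0, 1 if edns_udp_size else 0)
    msg += _encode_name(qname) + struct.pack("!HH", qtype, 1)
    if edns_udp_size:
        # OPT RR: root name, TYPE=41, CLASS=UDP payload size, TTL=ext-RCODE/version/flags, RDLEN=0
        msg += b"\x00" + struct.pack("!HHIH", OPT_RTYPE, edns_udp_size, 0, 0)
    return msg


def parse_header(msg):
    txn_id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txn_id, "qr": bool(flags & FLAG_QR), "tc": bool(flags & FLAG_TC),
            "rcode": flags & 0xF, "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def advertised_udp_size(query):
    """EDNS(0) UDP payload size from the query's OPT RR; 512 (RFC 1035) if the client sent none."""
    h = parse_header(query)
    off = 12
    for _ in range(h["qdcount"]):
        off = _skip_name(query, off) + 4         # QTYPE + QCLASS
    for _ in range(h["ancount"] + h["nscount"] + h["arcount"]):
        off = _skip_name(query, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", query[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT_RTYPE:
            return rclass                        # for OPT, CLASS carries the requestor's UDP size
    return 512


def make_response(query, n_answers, max_size=None):
    """Constructed authoritative server: n A records (TEST-NET-1 addresses). If the reply would
    exceed what the client can receive, keep only what fits and set TC=1."""
    limit = advertised_udp_size(query) if max_size is None else max_size
    h = parse_header(query)
    question = query[12:_skip_name(query, 12) + 4]
    opt = b"\x00" + struct.pack("!HHIH", OPT_RTYPE, 4096, 0, 0) if h["arcount"] else b""
    rr_fixed = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)   # name ptr to offset 12, A, IN, TTL 300
    answers = [rr_fixed + bytes([192, 0, 2, i]) for i in range(n_answers)]
    room = max((limit - 12 - len(question) - len(opt)) // ANSWER_LEN, 0)
    kept = answers[:room]
    flags = FLAG_QR | FLAG_RD | FLAG_RA | (FLAG_TC if len(kept) < n_answers else 0)
    header = struct.pack("!HHHHHH", h["id"], flags, 1, len(kept), 0, 1 if opt else 0)
    return header + question + b"".join(kept) + opt


def pix_udp53(datagram, limit=512):
    """Model of the firewall behaviour reported in the thread (assumed, not measured here):
    UDP/53 datagrams longer than `limit` bytes are silently dropped; None means it never arrives."""
    return datagram if len(datagram) <= limit else None


def resolve(query, udp_send, tcp_send, udp_tries=2):
    """Stub resolver: UDP first, retry on timeout, and fall back to TCP only when a reply carries TC."""
    for _ in range(udp_tries):
        reply = udp_send(query)
        if reply is None:                        # timed out: no datagram arrived, so no TC bit to act on
            continue
        if parse_header(reply)["tc"]:
            return tcp_send(query), "tcp-after-tc"
        return reply, "udp"
    return None, "timeout"


def scenario(edns_udp_size, firewall_limit=512, n_answers=40):
    """One lookup for example.com through the modelled firewall; returns (path taken, answers received)."""
    query = build_query("example.com", edns_udp_size=edns_udp_size)
    udp = lambda q: pix_udp53(make_response(q, n_answers), firewall_limit)
    tcp = lambda q: make_response(q, n_answers, max_size=65535)   # TCP 2-byte length framing omitted
    reply, path = resolve(query, udp, tcp)
    return path, (parse_header(reply)["ancount"] if reply else 0)


if __name__ == "__main__":
    print(scenario(None))        # no EDNS: 509-byte reply with TC passes the PIX, resolver finishes over TCP
    print(scenario(4096))        # EDNS(0): 680-byte reply is dropped, resolver never sees TC and times out
    print(scenario(4096, 4096))  # same query with the size limit lifted: answered in one UDP round trip
```

The middle case is the black hole from the thread: the server has done nothing wrong (the client advertised a 4096-byte buffer, so a 680-byte UDP reply without TC is exactly what RFC 6891 calls for), but the resolver gets neither the data nor the truncation signal it would need to switch to TCP, so the lookup degrades to a timeout instead of a retry.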
Current thread:
- Fw: [NTBUGTRAQ] Win 2003 DNS requests makes replies over 512 byte PIX limit hggdh (May 08)
- Re: Fw: [NTBUGTRAQ] Win 2003 DNS requests makes replies over 512 byte PIX limit Mathias Gerber (May 08)
- Re: Fw: [NTBUGTRAQ] Win 2003 DNS requests makes replies over 512 byte PIX limit Valdis . Kletnieks (May 08)
- Re: Fw: [NTBUGTRAQ] Win 2003 DNS requests makes replies over 512 byte PIX limit Derek Atkins (May 08)
- Re: Fw: [NTBUGTRAQ] Win 2003 DNS requests makes replies over 512 byte PIX limit hggdh (May 08)
- Re: Fw: [NTBUGTRAQ] Win 2003 DNS requests makes replies over 512 byte PIX limit Mathias Gerber (May 08)