Firewall Wizards mailing list archives
(no subject)
From: Mike Hoskins <mike () adept org>
Date: Tue, 18 Feb 2003 16:30:58 -0800 (PST)
> From: David Lang <david.lang () digitalinsight com>
> Date: Mon, 17 Feb 2003 20:56:16 -0800 (PST)
> Subject: Re: [fw-wiz] Allowing DNS servers to operate behind NetScreen 500
>
> also some large websites don't load balance behind a single IP address,
> instead they use lots of IP addresses.
>
> <snip>
>
> web:~# dig cnn.com
>
> <snip>

Inclusion of a large number of any RR can cause the problem. mail.yahoo.com is a common example I've seen, as a result of a large number of authoritative nameservers. Over time they slowly added more servers... Queries used to fit within 512 datagrams, then one day they suddenly didn't.

In short there are a lot of reasons a valid response may not fit with 512 datagrams. Not only will this break through various commercial firewalls, but improperly configured open-source variants as well. (Discarded UDP fragments.)

mike@mojo{mike}$ dig mail.yahoo.com
<snip>
;; Total query time: 29 msec
;; FROM: mojo.televoke.net to SERVER: default -- 10.0.100.90
;; WHEN: Tue Feb 18 16:22:08 2003
;; MSG SIZE sent: 32 rcvd: 522

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
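The arithmetic behind the "fits within 512, then one day it didn't" failure described in the message above, as an added example (not part of the original post or thread): it builds a plain RFC 1035 query and answer on the wire, shows that a query for mail.yahoo.com is exactly the 32 bytes the dig output reports, counts how many A records fit in a 512-byte UDP reply for that name, and shows the truncated (TC-bit) reply a compliant server sends when they don't, which is what makes the resolver retry over TCP/53. It assumes no EDNS0 OPT record (consistent with the 32-byte query in the post), a single question, one A record per address, and constructed TEST-NET addresses; the helper names are this example's own.

```python
"""Wire-size arithmetic for a plain (non-EDNS0) DNS answer: how many A
records fit in a 512-byte UDP reply, and what a server does when they
don't (set TC and leave it to the resolver to retry over TCP)."""
import struct

DNS_UDP_MAX = 512   # RFC 1035 UDP payload limit without EDNS0
QTYPE_A, QCLASS_IN = 1, 1
FLAG_TC = 0x0200    # TrunCation bit in the header flags field


def encode_name(name: str) -> bytes:
    """Encode a dotted name as length-prefixed labels (mail.yahoo.com -> 16 bytes)."""
    out = b"".join(bytes([len(label)]) + label.encode("ascii")
                   for label in name.rstrip(".").split("."))
    return out + b"\x00"


def build_query(name: str, qtype: int = QTYPE_A) -> bytes:
    """12-byte header plus one question; no OPT record, so no EDNS0."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)  # RD set
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def build_response(name: str, addresses: list, ttl: int = 300) -> bytes:
    """Answer with one A record per address; the owner name of each record is a
    compression pointer to offset 12, where the question name starts."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, len(addresses), 0, 0)
    question = encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)
    answers = b""
    for addr in addresses:
        rdata = bytes(int(octet) for octet in addr.split("."))
        # pointer(2) type(2) class(2) ttl(4) rdlength(2) + rdata(4) = 16 bytes
        answers += struct.pack("!HHHIH", 0xC00C, QTYPE_A, QCLASS_IN, ttl, 4) + rdata
    return header + question + answers


def fits_in_udp(msg: bytes) -> bool:
    return len(msg) <= DNS_UDP_MAX


def max_a_records_in_udp(name: str) -> int:
    """Largest answer count whose reply still fits in one classic UDP datagram."""
    n = 0
    while fits_in_udp(build_response(name, ["192.0.2.1"] * (n + 1))):  # constructed address
        n += 1
    return n


def question_end(msg: bytes) -> int:
    """Offset just past the question section (single question, no pointers)."""
    pos = 12
    while msg[pos] != 0:
        pos += 1 + msg[pos]
    return pos + 1 + 4  # root terminator + QTYPE + QCLASS


def truncate_for_udp(msg: bytes) -> bytes:
    """What a compliant server sends over UDP when the full reply is too large:
    the header with TC set and ANCOUNT 0, the question, and nothing else.
    A resolver that sees TC retries over TCP/53, which is exactly the step a
    UDP-only port 53 firewall rule breaks."""
    if fits_in_udp(msg):
        return msg
    ident, flags, qd, _an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    header = struct.pack("!HHHHHH", ident, flags | FLAG_TC, qd, 0, 0, 0)
    return header + msg[12:question_end(msg)]


def is_truncated(msg: bytes) -> bool:
    return bool(struct.unpack("!H", msg[2:4])[0] & FLAG_TC)


if __name__ == "__main__":
    name = "mail.yahoo.com"
    print("query size:", len(build_query(name)))            # 32, as in the dig output
    print("A records that fit in 512 bytes:", max_a_records_in_udp(name))
    big = build_response(name, ["192.0.2.%d" % i for i in range(1, 32)])  # constructed
    small = truncate_for_udp(big)
    print("31-record reply:", len(big), "bytes; UDP reply actually sent:",
          len(small), "bytes, TC =", is_truncated(small))
```

For a 14-character owner name the break comes at the 31st A record (32 + 31 * 16 = 528 bytes); NS or MX records carry a full target name each and cross the limit sooner, which is why a growing authoritative server list is such a common trigger. The check worth running from the firewall side is whether TCP/53 and (for EDNS0 deployments) UDP fragments are allowed through, since a reply that does not fit will take one of those two paths.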