Firewall Wizards mailing list archives

Re: (no subject)


From: Barney Wolff <barney () pit databus com>
Date: Wed, 19 Feb 2003 15:38:02 -0500

On Wed, Feb 19, 2003 at 06:50:26AM +0100, Reckhard, Tobias wrote:

> I don't have much faith in how today's firewalls handle DNS, so I always use
> proxies and servers that I believe to be secure. However, the DNS standards
> say that DNS UDP responses must not be larger than 512 bytes, so a firewall
> is perfectly compliant if it drops those packets.

This is no longer true; see RFCs 2671 & 3226.  A firewall that drops
UDP over 512 is impeding functionality with no offsetting gain in
security.  Handling fragments is a more interesting case, but certainly
an unfragmented UDP DNS response should not be dropped simply because
of its size.

DNS should be handled by an ALG (e.g. a caching server) at the firewall,
to protect vulnerable implementations inside.  That precaution is quite
independent of response size.

-- 
Barney Wolff         http://www.databus.com/bwresume.pdf
I'm available by contract or FT, in the NYC metro area or via the 'Net.
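Added example, not part of the thread: the difference between the old "drop UDP DNS over 512" rule and an EDNS0-aware check (RFC 2671) comes down to reading the UDP payload size that the client advertises in the CLASS field of its OPT pseudo-RR. The query builder and the sample names below are constructed for illustration; the parser walks a real DNS wire-format message.

```python
import struct

EDNS0_OPT_TYPE = 41    # OPT pseudo-RR type code (RFC 2671)
LEGACY_MAX_UDP = 512   # RFC 1035 ceiling that the legacy firewall rule enforces


def _skip_name(msg, off):
    """Advance past a (possibly compressed) domain name; return the new offset."""
    while True:
        length = msg[off]
        if length == 0:                 # root label terminates the name
            return off + 1
        if length & 0xC0 == 0xC0:       # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def advertised_udp_size(msg):
    """Return the UDP payload size advertised in an OPT RR, or 512 if absent."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4   # skip QTYPE and QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == EDNS0_OPT_TYPE:
            return rclass                # OPT reuses CLASS as the UDP size field
        off += 10 + rdlen
    return LEGACY_MAX_UDP


def build_query(name, udp_size=None):
    """Constructed sample A query; adds an OPT RR when udp_size is given."""
    labels = b"".join(bytes([len(l)]) + l.encode() for l in name.split("."))
    arcount = 1 if udp_size else 0
    msg = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, arcount)
    msg += labels + b"\x00" + struct.pack("!HH", 1, 1)       # QTYPE=A, QCLASS=IN
    if udp_size:
        msg += b"\x00" + struct.pack("!HHIH", EDNS0_OPT_TYPE, udp_size, 0, 0)
    return msg


def legacy_rule_drops(response_len):
    """The rule the thread criticises: any UDP response over 512 bytes is dropped."""
    return response_len > LEGACY_MAX_UDP


def edns_aware_drops(query, response_len):
    """Drop only responses larger than what the client said it can accept."""
    return response_len > advertised_udp_size(query)
```

A 1200-byte unfragmented response to a client that advertised 4096 bytes passes the EDNS-aware check but is discarded by the legacy rule, which is exactly the lost functionality the reply describes.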