Firewall Wizards mailing list archives
Re: Allowing DNS servers to operate behind NetScreen 500
From: Rob Payne <rnspayne () the-paynes com>
Date: Wed, 12 Feb 2003 21:39:01 -0500
On Tue, Feb 04, 2003 at 09:11:55AM +0100, Ben Nagy wrote:
> Sorry, argumentative this morning...
Sorry, I'm responding eight mornings later. ;)
> We've been over DNS so many times on this list, I really should have it burned into my brain, but responses that don't fit into one 512 byte UDP packet are supposed to be transmitted with TCP, not transmitted in multiple UDP packets, yes? Also, I was under the impression that 53 is a legal source port for server-to-server queries, whether TCP or UDP. This would mean that you would often see packets from the same port to the same external IP. Of course a true proxy would have no trouble keeping state in that situation, since every request is different...
Ben, RFC 2671 (1999) defines EDNS0, which allows DNS packets larger than 512-byte datagrams to be transmitted via UDP by allowing the client to advertise a larger packet size limit ("I can handle large packets, I'm a new DNS client."). This means that large packets can be transmitted by DNS servers, allowing them to avoid falling back to TCP. Of course, this means that the answer to a single query (packet) from a DNS server can be fragmented and sent over multiple UDP packets. The benefits of this are well enumerated in 2671. They include, among other things, heavily loaded servers not having to deal with the much higher connection overhead of TCP-based DNS.
> In any case, it's the responsibility of the proxy to get a response and pass that to the client, and if the "only the first packet gets through" theory were true then DNS should work, since all the info should be in the first packet.
> Something don't add up.
Nothing personal to anyone, but a lot of firewalls really need to get these kinds of things right. If they do not, firewalls are going to get in the way of (DNS) security when zones start getting signed. (Rhetorical: Has anyone attempted to fit current DNS data plus RSA/SHA1 keys and signatures in datagrams 512 bytes long?) -rob
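The following is an added illustration of the EDNS0 mechanism Rob describes; it is not code from the thread or from any DNS implementation. It builds a query carrying the OPT pseudo-RR (RFC 2671: type 41, with the advertised UDP payload size carried in the CLASS field), parses the same header and OPT record back out of a packet (including the TC bit that forces a TCP retry when an answer does not fit), and estimates how many IP fragments a large UDP reply turns into on a 1500-byte-MTU path. The query name and sizes are constructed sample values; the fragment estimate assumes a 20-byte IPv4 header with no options.

```python
import math
import struct

OPT_TYPE = 41          # EDNS0 OPT pseudo-RR type (RFC 2671)
CLASSIC_UDP_LIMIT = 512  # pre-EDNS0 maximum UDP DNS message size (RFC 1035)
TC_FLAG = 0x0200       # "truncated" bit in the DNS header flags
DO_FLAG = 0x8000       # DNSSEC OK bit in the OPT TTL field


def _encode_name(name):
    """Encode 'example.com.' as DNS labels: \\x07example\\x03com\\x00."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_edns0_query(qname, udp_payload_size=4096, txid=0x1234):
    """Build an A/IN query with an OPT record advertising udp_payload_size."""
    # Flags 0x0100 = recursion desired; 1 question, 0 answers, 0 authority, 1 additional (OPT).
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    question = _encode_name(qname) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    # OPT pseudo-RR: root name, TYPE=41, CLASS=advertised size, TTL=ext-rcode/version/flags, RDLEN=0.
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_payload_size, 0, 0)
    return header + question + opt


def _skip_name(buf, off):
    """Advance past a (possibly compressed) owner name and return the new offset."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # compression pointer occupies two bytes
            return off + 2
        off += 1 + length


def parse_dns_packet(buf):
    """Return the header facts a firewall or resolver cares about: TC bit and EDNS0 advertisement."""
    _txid, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", buf, 0)
    info = {"truncated": bool(flags & TC_FLAG), "edns0": False,
            "udp_payload_size": CLASSIC_UDP_LIMIT, "do_bit": False}
    off = 12
    for _ in range(qd):
        off = _skip_name(buf, off) + 4           # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(buf, off)
        rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", buf, off)
        off += 10
        if rtype == OPT_TYPE:
            info["edns0"] = True
            info["udp_payload_size"] = rclass    # CLASS field carries the advertised size
            info["do_bit"] = bool(ttl & DO_FLAG)
        off += rdlen
    return info


def fits_in_udp(response_len, client_info):
    """True if a response of response_len bytes can go back over UDP without TC; else TCP retry."""
    return response_len <= client_info["udp_payload_size"]


def ipv4_fragments_needed(udp_payload_len, mtu=1500):
    """Number of IPv4 fragments for a UDP datagram of the given payload size (assumed 20-byte IP header)."""
    per_fragment = ((mtu - 20) // 8) * 8          # fragment data must be a multiple of 8 bytes
    return math.ceil((8 + udp_payload_len) / per_fragment)  # 8 = UDP header


if __name__ == "__main__":
    query = build_edns0_query("example.com.", 4096)   # constructed sample query
    info = parse_dns_packet(query)
    print("client advertises", info["udp_payload_size"], "bytes; EDNS0:", info["edns0"])
    print("3000-byte answer fits in UDP:", fits_in_udp(3000, info))
    print("IPv4 fragments for a 4096-byte UDP reply:", ipv4_fragments_needed(4096))
    # Constructed truncated (TC=1) response with no OPT record, as a pre-EDNS0 server would send.
    truncated = struct.pack("!HHHHHH", 0x1234, 0x8200, 1, 0, 0, 0) + _encode_name("example.com.") + struct.pack("!HH", 1, 1)
    print("truncated response -> retry over TCP:", parse_dns_packet(truncated)["truncated"])
```

The operational point for a firewall is visible in the last two checks: a client that advertises 4096 bytes can receive an answer that arrives as three IP fragments, so a device that drops non-initial fragments (or only passes "the first packet") silently breaks resolution, and a server that cannot use EDNS0 sets TC and the client retries over TCP/53, so TCP/53 must be permitted alongside UDP/53.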