Firewall Wizards mailing list archives

Re: Allowing DNS servers to operate behind NetScreen 500


From: Rob Payne <rnspayne () the-paynes com>
Date: Wed, 12 Feb 2003 21:39:01 -0500

On Tue, Feb 04, 2003 at 09:11:55AM +0100, Ben Nagy wrote:
> Sorry, argumentative this morning...

Sorry, I'm responding eight mornings later. ;)

> We've been over DNS so many times on this list, I really should have it
> burned into my brain, but responses that don't fit into one 512 byte UDP
> packet are supposed to be transmitted with TCP, not transmitted in multiple
> UDP packets, yes? Also, I was under the impression that 53 is a legal source
> port for server-to-server queries, whether TCP or UDP. This would mean that
> you would often see packets from the same port to the same external IP. Of
> course a true proxy would have no trouble keeping state in that situation,
> since every request is different...

Ben,

RFC 2671 (1999) defines EDNS0, which allows for DNS packets larger
than 512-byte datagrams to be transmitted via UDP by allowing the client to
advertise larger packet size limitations ("I can handle large packets,
I'm a new DNS client.")  This means that large packets can be
transmitted by DNS servers to allow them to avoid falling back to TCP.
Of course, this means that the answers to a single query (packet) from
a DNS server can be fragmented and sent over multiple UDP packets.
The benefits of this are well enumerated in 2671.  They include, among
other things, heavily loaded servers not having to deal with the much
higher connection overhead of TCP-based DNS.

> In any case, it's the responsibility of the proxy to get a response and pass
> that to the client, and if the "only the first packet gets through" theory
> were true then DNS should work, since all the info should be in the first
> packet.
>
> Something don't add up.

Nothing personal to anyone, but a lot of firewalls really need to get
these kinds of things right.  If they do not, firewalls are going to
get in the way of (DNS) security when zones start getting signed.
(Rhetorical: Has anyone attempted to fit current DNS data plus
RSA/SHA1 keys and signatures in 512-byte datagrams?)

                                 -rob
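The two mechanisms the thread is arguing about, the classic TC-bit/TCP
fallback Ben describes and the EDNS0 OPT pseudo-RR Rob points to, are
both visible on the wire. The script below is an added example written
for this archive page, not code posted by either participant: it builds
a query with and without an OPT record, and inspects a packet the way a
stateful proxy would have to in order to know how large a UDP reply to
expect. The advertised payload size (4096), the query name, the
transaction ID and the constructed truncated reply are all assumptions
chosen for illustration; only the standard library is used.

```python
import struct

EDNS_UDP_SIZE = 4096    # advertised payload size; assumed value, RFC 2671 allows up to 65535
CLASSIC_DNS_MAX = 512   # pre-EDNS0 UDP response limit from RFC 1035
OPT_TYPE = 41           # RR type of the EDNS0 OPT pseudo-record


def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels plus a root terminator."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=1, txn_id=0x1234, udp_size=None):
    """Build a DNS query; with udp_size set, append an EDNS0 OPT RR to the additional section."""
    arcount = 1 if udp_size else 0
    header = struct.pack("!HHHHHH", txn_id, 0x0100, 1, 0, 0, arcount)  # RD set, one question
    pkt = header + encode_name(name) + struct.pack("!HH", qtype, 1)     # QTYPE, QCLASS=IN
    if udp_size:
        # OPT RR: root name, TYPE=41, CLASS carries the requestor's UDP payload size,
        # TTL carries extended RCODE/version/flags (all zero here), RDLENGTH=0.
        pkt += b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_size, 0, 0)
    return pkt


def skip_name(pkt, off):
    """Return the offset just past a name, handling RFC 1035 compression pointers."""
    while True:
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # two-byte pointer terminates the name
            return off + 2
        off += 1 + length


def skip_rr(pkt, off):
    """Return the offset just past a resource record starting at off."""
    off = skip_name(pkt, off)
    _rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", pkt, off)
    return off + 10 + rdlen


def inspect(pkt):
    """Report what a proxy needs: TC bit, and the EDNS0 payload size if an OPT RR is present."""
    txn_id, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", pkt, 0)
    off = 12
    for _ in range(qd):
        off = skip_name(pkt, off) + 4            # QTYPE + QCLASS
    for _ in range(an + ns):
        off = skip_rr(pkt, off)
    edns_size = None
    for _ in range(ar):
        name_end = skip_name(pkt, off)
        rtype, rclass = struct.unpack_from("!HH", pkt, name_end)
        if rtype == OPT_TYPE:
            edns_size = rclass                   # CLASS field doubles as the UDP payload size
        off = skip_rr(pkt, off)
    return {
        "id": txn_id,
        "tc": bool(flags & 0x0200),
        "edns_udp_size": edns_size,
        # Without OPT the peer must assume the classic 512-byte ceiling.
        "max_udp_response": edns_size or CLASSIC_DNS_MAX,
        "length": len(pkt),
    }


def needs_tcp_fallback(reply):
    """True when the server set TC, i.e. the answer did not fit and must be re-asked over TCP."""
    return inspect(reply)["tc"]


def make_truncated_reply(query):
    """Constructed reply: same ID and question, QR|TC|RD|RA set, no answers (a classic server's
    response when the answer exceeds 512 bytes and no OPT was offered)."""
    txn_id = struct.unpack_from("!H", query, 0)[0]
    qend = skip_name(query, 12) + 4
    header = struct.pack("!HHHHHH", txn_id, 0x8380, 1, 0, 0, 0)
    return header + query[12:qend]


if __name__ == "__main__":
    classic = build_query("example.com")
    edns = build_query("example.com", udp_size=EDNS_UDP_SIZE)
    print("classic query:", inspect(classic))
    print("EDNS0 query:  ", inspect(edns))
    print("TC reply needs TCP:", needs_tcp_fallback(make_truncated_reply(classic)))
```

The point for a firewall or DNS proxy is the `max_udp_response` figure:
once a client offers an OPT record with a 4096-byte payload size, a
conforming server may send a single UDP datagram of that size, which the
IP layer fragments into several packets. A device that only tracks the
first fragment, or that silently assumes nothing larger than 512 bytes
arrives over UDP/53, breaks exactly the behaviour the thread describes.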
