Firewall Wizards mailing list archives
How does your firewall handle DNS messages > 512 octets?
From: Dave Piscitello <dave () corecom com>
Date: Tue, 29 Aug 2006 15:13:34 -0400
Hi all,I am trying to understand how different firewalls behave when they receive a UDP datagram containing a DNS message that uses EDNS0 (RFC 2671) to support message sizes greater than the 512 maximum specified in RFC 1035 (original DNS).
Specifically, - does your firewall block/silently discard such messages by default? - do you know the command to allow the message if blocked by default?I've found dozens of claims that firewalls don't handle EDNS0 correctly, but after a long search, I've only found URLs indicating that Firewall-1 and Pix block by default and have workarounds.
I'm curious whether SonicWall, Netscreen, Symantec, etc. behave similarly. I'd also be curious to learn the behavior of IPS devices and DNS proxies (Watchguard, WinProxy, etc).
You can send replies directly to me and I'll compile responses and post to the list to save electrons.
Thanks in advance, Dave
Attachment:
dave.vcf
Description:
Attachment:
smime.p7s
Description: S/MIME Cryptographic Signature
_______________________________________________ firewall-wizards mailing list firewall-wizards () listserv icsalabs com https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- How does your firewall handle DNS messages > 512 octets? Dave Piscitello (Aug 30)
- Re: How does your firewall handle DNS messages > 512 octets? Aaron Smith (Aug 31)
- Re: How does your firewall handle DNS messages > 512 octets? ArkanoiD (Aug 31)
- Re: How does your firewall handle DNS messages > 512 octets? Dave Piscitello (Aug 31)