Firewall Wizards mailing list archives

RE: (no subject)


From: "Reckhard, Tobias" <tobias.reckhard () secunet com>
Date: Wed, 19 Feb 2003 06:50:26 +0100

On Wednesday, February 19, 2003 1:31 AM, Mike Hoskins wrote:
Inclusion of a large number of any RR can cause the problem.

Yes.

[snip]
suddenly didn't.  In short there are a lot of reasons a valid response may not fit with 512 datagrams.

No dispute here and I am the last to want to forbid large DNS responses. I
think they should be avoided where possible. I am also of the opinion that
quite often there are better solutions to the problems leading to them, load
balancing probably being the most prominent.

Not only will this break through various commercial firewalls, but improperly configured open-source variants as well.  (Discarded UDP fragments.)

Well, fragments are a problem of their own, aren't they? I haven't seen a
consensus on how they should best be treated yet. I wouldn't want to add
them to this thread.

I don't have much faith in how today's firewalls handle DNS, so I always use
proxies and servers that I believe to be secure. However, the DNS standards
say that DNS UDP responses must not be larger than 512 bytes, so a firewall
is perfectly compliant if it drops those packets.

Extending the standards to allow for larger packets or multiple UDP
datagrams per response could be useful, no disagreement from me there.
However, it is not necessary for large responses to work, there's a
mechanism for that there already. So the question is whether the additional
complexity introduced by the extension of the standards and the expense
caused to large amounts of deployed software is outweighed by the savings
they incur.

Tobias
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
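The "mechanism for that there already" is the TC (truncation) bit of RFC 1035: a server that cannot fit the answer into a 512-byte UDP message sets TC and the client retries over TCP. The following Python is an added illustration, not code from this thread or from any list member; it builds constructed A-record responses for the assumed name example.test, shows how many records fit under the 512-byte limit a compliant firewall may enforce, and shows what a resolver (or firewall) sees when a server truncates correctly versus when it simply emits an oversized datagram.

```python
import struct
import ipaddress

RFC1035_UDP_LIMIT = 512   # classic maximum DNS message size over UDP
TC_FLAG = 0x0200          # TrunCation bit in the header flags word

def encode_name(name):
    """Wire-format owner name: length-prefixed labels, terminated by a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_a_response(qname, addresses, txid=0x1234):
    """Constructed response: one question plus one A RR per address; the RRs point
    back to the question name with a compression pointer (0xC00C), as servers do."""
    flags = 0x8180  # QR=1, RD=1, RA=1, RCODE=NOERROR
    header = struct.pack("!HHHHHH", txid, flags, 1, len(addresses), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)  # type A, class IN
    answers = b"".join(
        b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + ipaddress.IPv4Address(a).packed
        for a in addresses)
    return header + question + answers

def inspect_udp_response(datagram):
    """What a firewall or stub resolver can decide from the datagram alone."""
    if len(datagram) < 12:
        raise ValueError("short DNS header")
    _txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", datagram[:12])
    return {"length": len(datagram),
            "over_512": len(datagram) > RFC1035_UDP_LIMIT,   # a compliant filter may drop it
            "truncated": bool(flags & TC_FLAG),              # client should retry over TCP
            "answers": an}

def truncate_for_udp(qname, addresses, limit=RFC1035_UDP_LIMIT):
    """Compliant server behaviour: shed answer RRs until the message fits, then set TC."""
    kept = list(addresses)
    while len(build_a_response(qname, kept)) > limit:
        kept.pop()
    msg = build_a_response(qname, kept)
    if len(kept) < len(addresses):
        flags = struct.unpack("!H", msg[2:4])[0] | TC_FLAG
        msg = msg[:2] + struct.pack("!H", flags) + msg[4:]
    return msg

def max_a_records_in_512(qname):
    """How many A records (e.g. load-balancing targets) fit before UDP truncation is needed."""
    n = 0
    while len(build_a_response(qname, ["10.0.0.1"] * (n + 1))) <= RFC1035_UDP_LIMIT:
        n += 1
    return n
```

For example.test, 30 A records fit in 510 bytes; a 40-record answer is 670 bytes and, sent as one UDP datagram without TC set, is exactly the kind of response a 512-byte-enforcing firewall will silently discard.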