Firewall Wizards mailing list archives

Re: How does your firewall handle DNS messages > 512 octets?


From: "Horvath, Kevin M." <KEVIN.M.HORVATH () saic com>
Date: Wed, 30 Aug 2006 12:30:16 -0400

Dave,

As for the Pix, it is configurable to allow the DNS max packet length to be
greater than the default of 512 bytes.  Anything over the configured length
will be silently dropped. It can also be disabled, in which case it will treat it as
any other UDP packet and not worry about length.  I am not familiar enough
with the other firewalls to say, but remember Google is your friend.  Hope this
helps in your quest.

Kevin M. Horvath
CISSP, CCSP, GCIH, INFOSEC, CQS-FW, CQS-VPN, CQS-IDS, CCNA
SAIC Integrated Security and Systems

-----Original Message-----
From: firewall-wizards-bounces () listserv cybertrust com
[mailto:firewall-wizards-bounces () listserv cybertrust com] On Behalf Of Dave
Piscitello
Sent: Tuesday, August 29, 2006 3:14 PM
To: Firewall Wizards Security Mailing List
Subject: [fw-wiz] How does your firewall handle DNS messages > 512 octets?

Hi all,

I am trying to understand how different firewalls behave when they 
receive a UDP datagram containing a DNS message that uses EDNS0 (RFC 
2671) to support message sizes greater than the 512 maximum specified in 
RFC 1035 (original DNS).

Specifically,

- does your firewall block/silently discard such messages by default?
- do you know the command to allow the message if blocked by default?

I've found dozens of claims that firewalls don't handle EDNS0 correctly, 
but after a long search, I've only found URLs indicating that Firewall-1 
and Pix block by default and have workarounds.

I'm curious whether SonicWall, Netscreen, Symantec, etc. behave 
similarly. I'd also be curious to learn the behavior of IPS devices and 
DNS proxies (Watchguard, WinProxy, etc).

You can send replies directly to me and I'll compile responses and post 
to the list to save electrons.

Thanks in advance,

Dave

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
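An added example, not from the thread or any vendor: a small Python model of what Dave is asking about. It builds a DNS query with and without an EDNS0 OPT pseudo-RR (RFC 2671), reads back the advertised UDP payload size, and shows which responses a firewall enforcing a fixed maximum DNS length (512 by default, as with the PIX setting Kevin describes) would drop versus pass. The packets, the hypothetical `max_len` firewall model and the names are constructed assumptions.

```python
import struct

def _name(qname):
    """Encode a dotted name as DNS labels (constructed helper)."""
    return b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\x00"

def _skip_name(msg, off):
    """Return the offset just past a wire-format name, handling compression pointers."""
    while True:
        ln = msg[off]
        if ln == 0:
            return off + 1
        if ln & 0xC0 == 0xC0:
            return off + 2                      # 2-octet pointer ends the name
        off += 1 + ln

def build_query(qname, edns0_udp_size=None):
    """Constructed sample: an A query; with edns0_udp_size set, append an OPT RR
    (TYPE 41) whose CLASS field advertises that UDP payload size (RFC 2671)."""
    arcount = 1 if edns0_udp_size else 0
    msg = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, arcount)
    msg += _name(qname) + struct.pack("!HH", 1, 1)          # QTYPE A, QCLASS IN
    if edns0_udp_size:
        msg += b"\x00" + struct.pack("!HHIH", 41, edns0_udp_size, 0, 0)
    return msg

def build_response(query, n_answers):
    """Constructed sample: answer with n_answers A records (16 octets each, using a
    name-compression pointer to the question) and echo the query's OPT RR, if any."""
    qd, an, ns, ar = struct.unpack("!HHHH", query[4:12])
    off = _skip_name(query, 12) + 4                          # end of question section
    hdr = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, n_answers, 0, ar)
    answers = b"".join(struct.pack("!HHHIH4s", 0xC00C, 1, 1, 60, 4,
                                   bytes([192, 0, 2, i % 256])) for i in range(n_answers))
    return hdr + query[12:off] + answers + query[off:]

def edns0_info(msg):
    """Return (has_opt_rr, advertised_udp_size); without OPT the RFC 1035 limit 512 applies."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == 41:
            return True, rclass
    return False, 512

def firewall_verdict(msg, max_len=512):
    """Hypothetical length-enforcing firewall: drop datagrams over max_len octets;
    max_len=None models the check being disabled (treated as plain UDP)."""
    return "pass" if max_len is None or len(msg) <= max_len else "drop"
```

Feeding the same 30-answer response through `firewall_verdict` with the default 512 and again with the advertised 4096 shows why a resolver that negotiates EDNS0 but sits behind an unchanged default silently loses large answers.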

