Home page logo
/

firewall-wizards logo Firewall Wizards mailing list archives

Re: How does your firewall handle DNS messages > 512 octets?
From: ArkanoiD <ark () eltex net>
Date: Mon, 4 Sep 2006 16:30:06 +0400

nuqneH,

Its a commercial of my own ;-)

But i use DJB's dnscache with some configuration wrappers that allow me to
control it the unified way. Actually the syntax is inherited from good old
fwtk, something like:

dnsctl:         instances dnscache-lo dnscache-int
dnscache-lo:    bind 127.0.0.1
dnscache-lo:    default-servers some.where.outside
dnscache-lo:    zone myzone.int -servers some.where.inside
dnscache-lo:    zone 10.IN-ADDR.ARPA -servers some.where.inside
dnscache-lo:    permit-hosts 127.0.0.1
dnscache-int:   bind 10.0.0.1
..

Unfortunately the license for DJB tools is quite restrictive, so i cannot
do much anomaly detection beyond what is available out of the box.

It does handle AAAA records ok, at least.

On Wed, Aug 30, 2006 at 03:01:00PM -0400, Dave Piscitello wrote:
Is this a commercial firewall or roll your own? If commercial which one?

Does your proxy do protocol anomaly detection? If yes, does it recognize 
 AAAA resource records or does it treat them as "out of compliance"?

ArkanoiD wrote:
nuqneH,

Well, mine does cache/proxy so there is no packet size restriction 
per se..

On Tue, Aug 29, 2006 at 03:13:34PM -0400, Dave Piscitello wrote:
Hi all,

I am trying to understand how different firewalls behave when they 
receive a UDP datagram containing a DNS message that uses EDNS0 (RFC 
2671) to support message sizes greater than the 512 maximum specified in 
RFC 1035 (original DNS).

Specifically,

- does your firewall block/silently discard such messages by default?
- do you know the command to allow the message if blocked by default?

I've found dozens of claims that firewalls don't handle EDNS0 correctly, 
but after a long search, I've only found URLs indicating that Firewall-1 
and Pix block by default and have workarounds.

I'm curious whether SonicWall, Netscreen, Symantec, etc. behave 
similarly. I'd also be curious to learn the behavior of IPS devices and 
DNS proxies (Watchguard, WinProxy, etc).







_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault