[fw-wiz] How does your firewall handle DNS messages > 512 octets?

ArkanoiD ark at eltex.net
Mon Sep 4 08:30:06 EDT 2006


nuqneH,

It's a commercial of my own ;-)

But I use DJB's dnscache with some configuration wrappers that allow me to
control it the unified way. Actually the syntax is inherited from good old
fwtk, something like:

dnsctl:         instances dnscache-lo dnscache-int
dnscache-lo:    bind 127.0.0.1
dnscache-lo:    default-servers some.where.outside
dnscache-lo:    zone myzone.int -servers some.where.inside
dnscache-lo:    zone 10.IN-ADDR.ARPA -servers some.where.inside
dnscache-lo:    permit-hosts 127.0.0.1
dnscache-int:   bind 10.0.0.1
..

Unfortunately the license for DJB tools is quite restrictive, so I cannot
do much anomaly detection beyond what is available out of the box.

It does handle AAAA records ok, at least.

On Wed, Aug 30, 2006 at 03:01:00PM -0400, Dave Piscitello wrote:
> Is this a commercial firewall or roll your own? If commercial which one?
> 
> Does your proxy do protocol anomaly detection? If yes, does it recognize 
>  AAAA resource records or does it treat them as "out of compliance"?
> 
> ArkanoiD wrote:
> >nuqneH,
> >
> >Well, mine does cache/proxy so there is no packet size restriction 
> >per se..
> >
> >On Tue, Aug 29, 2006 at 03:13:34PM -0400, Dave Piscitello wrote:
> >>Hi all,
> >>
> >>I am trying to understand how different firewalls behave when they 
> >>receive a UDP datagram containing a DNS message that uses EDNS0 (RFC 
> >>2671) to support message sizes greater than the 512 maximum specified in 
> >>RFC 1035 (original DNS).
> >>
> >>Specifically,
> >>
> >>- does your firewall block/silently discard such messages by default?
> >>- do you know the command to allow the message if blocked by default?
> >>
> >>I've found dozens of claims that firewalls don't handle EDNS0 correctly, 
> >>but after a long search, I've only found URLs indicating that Firewall-1 
> >>and Pix block by default and have workarounds.
> >>
> >>I'm curious whether SonicWall, Netscreen, Symantec, etc. behave 
> >>similarly. I'd also be curious to learn the behavior of IPS devices and 
> >>DNS proxies (Watchguard, WinProxy, etc).
> >
> >
> >

More information about the firewall-wizards mailing list