[fw-wiz] How does your firewall handle DNS messages > 512 octets?
ark at eltex.net
Mon Sep 4 08:30:06 EDT 2006
It's a commercial of my own ;-)
But I use DJB's dnscache with some configuration wrappers that allow me to
control it in a unified way. Actually the syntax is inherited from good old
fwtk, something like:
dnsctl: instances dnscache-lo dnscache-int
dnscache-lo: bind 127.0.0.1
dnscache-lo: default-servers some.where.outside
dnscache-lo: zone myzone.int -servers some.where.inside
dnscache-lo: zone 10.IN-ADDR.ARPA -servers some.where.inside
dnscache-lo: permit-hosts 127.0.0.1
dnscache-int: bind 10.0.0.1
Unfortunately the license for DJB tools is quite restrictive, so I cannot
do much anomaly detection beyond what is available out of the box.
It does handle AAAA records ok, at least.
On Wed, Aug 30, 2006 at 03:01:00PM -0400, Dave Piscitello wrote:
> Is this a commercial firewall or roll your own? If commercial which one?
> Does your proxy do protocol anomaly detection? If yes, does it recognize
> AAAA resource records or does it treat them as "out of compliance"?
> ArkanoiD wrote:
> >Well, mine does cache/proxy so there is no packet size restriction
> >per se..
> >On Tue, Aug 29, 2006 at 03:13:34PM -0400, Dave Piscitello wrote:
> >>Hi all,
> >>I am trying to understand how different firewalls behave when they
> >>receive a UDP datagram containing a DNS message that uses EDNS0 (RFC
> >>2671) to support message sizes greater than the 512 maximum specified in
> >>RFC 1035 (original DNS).
> >>- does your firewall block/silently discard such messages by default?
> >>- do you know the command to allow the message if blocked by default?
> >>I've found dozens of claims that firewalls don't handle EDNS0 correctly,
> >>but after a long search, I've only found URLs indicating that Firewall-1
> >>and Pix block by default and have workarounds.
> >>I'm curious whether SonicWall, Netscreen, Symantec, etc. behave
> >>similarly. I'd also be curious to learn the behavior of IPS devices and
> >>DNS proxies (Watchguard, WinProxy, etc).