On 12/13/2011 07:46 AM, babu dheen wrote:
Dear Anand,
In what situation, DNS packet size can exceed more than 512 bytes. In
fact, my gateway DNS server should not contact internal DNS server
except internal domain name resolution if any user access any internal
website through proxy.
My proxy is using gateway DNS for name resolution. So if any users
access internal website through proxy, proxy will send the name lookup
to gateway DNS and gateway DNS will forward the request to internal
DNS server.
In this case, will the internal domain DNS query exceed 512 bytes?
Regards
papdheen M
Papdheen,
The firewall is dropping the response packet, the gateway DNS servers
are not initiating the query. EDNS can be larger then 512 byte UDP, so
it's most likely your internal DNS server is sending the query with EDNS
flag set, which triggers the gateway DNS server to respond with a large
UDP packet instead of a 512 byte one with truncated flag set, which
would then trigger the internal DNS server to run the query again over
tcp 53 to get the full response.
With DNSSEC, responses are often over the old 512 byte limit. Most
current resolvers will use EDNS flag over UDP to avoid having to
duplicate the query over TCP when they get a truncated response over UDP.
So either remove the DNS payload size limit or raise it, update the
firewall to support EDNS detection in it's stateful inspection of DNS,
or configure your internal DNS resolver to explicitly not use EDNS.
Overview of EDNS:
https://en.wikipedia.org/wiki/Extension_mechanisms_for_DNS
-James Keller
--- On *Tue, 13/12/11, Anand Buddhdev /<ana...@ripe.net>/* wrote:
From: Anand Buddhdev <ana...@ripe.net>
Subject: Re: Suspecious DNS queries dropped by Firewall
To: "babu dheen" <babudh...@yahoo.co.in>
Cc: bind-users@lists.isc.org
Date: Tuesday, 13 December, 2011, 5:39 PM
On 13/12/2011 13:04, babu dheen wrote:
> Hi,
>
> Our company users are using internal DNS servers for name resolution
> and internal DNS servers are configured to forward the DNS query to
> company gateway DNS servers for external queries
>
> User --> internal DNS server ---> gateway DNS server ---> internet
>
> But when i look at the firewall hit , i can see gateway DNS
server is
> again sending DNS query to internal DNS server and the same is
denied in
> firewall with below error
>
> Dropped UDP DNS reply from OUTSIDE:<gateway-dns-ip>/53 to
> DMZ50:<internal-dns-ip>/63953; packet length 526 bytes exceeds
> configured limit of 512 bytes
Your firewall is misconfigured. Who said DNS reply packets cannot be
bigger than 512 bytes? You need to reconfigure your firewall, and
remove
that 512-byte limit for DNS queries and responses.
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
