On 12/13/2011 07:46 AM, babu dheen wrote:
Dear Anand,
In what situation can the DNS packet size exceed 512 bytes? In fact, my gateway DNS server should not contact the internal DNS server except for internal domain name resolution, if any user accesses an internal website through the proxy. My proxy is using the gateway DNS for name resolution. So if any user accesses an internal website through the proxy, the proxy will send the name lookup to the gateway DNS and the gateway DNS will forward the request to the internal DNS server.
In this case, will the internal domain DNS query exceed 512 bytes?
Regards
papdheen M


Papdheen,

The firewall is dropping the response packet; the gateway DNS servers are not initiating the query. EDNS can be larger than 512-byte UDP, so it's most likely your internal DNS server is sending the query with the EDNS flag set, which triggers the gateway DNS server to respond with a large UDP packet instead of a 512-byte one with the truncated flag set, which would then trigger the internal DNS server to run the query again over TCP 53 to get the full response.

With DNSSEC, responses are often over the old 512 byte limit. Most current resolvers will use EDNS flag over UDP to avoid having to duplicate the query over TCP when they get a truncated response over UDP.

So either remove the DNS payload size limit or raise it, update the firewall to support EDNS detection in its stateful inspection of DNS, or configure your internal DNS resolver to explicitly not use EDNS.

Overview of EDNS:
https://en.wikipedia.org/wiki/Extension_mechanisms_for_DNS



-James Keller
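To make the EDNS point above concrete, here is an added example (not code from the thread or from BIND) that builds a query with and without an RFC 6891 OPT record, reads the UDP payload size the querier advertised, and applies the EDNS-aware check a stateful firewall would need in order to pass a 526-byte reply only when the query announced a larger buffer. Names and sizes are constructed for illustration.

```python
import struct

DEFAULT_UDP_PAYLOAD = 512  # classic RFC 1035 limit, assumed when no OPT record is present
OPT_TYPE = 41              # EDNS0 OPT pseudo-RR type (RFC 6891)

def build_query(name, qtype=1, edns_udp_size=None, txid=0x1234):
    """Build a DNS query; with edns_udp_size set, append an OPT record advertising that size."""
    arcount = 1 if edns_udp_size else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # flags 0x0100 = RD
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)  # IN class
    opt = b""
    if edns_udp_size:
        # OPT RR: root name, TYPE=41, CLASS=UDP payload size, TTL=ext-rcode/version/flags, RDLEN=0
        opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, edns_udp_size, 0, 0)
    return header + question + opt

def skip_name(buf, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length

def advertised_udp_size(query):
    """UDP payload size the querier advertised via EDNS, or 512 if the query has no OPT record."""
    qd, an, ns, ar = struct.unpack("!HHHH", query[4:12])
    off = 12
    for _ in range(qd):
        off = skip_name(query, off) + 4          # QTYPE + QCLASS
    for _ in range(an + ns):
        off = skip_name(query, off)
        off += 10 + struct.unpack("!H", query[off + 8:off + 10])[0]
    for _ in range(ar):
        off = skip_name(query, off)
        rtype, rclass = struct.unpack("!HH", query[off:off + 4])
        if rtype == OPT_TYPE:
            return rclass                         # CLASS field carries the buffer size
        off += 10 + struct.unpack("!H", query[off + 8:off + 10])[0]
    return DEFAULT_UDP_PAYLOAD

def reply_allowed(query, reply_len):
    """EDNS-aware stateful check: permit a UDP reply no larger than the query advertised."""
    return reply_len <= advertised_udp_size(query)

def is_truncated(reply):
    """True when the TC bit is set, i.e. the resolver should retry the query over TCP."""
    return bool(struct.unpack("!H", reply[2:4])[0] & 0x0200)
```

Without the OPT record the 526-byte reply from the thread is over the 512-byte limit, so the resolver would have to see a truncated reply and fall back to TCP; with EDNS the firewall can match the reply against the advertised size instead.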


--- On Tue, 13/12/11, Anand Buddhdev <ana...@ripe.net> wrote:


    From: Anand Buddhdev <ana...@ripe.net>
    Subject: Re: Suspicious DNS queries dropped by Firewall
    To: "babu dheen" <babudh...@yahoo.co.in>
    Cc: bind-users@lists.isc.org
    Date: Tuesday, 13 December, 2011, 5:39 PM

    On 13/12/2011 13:04, babu dheen wrote:

    > Hi,
    >
    > Our company users are using internal DNS servers for name resolution
    > and internal DNS servers are configured to forward the DNS query to
    > company gateway DNS servers for external queries
    >
    > User --> internal DNS server ---> gateway DNS server ---> internet
    >
    > But when I look at the firewall hit, I can see the gateway DNS server is
    > again sending a DNS query to the internal DNS server and the same is
    > denied in the firewall with the below error
    >
    > Dropped UDP DNS reply from OUTSIDE:<gateway-dns-ip>/53 to
    > DMZ50:<internal-dns-ip>/63953; packet length 526 bytes exceeds
    > configured limit of 512 bytes

    Your firewall is misconfigured. Who said DNS reply packets cannot be
    bigger than 512 bytes? You need to reconfigure your firewall, and remove
    that 512-byte limit for DNS queries and responses.



_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users