John Kristoff wrote:
> After a DNS over TCP discussion a student of mine indicated that they
> recently fixed a problem in their network where DNS messages over 512
> bytes were not being relayed.  It appears the root cause has to do with
> some defaults being set on common gear that simply drops messages over 512
> bytes.  For example:
> 
>   <http://www.cisco.com/web/about/security/intelligence/dns-bcp.html#5>
> 
>       !-- Enable a maximum message length to help defeat DNS
>       !-- amplification attacks. Note: This is the default
>       !-- configuration and value based on RFC 1035.
>       !
>       message-length maximum 512

Ironically, elsewhere in that same document series:

    http://www.cisco.com/web/about/security/intelligence/dnssec.html

    Potential Networking Challenges with DNSSEC Deployment

    The networking-specific challenges from DNSSEC are largely the
    result of the differences mentioned previously: increased packet
    sizes, EDNS requirements and the more frequent use of TCP. Many
    firewall devices incorrectly limit DNS responses to 512 and prohibit
    DNS over TCP. [...]

This is still wrong, though; "and" should be "or", as in "Many firewall
devices incorrectly limit DNS responses to 512 *or* prohibit DNS over
TCP."  That document further states:

    Connectivity Over UDP and TCP port 53

    Because most DNS traffic is sent over UDP port 53, any filtering of
    traffic that exists on the network is unlikely to impact future
    native DNS traffic that is traversing UDP port 53. However, if DNS
    traffic is not currently permitted to traverse TCP port 53, which is
    typically used for large DNS packets (that is, those greater than
    512 bytes), any issues with DNS traffic over TCP port 53 will be
    exacerbated when DNSSEC packets begin arriving on the network,
    because many DNSSEC packets will be greater than 512 bytes due to
    the additional packet overhead of DNSSEC. If traffic using TCP port
    53 is currently not permitted, or is being filtered to or from
    specific hosts or networks, then it may be necessary to account for
    new hosts and networks that could be sending DNSSEC traffic over TCP
    port 53.

This seems to be implying that it's OK to block >512B UDP as long as you
don't *also* block TCP/53 :-(

-- 
Robert Edmonds
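
As an added example (not part of this thread or of the Cisco documents
quoted above): a small Python probe that sends the same EDNS0 query over
UDP and over TCP and classifies the pair of results, so the two failure
modes under discussion, UDP messages over 512 bytes being dropped and
TCP/53 being blocked, can be told apart. Assumptions of mine, not from
the thread: a 4096-byte advertised EDNS buffer, DNSKEY as a query type
whose answers usually exceed 512 bytes, and 127.0.0.1 as the default
server. make_reply() produces a constructed stand-in reply (a real
header plus zero padding), not a captured packet; it exists so the
parser and classifier can be exercised offline.

```python
"""Probe whether a path to a DNS server mishandles messages over 512 bytes.

Added example for this thread; not code from the Cisco documents or either
poster. Builds a query with an EDNS0 OPT record (RFC 6891) advertising a
4096-byte UDP payload, decodes reply headers, and classifies the UDP/TCP
result pair. Only probe() touches the network; everything else runs offline.
"""
import socket
import struct

EDNS_BUFSIZE = 4096   # advertised UDP payload size (assumption: a common choice)
TYPE_OPT = 41
TYPE_DNSKEY = 48      # assumption: answers for this type are routinely > 512 bytes
CLASS_IN = 1

def encode_name(name: str) -> bytes:
    """Wire-format a domain name as length-prefixed labels (RFC 1035 3.1)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("label must be 1..63 bytes")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_query(name: str, qtype: int, txid: int = 0x1234, edns_bufsize=EDNS_BUFSIZE) -> bytes:
    """Recursive query; when edns_bufsize is set, append an OPT RR with the DO bit."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if edns_bufsize else 0)
    question = encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)
    opt = b""
    if edns_bufsize:
        # OPT RR: root name, TYPE 41, CLASS = payload size, TTL = ext-rcode/version/flags (DO), RDLENGTH 0
        opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, edns_bufsize, 0x00008000, 0)
    return header + question + opt

def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte header (RFC 1035 4.1.1): the fields the classifier needs."""
    if len(msg) < 12:
        raise ValueError("shorter than a DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "tc": bool(flags & 0x0200),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an, "arcount": ar,
            "length": len(msg)}

def make_reply(txid: int, tc: bool, size: int) -> bytes:
    """Constructed stand-in for a server reply: real header, zero padding to `size`."""
    flags = 0x8180 | (0x0200 if tc else 0)   # QR, RD, RA, optionally TC
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + b"\x00" * (size - len(header))

def classify(udp_reply, tcp_reply) -> str:
    """Interpret one UDP and one TCP attempt (None = timed out).

    A box dropping >512-byte UDP is broken even with TCP/53 open: the server
    honoured the EDNS buffer size, so no TC bit tells the client to use TCP;
    the client just times out and has to fall back to smaller EDNS sizes.
    """
    if udp_reply is None and tcp_reply is None:
        return "no reply on either transport"
    if udp_reply is None:
        return "UDP reply lost (large-UDP filtering likely); TCP works"
    u = parse_header(udp_reply)
    if u["tc"]:
        if tcp_reply is None:
            return "UDP truncated and TCP/53 blocked: large answers unreachable"
        return "UDP truncated; retry over TCP succeeded"
    if u["length"] > 512:
        return "large EDNS reply over UDP passed" + ("; TCP works" if tcp_reply else "; TCP/53 blocked")
    return "reply fits in 512 bytes; pick a larger answer to test"

def _recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed TCP stream early")
        buf += chunk
    return buf

def probe(server: str, name: str, qtype: int = TYPE_DNSKEY, timeout: float = 3.0):
    """Send the same EDNS query over UDP and over TCP (RFC 1035 4.2.2 length prefix)."""
    q = build_query(name, qtype)
    udp = tcp = None
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(q, (server, 53))
            udp = s.recv(65535)
    except OSError:
        pass
    try:
        with socket.create_connection((server, 53), timeout=timeout) as s:
            s.sendall(struct.pack("!H", len(q)) + q)
            (n,) = struct.unpack("!H", _recv_exact(s, 2))
            tcp = _recv_exact(s, n)
    except OSError:
        pass
    return udp, tcp

if __name__ == "__main__":
    import sys
    server = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"   # assumption: local resolver
    name = sys.argv[2] if len(sys.argv) > 2 else "example.com"
    print(classify(*probe(server, name)))
```

Run it as `python3 probe.py <resolver-ip> <zone>` from inside the suspect
network; a "UDP reply lost ...; TCP works" result is the case the Cisco
text quoted above treats as acceptable, and it is exactly the one that
leaves EDNS clients waiting on a timeout.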

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
