Suspicious DNS queries dropped by Firewall

Kevin Oberman kob6558 at
Wed Dec 14 20:45:14 UTC 2011

On Wed, Dec 14, 2011 at 3:51 AM, babu dheen <babudheen at> wrote:

> In this case, do you think that internal users are trying to send emails
> directly to the internet?
> Email delivery is taken care of by the Email Gateway device; obviously, DKIM
> verification (if enabled) can only be done by the Email gateway of my
> company... How does an internal client make a DKIM query which uses the TXT
> record in DNS?
> Can you tell me a list of URLs whose size exceeds 514 bytes, to verify whether
> my internal server truncates/returns a failure code when querying such a URL
> using a UDP query?


You are missing the point. DKIM records were only provided as an example of
responses that will exceed 512 bytes.  Any query might get such a response.
There is no way of knowing exactly how much data will be returned with
modern DNS servers, especially with DNSSEC. But, even a simple address
query might return over 512 bytes of data.

The removal of the 512 byte limit on DNS packets is well over a decade old
and dancing around it is a losing proposition. You must either fix your
firewall (the right solution) or set your servers to NOT set the EDNS flag
(a work-around that will probably continue to be fragile).
R. Kevin Oberman, Network Engineer
E-mail: kob6558 at
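The following is an added example for the point Kevin makes above; it is not code from either poster or from BIND. It builds a TXT query twice, once with an EDNS0 OPT record advertising a 4096-byte UDP buffer (an assumed value) and once without, and interprets the pair of outcomes: if the EDNS query gets no reply at all while the classic query comes back with TC set, something on the path is dropping UDP DNS replies larger than 512 bytes. The record name `selector._domainkey.example.com`, the DKIM-looking TXT data and the simulated "firewall" are all constructed here so the walk-through runs offline; `probe()` is the same check against a real resolver, which you supply.

```python
"""Check whether a path passes UDP DNS replies larger than 512 bytes (added example)."""
import random
import socket
import struct

TYPE_TXT, TYPE_OPT, CLASS_IN = 16, 41, 1
FLAG_RD, FLAG_QR, FLAG_RA, FLAG_TC = 0x0100, 0x8000, 0x0080, 0x0200
EDNS_BUFSIZE = 4096  # assumed UDP payload size to advertise in the OPT record


def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels plus the root label."""
    labels = [l.encode() for l in name.strip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"


def build_query(name, qtype=TYPE_TXT, edns=True, bufsize=EDNS_BUFSIZE, txid=None):
    """Return a DNS query; with edns=True an OPT pseudo-RR advertising bufsize is appended."""
    if txid is None:
        txid = random.randrange(0x10000)
    header = struct.pack(">HHHHHH", txid, FLAG_RD, 1, 0, 0, 1 if edns else 0)
    question = encode_name(name) + struct.pack(">HH", qtype, CLASS_IN)
    # OPT RR: root name, TYPE=41, CLASS field carries the UDP payload size,
    # TTL field carries extended RCODE/version/flags (all zero here), RDLEN=0.
    opt = b"\x00" + struct.pack(">HHIH", TYPE_OPT, bufsize, 0, 0) if edns else b""
    return header + question + opt


def parse_response(pkt):
    """Pull the fields the diagnosis needs out of a raw DNS reply."""
    txid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", pkt[:12])
    return {"id": txid, "tc": bool(flags & FLAG_TC), "rcode": flags & 0xF,
            "answers": an, "size": len(pkt), "over_512": len(pkt) > 512}


def build_txt_response(query, text, max_size=None):
    """Answer a TXT query with one RR (constructed test data, not a real server).

    With max_size set, behave like a classic non-EDNS UDP responder: if the full
    reply would not fit, drop the answer section and set TC so the client retries
    over TCP.
    """
    txid = struct.unpack(">H", query[:2])[0]
    qend = query.index(b"\x00", 12) + 1 + 4          # end of QNAME, then QTYPE/QCLASS
    question = query[12:qend]
    data = text.encode()
    chunks = (data[i:i + 255] for i in range(0, len(data), 255))  # TXT strings are <= 255 bytes
    rdata = b"".join(bytes([len(c)]) + c for c in chunks)
    answer = b"\xc0\x0c" + struct.pack(">HHIH", TYPE_TXT, CLASS_IN, 300, len(rdata)) + rdata
    flags = FLAG_QR | FLAG_RD | FLAG_RA
    full = struct.pack(">HHHHHH", txid, flags, 1, 1, 0, 0) + question + answer
    if max_size is not None and len(full) > max_size:
        return struct.pack(">HHHHHH", txid, flags | FLAG_TC, 1, 0, 0, 0) + question
    return full


def diagnose(edns_reply, plain_reply):
    """Interpret one EDNS probe and one classic probe (parsed dict, or None on timeout)."""
    if edns_reply is None and plain_reply is not None and plain_reply["tc"]:
        return "large-udp-dropped"  # the >512-byte reply never arrived; classic reply truncated
    if edns_reply is not None and edns_reply["over_512"]:
        return "large-udp-ok"
    if edns_reply is None and plain_reply is None:
        return "no-reply"           # nothing came back either way: not a size problem
    return "inconclusive"           # reply fits in 512 bytes regardless; pick a bigger record


def probe(server, name, edns, timeout=2.0):
    """Send one UDP query to a resolver (your address) and parse the reply, or None on timeout."""
    q = build_query(name, edns=edns)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        try:
            pkt, _ = s.recvfrom(65535)
        except socket.timeout:
            return None
    return parse_response(pkt) if pkt[:2] == q[:2] else None


# Constructed DKIM-shaped TXT data (658 bytes), not a real key.
SAMPLE_TXT = "v=DKIM1; k=rsa; p=" + "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A" * 20


def simulate(firewall_limit=512):
    """Offline walk-through: a path that silently drops UDP DNS replies above firewall_limit."""
    name = "selector._domainkey.example.com"
    q_edns, q_plain = build_query(name, edns=True, txid=1), build_query(name, edns=False, txid=2)
    big = build_txt_response(q_edns, SAMPLE_TXT)                   # server honours the 4096 buffer
    small = build_txt_response(q_plain, SAMPLE_TXT, max_size=512)  # classic 512-byte behaviour
    edns_seen = parse_response(big) if len(big) <= firewall_limit else None
    return diagnose(edns_seen, parse_response(small))


if __name__ == "__main__":
    print("512-byte firewall:", simulate())        # large-udp-dropped
    print("fixed firewall:   ", simulate(4096))    # large-udp-ok
```

Against a live resolver, `diagnose(probe(srv, name, True), probe(srv, name, False))` gives the same verdict; a result of "large-udp-dropped" is exactly the symptom in this thread, and the fix is the firewall, not trimming records to fit.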